CVE-2014-0160 - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

CVE-2014-0160 (NVD)

2014-04-07

Heartbleed - The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Products	Ubuntu_linux, Debian_linux, Fedora, Filezilla_server, V100_firmware, V60_firmware, Micollab, Mivoice, Openssl, Opensuse, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Gluster_storage, Storage, Virtualization, S9922l_firmware, Application_processing_engine_firmware, Cp_1543\-1_firmware, Elan\-8\.2, Simatic_s7\-1500_firmware, Simatic_s7\-1500t_firmware, Wincc_open_architecture
Type	Out-of-bounds Read (CWE-125)
First patch	http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
Relevant file/s	• ./ssl/t1_lib.c • ./ssl/d1_both.c • ./CHANGES (modified, +9)
Links	• http://www.openssl.org/news/secadv_20140407.txt • http://secunia.com/advisories/57347 • http://heartbleed.com/ • http://www.securityfocus.com/bid/66690 • http://support.citrix.com/article/CTX140605 More/Less (123) • https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken • http://marc.info/?l=bugtraq&m=139905458328378&w=2 • http://marc.info/?l=bugtraq&m=139722163017074&w=2 • http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/ • http://www-01.ibm.com/support/docview.wss?uid=isg400001841 • https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E • http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 • http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01 • http://marc.info/?l=bugtraq&m=139765756720506&w=2 • https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E • http://www-01.ibm.com/support/docview.wss?uid=isg400001843 • http://secunia.com/advisories/59347 • http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3 • https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html • http://marc.info/?l=bugtraq&m=139905868529690&w=2 • http://secunia.com/advisories/59139 • http://marc.info/?l=bugtraq&m=139757919027752&w=2 • http://marc.info/?l=bugtraq&m=139843768401936&w=2 • http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf • http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html • http://marc.info/?l=bugtraq&m=140075368411126&w=2 • http://marc.info/?l=bugtraq&m=139905202427693&w=2 • http://marc.info/?l=bugtraq&m=139757819327350&w=2 • http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html • https://code.google.com/p/mod-spdy/issues/detail?id=85 • http://www.securitytracker.com/id/1030080 • http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html • http://marc.info/?l=bugtraq&m=139833395230364&w=2 • https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html • http://advisories.mageia.org/MGASA-2014-0165.html • http://marc.info/?l=bugtraq&m=139774703817488&w=2 • http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1 • http://www.exploit-db.com/exploits/32764 • http://marc.info/?l=bugtraq&m=139817782017443&w=2 • http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html • http://www.f-secure.com/en/web/labs_global/fsc-2014-1 • http://marc.info/?l=bugtraq&m=139905243827825&w=2 • http://www.securitytracker.com/id/1030082 • http://www.securityfocus.com/archive/1/534161/100/0/threaded • http://marc.info/?l=bugtraq&m=139905351928096&w=2 • http://marc.info/?l=bugtraq&m=140752315422991&w=2 • http://marc.info/?l=bugtraq&m=139905653828999&w=2 • http://rhn.redhat.com/errata/RHSA-2014-0377.html • http://marc.info/?l=bugtraq&m=141287864628122&w=2 • http://seclists.org/fulldisclosure/2014/Apr/109 • http://seclists.org/fulldisclosure/2014/Apr/190 • http://secunia.com/advisories/57721 • http://marc.info/?l=bugtraq&m=139824923705461&w=2 • http://rhn.redhat.com/errata/RHSA-2014-0378.html • http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00 • http://marc.info/?l=bugtraq&m=139817685517037&w=2 • http://marc.info/?l=bugtraq&m=139835815211508&w=2 • http://secunia.com/advisories/59243 • https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008 • http://marc.info/?l=bugtraq&m=139905295427946&w=2 • http://marc.info/?l=bugtraq&m=139869891830365&w=2 • http://rhn.redhat.com/errata/RHSA-2014-0396.html • http://www.kerio.com/support/kerio-control/release-history • http://marc.info/?l=bugtraq&m=139835844111589&w=2 • http://secunia.com/advisories/57836 • http://marc.info/?l=bugtraq&m=139905405728262&w=2 • https://gist.github.com/chapmajs/10473815 • http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 • http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed • http://secunia.com/advisories/57966 • http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf • http://seclists.org/fulldisclosure/2014/Apr/91 • https://blog.torproject.org/blog/openssl-bug-cve-2014-0160 • http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ • https://www.cert.fi/en/reports/2014/vulnerability788210.html • https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html • http://marc.info/?l=bugtraq&m=140724451518351&w=2 • http://marc.info/?l=bugtraq&m=139836085512508&w=2 • http://seclists.org/fulldisclosure/2014/Apr/173 • http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html • http://www.blackberry.com/btsc/KB35882 • http://secunia.com/advisories/57483 • http://rhn.redhat.com/errata/RHSA-2014-0376.html • https://bugzilla.redhat.com/show_bug.cgi?id=1084875 • http://seclists.org/fulldisclosure/2014/Dec/23 • https://filezilla-project.org/versions.php?type=server • http://www.securitytracker.com/id/1030078 • https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E • http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html • http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ • http://www.us-cert.gov/ncas/alerts/TA14-098A • http://www.securitytracker.com/id/1030079 • http://seclists.org/fulldisclosure/2014/Apr/90 • http://www.securitytracker.com/id/1030026 • http://marc.info/?l=bugtraq&m=139808058921905&w=2 • http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/ • http://www.ubuntu.com/usn/USN-2165-1 • http://www.vmware.com/security/advisories/VMSA-2014-0012.html • http://www.exploit-db.com/exploits/32745 • http://www.securitytracker.com/id/1030081 • http://marc.info/?l=bugtraq&m=139889295732144&w=2 • http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661 • https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf • http://marc.info/?l=bugtraq&m=139817727317190&w=2 • http://www.splunk.com/view/SP-CAAAMB3 • https://yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd • http://www.securitytracker.com/id/1030074 • http://www-01.ibm.com/support/docview.wss?uid=swg21670161 • http://secunia.com/advisories/57968 • http://marc.info/?l=bugtraq&m=139889113431619&w=2 • http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html • https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E • https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217 • http://cogentdatahub.com/ReleaseNotes.html • http://marc.info/?l=bugtraq&m=142660345230545&w=2 • http://marc.info/?l=bugtraq&m=139869720529462&w=2 • http://marc.info/?l=bugtraq&m=139757726426985&w=2 • http://marc.info/?l=bugtraq&m=139758572430452&w=2 • http://www.securitytracker.com/id/1030077 • http://www.kb.cert.org/vuls/id/720951 • http://marc.info/?l=bugtraq&m=140015787404650&w=2 • http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ • http://marc.info/?l=bugtraq&m=139824993005633&w=2 • http://www.debian.org/security/2014/dsa-2896 • http://marc.info/?l=bugtraq&m=139774054614965&w=2 • http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f379b0c154650d6c108e9a3 • http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html • http://marc.info/?l=bugtraq&m=139842151128341&w=2
Last changed by	Ruslan Habalov

Detailed repository view

The Hearbleed bug is an issue with the Heartbeat protocol that is used for [...]. It allows an attacker to exfiltrate up to 16 KB memory data from a target running a vulnerable OpenSSL version.

`pl` points at the reserved heartbeat data buffer. This buffer will be returned back to the user later on.

Allocate up to 1 + 2 + 65535(`payload`)+16(`padding`)=65554 bytes in `buffer` referenced as `bp`. Note that there is no bounds check in place for the user-supplied payload length `payload`.

The macro s2n takes a 16-bit value and writes two bytes to `bp`.

Copies `payload` bytes (up to 64KB) from `pl` (pointing on the resulting heartbeat buffer) into `bp`. The critical part is that `payload` (the user-supplied payload length) can be greater than the actual size of the `pl` memory segment leading to an out-of-bounds read effectively copying parts of the memory into `bp`.

The `buffer` with the memory is now sent back to the user effectively allowing an attacker to leak memory from the heap.

The same bug also exists in the dtls implementation.