Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2014-0160
PUBLISHED
- Vendor
- OpenSSL
- Product
- OpenSSL
- Published
- Apr 07, 2014
- EPSS
- —
Description
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS scores
- CVSS v3.1
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CVSS v2
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploitation status
Exploited in the wild
Recorded 2022-05-04 00:00:00 UTC
SSVC decision points
- Exploitation
- active
- Automatable
- Yes
- Technical impact
- partial
References
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | May 04, 2022 |
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
| Source | Created | Stars | Description |
|---|---|---|---|
| github | 2024-09-20 13:44:54 UTC | 0 | |
| github | 2023-04-30 13:56:47 UTC | 0 | |
| github | 2022-04-24 11:53:16 UTC | 0 | |
| github | 2020-12-09 15:08:21 UTC | 0 | |
| github | 2019-04-02 17:08:01 UTC | 0 | |
| github | 2018-11-08 02:50:28 UTC | 0 | From: https://www.freebuf.com/articles/web/31700.html |
| github | 2014-04-10 04:27:10 UTC | 0 | |
| github | 2014-04-08 22:29:55 UTC | 0 | openssl Heart Bleed Exploit: CVE-2014-0160 Mass Security Auditor |
| github | 2014-04-08 14:22:36 UTC | 0 | |
| github | 2014-04-08 09:19:49 UTC | 19 | Patch openssl #heartbleed with ansible |
Timeline
- CVE ID Reserved
- CVE Published to Public
- Added to KEVIntel