CVE-2014-0160

critical-risk

Published 2014-04-07

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Do I need to act?

94.5% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

CISA KEV: actively exploited in the wild

On the Known Exploited Vulnerabilities catalog — federal agencies must patch

4 public exploits available

32764, 32791, 32998 and 1 more

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (20)

Application Processing Engine Firmware

Elan-8.2

V100 Firmware

V60 Firmware

Micollab

Mivoice

Opensuse

Ubuntu Linux

Storage

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Server Aus

Enterprise Linux Server Eus

Enterprise Linux Server Tus

Enterprise Linux Workstation

Debian Linux

Affected Vendors

Ricon Fedoraproject Siemens Broadcom Filezilla-Project Openssl Splunk Opensuse Intellian Debian Canonical Redhat Mitel

References (257)

Third Party Advisory http://advisories.mageia.org/MGASA-2014-0165.html

Issue Tracking http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/

Release Notes http://cogentdatahub.com/ReleaseNotes.html

Broken Link http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01

Broken Link http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f37...

Third Party Advisory http://heartbleed.com/

Broken Link http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html

Broken Link http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html

Mailing List http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.htm...

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html

Mailing List http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html

Mailing List http://marc.info/?l=bugtraq&m=139722163017074&w=2

Mailing List http://marc.info/?l=bugtraq&m=139757726426985&w=2

Mailing List http://marc.info/?l=bugtraq&m=139757819327350&w=2

Mailing List http://marc.info/?l=bugtraq&m=139757919027752&w=2

Mailing List http://marc.info/?l=bugtraq&m=139758572430452&w=2

Mailing List http://marc.info/?l=bugtraq&m=139765756720506&w=2

Mailing List http://marc.info/?l=bugtraq&m=139774054614965&w=2

Mailing List http://marc.info/?l=bugtraq&m=139774703817488&w=2

and 237 more references

/ 100

critical-risk

Severity 26/34 · High

Exploitability 34/34 · Critical

Exposure 25/34 · High