CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS v3.0 7.5 HIGH
CVSS v2.0 5.0 MEDIUM

7.5^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3	Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1084875	Issue Tracking Third Party Advisory
http://www.openssl.org/news/secadv_20140407.txt	Vendor Advisory
http://heartbleed.com/	Third Party Advisory
http://www.securitytracker.com/id/1030078	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2014/Apr/109	Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2014/Apr/190	Mailing List Third Party Advisory
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0376.html	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0396.html	Third Party Advisory
http://www.securitytracker.com/id/1030082	Third Party Advisory VDB Entry
http://secunia.com/advisories/57347	Third Party Advisory
http://marc.info/?l=bugtraq&m=139722163017074&w=2	Third Party Advisory
http://www.securitytracker.com/id/1030077	Third Party Advisory VDB Entry
http://www-01.ibm.com/support/docview.wss?uid=swg21670161	Broken Link
http://www.debian.org/security/2014/dsa-2896	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0377.html	Third Party Advisory
http://www.securitytracker.com/id/1030080	Third Party Advisory VDB Entry
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html	Third Party Advisory
http://www.securitytracker.com/id/1030074	Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2014/Apr/90	Mailing List Third Party Advisory
http://www.securitytracker.com/id/1030081	Third Party Advisory VDB Entry
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed	Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-0378.html	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Apr/91	Mailing List Third Party Advisory
http://secunia.com/advisories/57483	Third Party Advisory
http://www.splunk.com/view/SP-CAAAMB3	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html	Third Party Advisory
http://www.securitytracker.com/id/1030079	Third Party Advisory VDB Entry
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html	Mailing List Third Party Advisory
http://secunia.com/advisories/57721	Third Party Advisory
http://www.blackberry.com/btsc/KB35882	Broken Link
http://www.securitytracker.com/id/1030026	Third Party Advisory VDB Entry
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/66690	Third Party Advisory VDB Entry
http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/	Third Party Advisory
http://www.us-cert.gov/ncas/alerts/TA14-098A	Third Party Advisory US Government Resource
http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/	Third Party Advisory
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/	Third Party Advisory
https://blog.torproject.org/blog/openssl-bug-cve-2014-0160	Third Party Advisory
http://secunia.com/advisories/57966	Third Party Advisory
http://www.f-secure.com/en/web/labs_global/fsc-2014-1	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Apr/173	Mailing List Third Party Advisory
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/	Third Party Advisory
http://secunia.com/advisories/57968	Third Party Advisory
https://code.google.com/p/mod-spdy/issues/detail?id=85	Third Party Advisory
http://www.exploit-db.com/exploits/32745	Exploit Third Party Advisory VDB Entry
http://www.kb.cert.org/vuls/id/720951	Third Party Advisory US Government Resource
https://www.cert.fi/en/reports/2014/vulnerability788210.html	Third Party Advisory
http://www.exploit-db.com/exploits/32764	Exploit Third Party Advisory VDB Entry
http://secunia.com/advisories/57836	Third Party Advisory
https://gist.github.com/chapmajs/10473815	Third Party Advisory
http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/	Third Party Advisory
http://cogentdatahub.com/ReleaseNotes.html	Release Notes Third Party Advisory
http://marc.info/?l=bugtraq&m=139905458328378&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139869891830365&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139889113431619&w=2	Third Party Advisory
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1	Third Party Advisory
http://www.kerio.com/support/kerio-control/release-history	Third Party Advisory
http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3	Third Party Advisory
http://advisories.mageia.org/MGASA-2014-0165.html	Third Party Advisory
https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp-navigationalState%3DdocId%253Demr_na-c04260637-4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken	Broken Link
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001843	Third Party Advisory
https://filezilla-project.org/versions.php?type=server	Release Notes Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001841	Third Party Advisory
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217	Third Party Advisory
http://marc.info/?l=bugtraq&m=141287864628122&w=2	Third Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/23	Mailing List Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2014-0012.html	Not Applicable
http://marc.info/?l=bugtraq&m=142660345230545&w=2	Third Party Advisory
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0	Not Applicable
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062	Third Party Advisory
http://marc.info/?l=bugtraq&m=139817727317190&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139757726426985&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139758572430452&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905653828999&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139842151128341&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905405728262&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139833395230364&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139824993005633&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139843768401936&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905202427693&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139774054614965&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139889295732144&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139835815211508&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140724451518351&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139808058921905&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139836085512508&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139869720529462&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905868529690&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139765756720506&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140015787404650&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139824923705461&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139757919027752&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139774703817488&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905243827825&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140075368411126&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905295427946&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139835844111589&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139757819327350&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139817685517037&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139905351928096&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=139817782017443&w=2	Third Party Advisory
http://marc.info/?l=bugtraq&m=140752315422991&w=2	Third Party Advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00	Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661	Third Party Advisory
http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf	Not Applicable
http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf	Third Party Advisory
http://secunia.com/advisories/59347	Third Party Advisory
http://secunia.com/advisories/59243	Third Party Advisory
http://secunia.com/advisories/59139	Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html	Mailing List Third Party Advisory
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01	Broken Link
https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html	Third Party Advisory
http://support.citrix.com/article/CTX140605	Third Party Advisory
http://www.ubuntu.com/usn/USN-2165-1	Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html	Mailing List Third Party Advisory
http://www.securityfocus.com/archive/1/534161/100/0/threaded	Not Applicable Third Party Advisory VDB Entry
https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008	Third Party Advisory
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html	Exploit Third Party Advisory
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf	Third Party Advisory
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E	Mailing List Patch Third Party Advisory
https://yunus-shn.medium.com/ricon-industrial-cellular-router-heartbleed-attack-2634221c02bd	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:a:filezilla-project:filezilla_server:*:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:siemens:application_processing_engine_firmware:2.0:*:*:*:*:*:*:*

cpe:2.3:h:siemens:application_processing_engine:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:siemens:cp_1543-1_firmware:1.1:*:*:*:*:*:*:*

cpe:2.3:h:siemens:cp_1543-1:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:siemens:simatic_s7-1500_firmware:1.5:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_s7-1500:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:siemens:simatic_s7-1500t_firmware:1.5:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_s7-1500t:-:*:*:*:*:*:*:*

Configuration 7 (hide)

OR	cpe:2.3:a:siemens:elan-8.2::::::::
	cpe:2.3:a:siemens:wincc_open_architecture:3.12:::::::*

Configuration 8 (hide)

AND

OR	cpe:2.3:o:intellian:v100_firmware:1.20:::::::*
	cpe:2.3:o:intellian:v100_firmware:1.21:::::::*
	cpe:2.3:o:intellian:v100_firmware:1.24:::::::*

cpe:2.3:h:intellian:v100:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

OR	cpe:2.3:o:intellian:v60_firmware:1.15:::::::*
	cpe:2.3:o:intellian:v60_firmware:1.25:::::::*

cpe:2.3:h:intellian:v60:-:*:*:*:*:*:*:*

Configuration 10 (hide)

OR	cpe:2.3:a:mitel:micollab:6.0:::::::*
	cpe:2.3:a:mitel:micollab:7.0:::::::*
	cpe:2.3:a:mitel:micollab:7.1:::::::*
	cpe:2.3:a:mitel:micollab:7.2:::::::*
	cpe:2.3:a:mitel:micollab:7.3.0.104:::::::*
	cpe:2.3:a:mitel:micollab:7.3:::::::*
	cpe:2.3:a:mitel:mivoice:1.1.3.3:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.2.0.11:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.3.2.2:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.4.0.102:::::skype_for_business::
	cpe:2.3:a:mitel:mivoice:1.1.2.5:::::lync::

Configuration 11 (hide)

OR	cpe:2.3:o:opensuse:opensuse:12.3:::::::*
	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

Configuration 12 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::

Configuration 13 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:20:::::::*
	cpe:2.3:o:fedoraproject:fedora:19:::::::*

Configuration 14 (hide)

OR	cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:::::::*
	cpe:2.3:a:redhat:storage:2.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:::::::*
	cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
	cpe:2.3:a:redhat:gluster_storage:2.1:::::::*
	cpe:2.3:a:redhat:virtualization:6.0:::::::*

Configuration 15 (hide)

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:7.0:::::::*
	cpe:2.3:o:debian:debian_linux:6.0:::::::*

Configuration 16 (hide)

AND

cpe:2.3:o:ricon:s9922l_firmware:16.10.3\(3794\):*:*:*:*:*:*:*

cpe:2.3:h:ricon:s9922l:1.0:*:*:*:*:*:*:*

Information

Published : 2014-04-07 15:55

Updated : 2023-02-10 08:58

NVD link : CVE-2014-0160

Mitre link : CVE-2014-0160

JSON object : View

CWE

CWE-125

Out-of-bounds Read

Products Affected

intellian

v100
v100_firmware
v60_firmware
v60

ricon

s9922l
s9922l_firmware

redhat

enterprise_linux_server
enterprise_linux_server_aus
enterprise_linux_workstation
gluster_storage
enterprise_linux_server_eus
enterprise_linux_desktop
virtualization
enterprise_linux_server_tus
storage

siemens

application_processing_engine
elan-8.2
application_processing_engine_firmware
simatic_s7-1500
simatic_s7-1500_firmware
wincc_open_architecture
cp_1543-1_firmware
simatic_s7-1500t
simatic_s7-1500t_firmware
cp_1543-1

canonical

ubuntu_linux

fedoraproject

fedora

debian

debian_linux

opensuse

opensuse

mitel

micollab
mivoice

filezilla-project

filezilla_server

openssl

openssl

7.5 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

JSON object

Attach tags to CVE-2014-0160

7.5^/10

5.0^/10

Attach tags to `CVE-2014-0160`