Scribd Logo
Upload

Welcome to Scribd!

  • Cve 2014 0160

    Uploaded by

    liming
    17 views11 pages

    Original Title

    CVE-2014-0160

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    17 views11 pages

    Cve 2014 0160

    Uploaded by

    liming

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 11

    CVE-2014-0160
    Detail
    Current Description
    The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from
    process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

    View Analysis Description

    Severity  
    CVSS
    Version 3.x CVSS
    Version 2.0

    CVSS 3.x Severity and Metrics:

    NIST: NVD Base
    Score:  7.5 HIGH

    Vector: 
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

    Note: NVD Analysts have published a CVSS score for this CVE based on publicly available information at the time of analysis. The CNA has not provided a score within the CVE List.

    Evaluator Impact
    CVSS V2 scoring evaluates the impact of the vulnerability on the host where the vulnerability is located. When evaluating the impact of this vulnerability to your organization, take into
    account the nature of the data that is being protected and act according to your organization’s risk acceptance. While CVE-2014-0160 does not allow unrestricted access to memory on the
    targeted host, a successful exploit does leak information from memory locations which have the potential to contain particularly sensitive information, e.g., cryptographic keys and
    passwords. Theft of this information could enable other attacks on the information system, the impact of which would depend on the sensitivity of the data and functions of that system.

    References to Advisories, Solutions, and Tools


    By selecting these links, you will be leaving NIST webspace.
    We have provided these links to other web sites because they
    may have information that would be of interest to you. No
    inferences should be drawn on account of other sites being
    referenced, or not, from this page. There may be other web
    sites that are more appropriate for your purpose. NIST does
    not
    necessarily endorse the views expressed, or concur with
    the facts presented on these sites. Further, NIST does not
    endorse any commercial products that may be mentioned on
    these sites.
    Please address comments about this page to nvd@nist.gov.
    Hyperlink Resource
    http://advisories.mageia.org/MGASA-2014-0165.html Third Party Advisory  
    http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/ Third Party Advisory  
    http://cogentdatahub.com/ReleaseNotes.html Release Notes  
    Third Party Advisory  
    http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01 Broken Link  
    http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 Patch  
    Vendor Advisory
     
    http://heartbleed.com/ Third Party Advisory  
    http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html Third Party Advisory  
    http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html Third Party Advisory  
    http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html Mailing List  
    Third Party Advisory  
    http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html Mailing List  
    Third Party Advisory  
    http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html Mailing List  
    Third Party Advisory  
    http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html Mailing List  
    Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139722163017074&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139757726426985&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139757819327350&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139757919027752&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139758572430452&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139765756720506&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139774054614965&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139774703817488&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139808058921905&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139817685517037&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139817727317190&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139817782017443&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139824923705461&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139824993005633&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139833395230364&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139835815211508&w=2 Third Party Advisory  
    Hyperlink Resource
    http://marc.info/?l=bugtraq&m=139835844111589&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139836085512508&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139842151128341&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139843768401936&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139869720529462&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139869891830365&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139889113431619&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139889295732144&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905202427693&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905243827825&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905295427946&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905351928096&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905405728262&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905458328378&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905653828999&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=139905868529690&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=140015787404650&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=140075368411126&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=140724451518351&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=140752315422991&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=141287864628122&w=2 Third Party Advisory  
    http://marc.info/?l=bugtraq&m=142660345230545&w=2 Third Party Advisory  
    http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=1 Third Party Advisory  
    http://public.support.unisys.com/common/public/vulnerability/NVD_Detail_Rpt.aspx?ID=3 Third Party Advisory  
    http://rhn.redhat.com/errata/RHSA-2014-0376.html Third Party Advisory  
    http://rhn.redhat.com/errata/RHSA-2014-0377.html Third Party Advisory  
    http://rhn.redhat.com/errata/RHSA-2014-0378.html Third Party Advisory  
    http://rhn.redhat.com/errata/RHSA-2014-0396.html Third Party Advisory  
    http://seclists.org/fulldisclosure/2014/Apr/109 Mailing List  
    Third Party Advisory  
    http://seclists.org/fulldisclosure/2014/Apr/173 Mailing List  
    Third Party Advisory  
    http://seclists.org/fulldisclosure/2014/Apr/190 Mailing List  
    Third Party Advisory  
    Hyperlink Resource
    http://seclists.org/fulldisclosure/2014/Apr/90 Mailing List  
    Third Party Advisory  
    http://seclists.org/fulldisclosure/2014/Apr/91 Mailing List  
    Third Party Advisory  
    http://seclists.org/fulldisclosure/2014/Dec/23 Mailing List  
    Third Party Advisory  
    http://secunia.com/advisories/59139 Third Party Advisory  
    http://secunia.com/advisories/59243 Third Party Advisory  
    http://secunia.com/advisories/59347 Third Party Advisory  
    http://support.citrix.com/article/CTX140605 Third Party Advisory  
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed Third Party Advisory  
    http://www-01.ibm.com/support/docview.wss?uid=isg400001841 Third Party Advisory  
    http://www-01.ibm.com/support/docview.wss?uid=isg400001843 Third Party Advisory  
    http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004661 Third Party Advisory  
    http://www-01.ibm.com/support/docview.wss?uid=swg21670161 Broken Link  
    http://www.apcmedia.com/salestools/SJHN-7RKGNM/SJHN-7RKGNM_R4_EN.pdf Third Party Advisory  
    http://www.blackberry.com/btsc/KB35882 Broken Link  
    http://www.debian.org/security/2014/dsa-2896 Third Party Advisory  
    http://www.exploit-db.com/exploits/32745 Exploit  
    Third Party Advisory  
    VDB Entry  
    http://www.exploit-db.com/exploits/32764 Exploit  
    Third Party Advisory  
    VDB Entry  
    http://www.f-secure.com/en/web/labs_global/fsc-2014-1 Third Party Advisory  
    http://www.getchef.com/blog/2014/04/09/chef-server-11-0-12-release/ Third Party Advisory  
    http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/ Third Party Advisory  
    http://www.getchef.com/blog/2014/04/09/enterprise-chef-1-4-9-release/ Third Party Advisory  
    http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/ Third Party Advisory  
    http://www.innominate.com/data/downloads/manuals/mdm_1.5.2.1_Release_Notes.pdf Not Applicable  
    http://www.kb.cert.org/vuls/id/720951 Third Party Advisory  
    US Government Resource
     
    http://www.kerio.com/support/kerio-control/release-history Third Party Advisory  
    http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 Third Party Advisory  
    Hyperlink Resource
    http://www.openssl.org/news/secadv_20140407.txt Vendor Advisory  
    http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html Third Party Advisory  
    http://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html Third Party Advisory  
    http://www.securityfocus.com/archive/1/534161/100/0/threaded Not Applicable  
    http://www.securityfocus.com/bid/66690 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030026 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030074 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030077 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030078 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030079 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030080 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030081 Third Party Advisory  
    VDB Entry  
    http://www.securitytracker.com/id/1030082 Third Party Advisory  
    VDB Entry  
    http://www.splunk.com/view/SP-CAAAMB3 Third Party Advisory  
    http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160512_00 Third Party Advisory  
    http://www.ubuntu.com/usn/USN-2165-1 Third Party Advisory  
    http://www.us-cert.gov/ncas/alerts/TA14-098A Third Party Advisory  
    US Government Resource
     
    http://www.vmware.com/security/advisories/VMSA-2014-0012.html Not Applicable  
    http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0 Not Applicable  
    https://blog.torproject.org/blog/openssl-bug-cve-2014-0160 Third Party Advisory  
    https://bugzilla.redhat.com/show_bug.cgi?id=1084875 Issue Tracking  
    Third Party Advisory  
    https://cert-portal.siemens.com/productcert/pdf/ssa-635659.pdf Third Party Advisory  
    https://code.google.com/p/mod-spdy/issues/detail?id=85 Third Party Advisory  
    Hyperlink Resource
    https://filezilla-project.org/versions.php?type=server Release Notes  
    Third Party Advisory  
    https://gist.github.com/chapmajs/10473815 Third Party Advisory  
    https://h20566.www2.hp.com/portal/site/hpsc/template.PAGE/public/kb/docDisplay/?spf_p.tpst=kbDocDisplay&spf_p.prp_kbDocDisplay=wsrp- Broken Link  
    navigationalState%3DdocId%253Demr_na-c04260637-
    4%257CdocLocale%253Den_US%257CcalledBy%253DSearch_Result&javax.portlet.begCacheTok=com.vignette.cachetoken&javax.portlet.endCacheTok=com.vignette.cachetoken
    https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E Mailing List  
    Patch  
    Third Party Advisory  
    https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@%3Cdev.tomcat.apache.org%3E Mailing List  
    Patch  
    Third Party Advisory  
    https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@%3Cdev.tomcat.apache.org%3E Mailing List  
    Patch  
    Third Party Advisory  
    https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E Mailing List  
    Patch  
    Third Party Advisory  
    https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-April/000184.html Third Party Advisory  
    https://sku11army.blogspot.com/2020/01/heartbleed-hearts-continue-to-bleed.html Exploit  
    Third Party Advisory  
    https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html Third Party Advisory  
    https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html?sr=36517217 Third Party Advisory  
    https://www.cert.fi/en/reports/2014/vulnerability788210.html Third Party Advisory  
    https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-17-0008 Third Party Advisory  

    This CVE is in CISA's Known Exploited Vulnerabilities Catalog


    Reference CISA's BOD 22-01 and Known Exploited Vulnerabilities Catalog for further guidance and requirements.

    Vulnerability Name Date Added Due Date Required Action


    OpenSSL Information Disclosure Vulnerability 05/04/2022 05/25/2022 Apply updates per vendor instructions.

    Weakness Enumeration
    CWE-ID CWE Name Source
    CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
    NIST  

    Known Affected Software Configurations Switch


    to CPE 2.2
    Configuration 1 ( hide )


     cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
    From (including)
    Up to (excluding)

       Show Matching CPE(s) 1.0.1 1.0.1g

    Configuration 2 ( hide )


     cpe:2.3:a:filezilla-project:filezilla_server:*:*:*:*:*:*:*:*
    Up to (excluding)

       Show Matching CPE(s) 0.9.44

    Configuration 3 ( hide )


     cpe:2.3:o:siemens:application_processing_engine_firmware:2.0:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Running on/with
     cpe:2.3:h:siemens:application_processing_engine:-:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 4 ( hide )


     cpe:2.3:o:siemens:cp_1543-1_firmware:1.1:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Running on/with
     cpe:2.3:h:siemens:cp_1543-1:-:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 5 ( hide )


     cpe:2.3:o:siemens:simatic_s7-1500_firmware:1.5:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Running on/with
     cpe:2.3:h:siemens:simatic_s7-1500:-:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 6 ( hide )


     cpe:2.3:o:siemens:simatic_s7-1500t_firmware:1.5:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Running on/with
     cpe:2.3:h:siemens:simatic_s7-1500t:-:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Configuration 7 ( hide )


     cpe:2.3:a:siemens:elan-8.2:*:*:*:*:*:*:*:*
    Up to (excluding)

       Show Matching CPE(s) 8.3.3



     cpe:2.3:a:siemens:wincc_open_architecture:3.12:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 8 ( hide )


     cpe:2.3:o:intellian:v100_firmware:1.20:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:intellian:v100_firmware:1.21:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:intellian:v100_firmware:1.24:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Running on/with
     cpe:2.3:h:intellian:v100:-:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 9 ( hide )


     cpe:2.3:o:intellian:v60_firmware:1.15:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:intellian:v60_firmware:1.25:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Running on/with
     cpe:2.3:h:intellian:v60:-:*:*:*:*:*:*:*
       Show Matching CPE(s)

    Configuration 10 ( hide )


     cpe:2.3:a:mitel:micollab:6.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:micollab:7.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:micollab:7.1:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:micollab:7.2:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:micollab:7.3:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:micollab:7.3.0.104:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:mivoice:1.1.2.5:*:*:*:*:lync:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:mivoice:1.1.3.3:*:*:*:*:skype_for_business:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:mivoice:1.2.0.11:*:*:*:*:skype_for_business:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:mivoice:1.3.2.2:*:*:*:*:skype_for_business:*:*

       Show Matching CPE(s)



     cpe:2.3:a:mitel:mivoice:1.4.0.102:*:*:*:*:skype_for_business:*:*

       Show Matching CPE(s)

    Configuration 11 ( hide )


     cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 12 ( hide )


     cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
       Show Matching CPE(s)

     cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:canonical:ubuntu_linux:13.10:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 13 ( hide )


     cpe:2.3:o:fedoraproject:fedora:19:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:fedoraproject:fedora:20:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 14 ( hide )


     cpe:2.3:a:redhat:gluster_storage:2.1:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:redhat:storage:2.1:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:a:redhat:virtualization:6.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:redhat:enterprise_linux_server_eus:6.5:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:redhat:enterprise_linux_server_tus:6.5:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

       Show Matching CPE(s)

    Configuration 15 ( hide )


     cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

       Show Matching CPE(s)



     cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

       Show Matching CPE(s)


    Denotes Vulnerable Software

    Are we missing a CPE here? Please let us know.

    Change History
    23 change records found show changes

    You might also like