Heartbleed: CVE-2014-0160 Tanner Hildebrand August 2020
CVE-2014-0160
Tanner Hildebrand
August 2020
REFERENCES
• https://heartbleed.com/
• https://www.openssl.org/news/secadv/20140407.txt
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
• https://xkcd.com/1354/
• https://stackabuse.com/heartbleed-bug-explained/
• https://gizmodo.com/how-heartbleed-works-the-code-behind-the-internets-se-1561341209
• https://www.csoonline.com/article/3223203/what-is-the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html
• https://arstechnica.com/information-technology/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
• https://blog.malwarebytes.com/exploits-and-vulnerabilities/2019/09/everything-you-need-to-know-about-the-heartbleed-vulnerability/
ADDITIONAL
• Durumeric, Z., Payer, M., Paxson, V., Kasten, J., Adrian, D., Halderman, J. A., Bailey, M., Li, F., Weaver, N., Amann, J., & Beekman, J. (2014). The Matter of Heartbleed. Proceedings of the 2014 Conference on Internet Measurement Conference - IMC ’14. https://doi.org/10.1145/2663716.2663755
HEARTBLEED
• Implementation error in OpenSSL code for RFC 6520
• Not a design flaw
• Introduced in OpenSSL version 1.0.1 in March 2012
• Discovered in early 2014
  • Google Security
  • Codenomicon
• Patched in OpenSSL 1.0.1g in April 2014
• “Buffer overread”
https://xkcd.com/1354/
OFFENSIVE CODE OpenSSL 1.0.1 – 1.0.1f
https://stackabuse.com/heartbleed-bug-explained/
IMPACT
• Any data allocated on the heap around the pl pointer might be
exposed.
• Server
• Client
https://arstechnica.com/information-technology/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/
PATCHED OpenSSL 1.0.1g
https://stackabuse.com/heartbleed-bug-explained/
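ADDED EXAMPLE
The over-read and the bounds check that closes it, as a simplified C model added here for illustration; it is not OpenSSL source. The function names, the `arena` buffer standing in for heap memory, and the sample secret are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_PADDING 16  /* minimum padding RFC 6520 requires */

/* Constructed stand-in for the heap: a 4-byte heartbeat record (type 1,
 * claimed length 0x0020, real payload "A") followed by unrelated data. */
static const uint8_t arena[64] =
    "\x01\x00\x20" "A" "session-key=CONSTRUCTED-SECRET";

static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Pre-patch behaviour: trusts the length field, so the copy runs past the
 * record and picks up whatever sits after the payload pointer (pl). */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    (void)rec_len;                       /* never consulted: that is the bug */
    size_t claimed = hb_claimed_len(rec);
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

/* Patched behaviour: compare the claimed length with the bytes actually
 * received and silently discard on mismatch. Returns 0 when discarded. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + HB_HEADER, claimed);
    return claimed;
}

int main(void) {
    uint8_t out[64] = {0};
    size_t n = hb_echo_unchecked(arena, 4, out);
    printf("unchecked: %zu bytes echoed, includes \"%.12s\"\n", n, (char *)out + 1);
    printf("checked:   %zu bytes echoed\n", hb_echo_checked(arena, 4, out));
    return 0;
}
```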
DEMONSTRATION
• http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Networking/Heartbleed/