⚠ Actively exploited
Added to CISA KEV on 2022-05-04. Federal agencies required to patch by 2022-05-25. Required action: Apply updates per vendor instructions..

CVE-2014-0160

CWE-125Out-of-bounds ReadCWE-200Information ExposureCWE-805CWE-119Buffer Overflow42 documents20 sources
Severity
7.5HIGH
EPSS
94.5%
top < 0.01%
CISA KEV
KEV
Added 2022-05-04
Due 2022-05-25
Exploit
Exploited in wild
Active exploitation observed
Affected products
28
Filezilla-project Filezilla ServerOpenssl OpensslSiemens Elan-8.2+25 more
Timeline
PublishedApr 7
KEV addedMay 4
Latest updateMay 13
KEV dueMay 25
CISA Required Action: Apply updates per vendor instructions.

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages23 packages

NVDopenssl/openssl1.0.11.0.1g
Debianopenssl< 1.0.1g-1+3
NVDsplunk/splunk6.0.06.0.3
NVDsiemens/elan-8.2< 8.3.3

Also affects: Debian Linux 6.0, 7.0, 8.0, Fedora 19, 20, Ubuntu Linux 12.04, 12.10, 13.10, Enterprise Linux 6.5

Patches

Patch: www.oracle.comPatch: www.oracle.comPatch: lists.apache.org

🔴Vulnerability Details

4
GHSA
GHSA-w8r8-w5w4-4w4v: The (1) TLS and (2) DTLS implementations in OpenSSL 12022-05-13
CVEList
CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 12014-04-07
OSV
CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 12014-04-07
VulnCheck
OpenSSL Information Disclosure Vulnerability2014

💥Exploits & PoCs

5
Exploit-DB
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (2) (DTLS Support)2014-04-24
Exploit-DB
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Information Leak (1)2014-04-10
Exploit-DB
OpenSSL 1.0.1f TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure (Multiple SSL/TLS Versions)2014-04-09
Exploit-DB
OpenSSL TLS Heartbeat Extension - 'Heartbleed' Memory Disclosure2014-04-08
Nuclei
OpenSSL Heartbleed Vulnerability

🔍Detection Rules

11
Suricata
ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 4 (Inbound to Common SSL Port)2014-04-15
Suricata
ET EXPLOIT Possible TLS HeartBleed Unencrypted Request Method 3 (Inbound to Common SSL Port)2014-04-15
Suricata
ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Server)2014-04-11
Suricata
ET EXPLOIT Possible OpenSSL HeartBleed Large HeartBeat Response from Common SSL Port (Outbound from Client)2014-04-11
Suricata
ET EXPLOIT TLS HeartBeat Request (Client Initiated) fb set2014-04-09

📋Vendor Advisories

8
CISA
OpenSSL Information Disclosure Vulnerability2022-05-04
Cisco
OpenSSL Heartbeat Extension Vulnerability in Multiple Cisco Products2014-04-09
Cisco
OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability2014-04-08
BSD
FreeBSD-SA-14:06.openssl: OpenSSL multiple vulnerabilities2014-04-08
Red Hat
openssl: information disclosure in handling of TLS heartbeat extension packets2014-04-07

🕵️Threat Intelligence

4
Unit42
Examining the CHS Breach and Heartbleed Exploitation2014-08-20
Unit42
Examining the CHS Breach and Heartbleed Exploitation2014-08-20
Unit42
8 Tips For Dealing With Heartbleed Right Now2014-04-12
Huntress
CVE-2014-0160 Vulnerability: Analysis, Impact, Mitigation | Huntress

📄Research Papers

3
CTF
tr2-ssl-0day-20 / README2017
CTF
code-name-10 / README2016
CTF
heartbleed_fuzz / README

💬Community

6
Bugzilla
tor: security update2014-05-28
HackerOne
https://concrete5.org ::: HeartBleed Attack (CVE-2014-0160)2014-04-09
Bugzilla
OpenSSL version in Firefox OS builds vulnerable to CVE-2014-0160 ("Heartbleed")2014-04-09
Bugzilla
CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets2014-04-07
Bugzilla
CVE-2014-0160 openssl: information disclosure in handling of TLS heartbeat extension packets [fedora-all]2014-04-07