TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

09/04/14, TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
From: "US-CERT" <US-CERT@ncas.us-cert.gov>



To: on@cs.ait.ac.th
Subject: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
From: "US-CERT" <US-CERT@ncas.us-cert.gov>
Date: Tue, 08 Apr 2014 15:13:37 -0500
Reply-to: US-CERT@ncas.us-cert.gov

Title: TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

NCCIC / US-CERT

National Cyber Awareness System:

04/08/2014 08:46 AM EDT

Original release date: April 08, 2014

Systems Affected

  • OpenSSL 1.0.1 through 1.0.1f
  • OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.
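The "incorrect memory handling" the advisory refers to is a missing bounds check: a heartbeat message carries a 2-byte payload length that the peer supplies, and the affected versions copy that many bytes into the echo response without confirming that the record actually contains them. The 16-bit field is also why each leak is bounded at 64k. The following is an added example, not OpenSSL's own code or anything from US-CERT: a simplified, self-contained model of a heartbeat validator that applies the same check OpenSSL 1.0.1g added (declared payload length plus header and padding must fit inside the bytes received, otherwise the record is silently discarded). The function names, the result codes and the test vectors are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
 * payload bytes, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Result codes are an assumption of this example, not OpenSSL's API. */
enum hb_result { HB_OK = 0, HB_REJECT_SHORT = 1, HB_REJECT_TYPE = 2, HB_REJECT_LENGTH = 3 };

/* Validate a received heartbeat record and, if well-formed, build the echo
 * response into out[]. The length comparison is the check that was absent
 * in 1.0.1 through 1.0.1f: the declared payload length is peer-controlled
 * and must never be trusted over the number of bytes actually received. */
enum hb_result hb_process(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 1 + 2 + HB_PADDING)           /* cannot even hold header + padding */
        return HB_REJECT_SHORT;
    if (rec[0] != HB_REQUEST)
        return HB_REJECT_TYPE;

    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* peer-supplied length field */

    /* The 1.0.1g-style bounds check: declared length must fit in the record. */
    if (1 + 2 + payload + HB_PADDING > rec_len)
        return HB_REJECT_LENGTH;                /* discard silently, no response */

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return HB_REJECT_SHORT;                 /* caller's buffer too small */

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* safe: bounded by the check above */
    memset(out + 3 + payload, 0, HB_PADDING);   /* real implementations use random padding */
    *out_len = resp_len;
    return HB_OK;
}

/* Construct a heartbeat request test vector. 'declared' is the value written
 * into the length field; 'actual' is how many payload bytes are really present.
 * Returns the record length, or 0 if it does not fit in buf. */
size_t hb_make_record(uint8_t *buf, size_t cap, uint16_t declared, size_t actual)
{
    size_t len = 1 + 2 + actual + HB_PADDING;
    if (len > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + 3, 'A', actual);               /* constructed payload */
    memset(buf + 3 + actual, 0, HB_PADDING);
    return len;
}

/* A well-formed request: declared length matches the bytes present.
 * Returns the response length produced (0 if rejected). */
size_t hb_demo_wellformed(void)
{
    uint8_t req[128], resp[128];
    size_t n = hb_make_record(req, sizeof req, 4, 4);
    size_t rl = 0;
    if (hb_process(req, n, resp, sizeof resp, &rl) != HB_OK)
        return 0;
    if (resp[0] != HB_RESPONSE || memcmp(resp + 3, "AAAA", 4) != 0)
        return 0;
    return rl;
}

/* A malformed request: the length field claims the 64k maximum while only
 * 4 payload bytes were received. Returns the validator's result code. */
int hb_demo_malformed(void)
{
    uint8_t req[128], resp[128];
    size_t n = hb_make_record(req, sizeof req, 65535, 4);
    size_t rl = 0;
    return (int)hb_process(req, n, resp, sizeof resp, &rl);
}

int main(void)
{
    printf("well-formed: response length %zu\n", hb_demo_wellformed());
    printf("malformed:   result code %d (3 = rejected on length)\n", hb_demo_malformed());
    return 0;
}
```

The same comparison (declared length plus header and padding against the bytes actually on the wire) is what a network sensor checks when it flags heartbeat requests whose length field exceeds the record, which is a practical way to detect probing of hosts that have not yet been patched.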

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised; they should be regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

References

Revision History

  • Initial Publication



This email was sent to on@cs.ait.ac.th using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110 Powered by GovDelivery
