CVE-2014-0160
In summary
OpenSSL's Heartbeat function has a flaw that lets attackers read sensitive data, such as private keys, directly from server memory through specially crafted requests. This is critical because it exposes private encryption keys that should never be shared.
Technical detail
The Heartbeat extension in OpenSSL 1.0.1 before version 1.0.1g contains an out-of-bounds memory read (buffer over-read) vulnerability in the files d1_both.c and t1_lib.c. Remote attackers can trigger this over-read through crafted heartbeat packets, with no authentication required, allowing exfiltration of process memory, including private keys.
Summary generated and translated by AI from the official description.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
Public PoCs found: 78
github · github.com/FiloSottile/Heartbleed · ★ 2390
github · github.com/musalbas/heartbleed-masstest · ★ 574
github · github.com/titanous/heartbleeder · ★ 452
github · github.com/Lekensteyn/pacemaker · ★ 330
github · github.com/sensepost/heartbleed-poc · ★ 170
github · github.com/einaros/heartbleed-tools · ★ 98
github · github.com/mpgn/heartbleed-PoC · ★ 85
github · github.com/isgroup/openmagic · ★ 40
github · github.com/jdauphant/patch-openssl-CVE-2014-0160 · ★ 19
github · github.com/DisK0nn3cT/MaltegoHeartbleed · ★ 18
github · github.com/hmlio/vaas-cve-2014-0160 · ★ 15
github · github.com/OffensivePython/HeartLeak · ★ 15
github · github.com/hybridus/heartbleedscanner · ★ 11
github · github.com/0x90/CVE-2014-0160 · ★ 8
github · github.com/DominikTo/bleed · ★ 7
github · github.com/0xinf0/bleeding_onions · ★ 6
github · github.com/undacmic/heartbleed-proof-of-concept · ★ 5
github · github.com/anthophilee/A2SV--SSL-VUL-Scan · ★ 5
github · github.com/hreese/heartbleed-dtls · ★ 5
github · github.com/yryz/heartbleed.js · ★ 4
github · github.com/mozilla-services/Heartbleed · ★ 3
github · github.com/ingochris/heartpatch.us · ★ 3
github · github.com/cyphar/heartthreader · ★ 2
github · github.com/amerine/coronary · ★ 2
github · github.com/cheese-hub/heartbleed · ★ 2
github · github.com/GuillermoEscobero/heartbleed · ★ 2
github · github.com/zouguangxian/heartbleed · ★ 2
github · github.com/indrajeetmp11/Heartbleed-PoC-Exploit-Script · ★ 2
github · github.com/pblittle/aws-suture · ★ 2
github · github.com/GardeniaWhite/fuzzing · ★ 2
github · github.com/waqasjamal-zz/HeartBleed-Vulnerability-Checker · ★ 2
github · github.com/belmind/heartbleed · ★ 1
github · github.com/Xyl2k/CVE-2014-0160-Chrome-Plugin · ★ 1
github · github.com/Saymeis/HeartBleed · ★ 1
github · github.com/proactiveRISK/heartbleed-extention · ★ 1
github · github.com/xanas/heartbleed.py · ★ 1
github · github.com/sammyfung/openssl-heartbleed-fix · ★ 1
github · github.com/xlucas/heartbleed · ★ 1
github · github.com/vortextube/ssl_scanner · ★ 1
github · github.com/pierceoneill/bleeding-heart · ★ 0
github · github.com/obayesshelton/CVE-2014-0160-Scanner · ★ 0
github · github.com/fb1h2s/CVE-2014-0160 · ★ 0
github · github.com/takeshixx/ssl-heartbleed.nse · ★ 0
github · github.com/roganartu/heartbleedchecker-chrome · ★ 0
github · github.com/ice-security88/CVE-2014-0160 · ★ 0
github · github.com/siddolo/knockbleed · ★ 0
github · github.com/a0726h77/heartbleed-test · ★ 0
github · github.com/idkqh7/heatbleeding · ★ 0
github · github.com/GeeksXtreme/ssl-heartbleed.nse · ★ 0
github · github.com/indiw0rm/-Heartbleed- · ★ 0
github · github.com/iSCInc/heartbleed · ★ 0
github · github.com/marstornado/cve-2014-0160-Yunfeng-Jiang · ★ 0
github · github.com/froyo75/Heartbleed_Dockerfile_with_Nginx · ★ 0
github · github.com/caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC · ★ 0
github · github.com/cved-sources/cve-2014-0160 · ★ 0
github · github.com/artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS · ★ 0
github · github.com/tomdevman/heartbleed-bug · ★ 0
github · github.com/ThanHuuTuan/Heartexploit · ★ 0
github · github.com/rouze-d/heartbleed · ★ 0
github · github.com/WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed · ★ 0
github · github.com/h3x0v3rl0rd/CVE-2014-0160_Heartbleed · ★ 0
github · github.com/ArtemCyberLab/Project-Field-Analysis-and-Memory-Leak-Demonstration · ★ 0
github · github.com/SimoesCTT/CTT-HEARTBLEED-Temporal-Resonance-Memory-Leak-Exploit-Heartbleed-CVE-2014-0160 · ★ 0
github · github.com/22imer/CVE-2014-0160 · ★ 0
github · github.com/0xBlackash/CVE-2014-0160 · ★ 0
github · github.com/Ryo-Soikutsu/Heartbleed · ★ 0
github · github.com/victoriacfigueiredo/heartbleed-lab · ★ 0
github · github.com/cbk914/heartbleed-checker · ★ 0
github · github.com/MrE-Fog/CVE-2014-0160-Chrome-Plugin · ★ 0
github · github.com/timsonner/cve-2014-0160-heartbleed · ★ 0
github · github.com/yashfren/CVE-2014-0160-HeartBleed · ★ 0
github · github.com/Shayhha/HeartbleedAttack · ★ 0
exploitdb · www.exploit-db.com/exploits/32745 · unverified
cve_reference · www.exploit-db.com/exploits/32764 · unverified
exploitdb · www.exploit-db.com/exploits/32998 · unverified
exploitdb · www.exploit-db.com/exploits/32764 · unverified
cve_reference · www.exploit-db.com/exploits/32745 · unverified
exploitdb · www.exploit-db.com/exploits/32791 · unverified
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://advisories.mageia.org/MGASA-2014-0165.html
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/
http://cogentdatahub.com/ReleaseNotes.html
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f379b0c154650d6c108e9a3
http://heartbleed.com/
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.html
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html