CVE-2014-0160

Scores

EPSS

0.945High94.5%
0%20%40%60%80%100%

Percentile: 94.5%

CVSS

7.5High3.x
0246810

CVSS Score: 7.5/10

All CVSS Scores

CVSS 3.x
7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0
5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Scaner-VS 7 — a modern vulnerability management solution

Uses this database for vulnerability detection. High-speed search, cross-platform, advanced configuration audit, and flexible filtering. Suitable for organizations of any size.
Learn more about Scaner-VS 7

Sources

debiannvdredhat

CWEs

CWE-125CWE-130

Related Vulnerabilities

Exploits

Exploit ID: CVE-2014-0160

Source: cisa

URL: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Exploit ID: 32745

Source: exploitdb

URL: https://www.exploit-db.com/exploits/32745

Exploit ID: 32764

Source: exploitdb

URL: https://www.exploit-db.com/exploits/32764

Exploit ID: 32791

Source: exploitdb

URL: https://www.exploit-db.com/exploits/32791

Exploit ID: 32998

Source: exploitdb

URL: https://www.exploit-db.com/exploits/32998

Recommendations

Source: nvd

Apply an updateThis issue is addressed in OpenSSL 1.0.1g. Please contact your software vendor to check for availability of updates. Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items. Old keys should be revoked.Reports indicate that the use of mod_spdy can prevent the updated OpenSSL library from being utilized, as mod_spdy uses its own copy of OpenSSL. Please see https://code.google.com/p/mod-spdy/issues/detail?id=85 for more details.Disable OpenSSL heartbeat supportThis issue can be addressed by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag. Software that uses OpenSSL, such as Apache or Nginx would need to be restarted for the changes to take effect.Use Perfect Forward Secrecy (PFS)PFS can help minimize the damage in the case of a secret key leak by making it more difficult to decrypt already-captured network traffic. However, if a ticket key is leaked, then any sessions that use that ticket could be compromised. Ticket keys may only be regenerated when a web server is restarted.

URL: http://www.kb.cert.org/vuls/id/720951

Source: nvd

This update is available via the Red Hat Network. Details on how to use theRed Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258
To upgrade Hypervisors in Red Hat Enterprise Virtualization environmentsusing the disk image provided by this package, refer to:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html

URL: http://rhn.redhat.com/errata/RHSA-2014-0396.html

Source: nvd

This update is available via the Red Hat Network. Details on how to use theRed Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258
To upgrade Hypervisors in Red Hat Enterprise Virtualization environmentsusing the disk image provided by this package, refer to:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Hypervisor_Deployment_Guide/chap-Deployment_Guide-Upgrading_Red_Hat_Enterprise_Virtualization_Hypervisors.html

URL: http://rhn.redhat.com/errata/RHSA-2014-0378.html

Source: nvd

Before applying this update, make sure all previously released erratarelevant to your system have been applied.
This update is available via the Red Hat Network. Details on how touse the Red Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258

URL: http://rhn.redhat.com/errata/RHSA-2014-0377.html

Source: nvd

Before applying this update, make sure all previously released erratarelevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use theRed Hat Network to apply this update are available athttps://access.redhat.com/site/articles/11258

URL: http://rhn.redhat.com/errata/RHSA-2014-0376.html

Vulnerable Software (35)

Type: Configuration

Product: openssl

Operating System: debian squeeze 6

Trait:
{
  "unaffected": true
}

Source: debian

Type: Configuration

Product: openssl

Operating System: debian

Trait:
{
  "fixed": "1.0.1g-1"
}

Source: debian

Type: Configuration

Product: openssl

Operating System: rhel

Trait:
{
  "fixed": "1.0.1e-16.el6_5.7"
}

Source: redhat

Type: Configuration

Product: openssl

Operating System: rhel 6

Trait:
{
  "fixed": "1.0.1e-16.el6_5.7"
}

Source: redhat

Type: Configuration

Product: rhev-hypervisor6

Operating System: rhel 6

Trait:
{
  "fixed": "6.5-20140407.0.el6ev"
}

Source: redhat

Type: Configuration

Product: rhev-hypervisor6

Operating System: rhel 6

Trait:
{
  "fixed": "6.5-20140118.1.3.2.el6_5"
}

Source: redhat

Type: Configuration

Product: spice-client-msi

Operating System: rhel

Trait:
{
  "fixed": "3.3-12"
}

Source: redhat

Type: Configuration

Vendor: broadcom

Product: symantec_messaging_gateway

Operating System: * * *

Trait:
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:a:broadcom:symantec_messaging_gateway:10.6.0:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:a:broadcom:symantec_me...

Source: nvd

Type: Configuration

Vendor: canonical

Product: ubuntu_linux

Operating System: * * *

Trait:
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*...

Source: nvd

Type: Configuration

Vendor: debian

Product: debian_linux

Operating System: * * *

Trait:
{
  "cpe_match": [
    {
      "cpe23uri": "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
      "vulnerable": true
    },
    {
      "cpe23uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",...

Source: nvd