CVE-2014-0160 Vulnerability

Overview

• Platform and Vulnerable Versions: Affects all platforms running impacted versions of OpenSSL.
• Type of Vulnerability: Sensitive data leakage from system memory (RAM).
• Risk Severity (CVSSv3): High, with a CVSS score of 7.5.
• Cause: A coding bug within the OpenSSL library.

 

Technical Description

The Heartbleed vulnerability (CVE-2014-0160) is a critical flaw in the OpenSSL cryptographic library, enabling attackers to read system memory and potentially retrieve private cryptographic keys.

 

Vulnerability Details

This vulnerability allows an attacker to exploit a flaw in OpenSSL’s heartbeat function by sending a crafted request to the server, prompting a response that leaks memory contents. Because the vulnerable server does not validate the length stated in the request against the data it actually received, it reads up to 64 KB of whatever memory follows the request data and returns it to the attacker.

During an attack, up to 64 KB of memory associated with Transport Layer Security (TLS) sessions is disclosed to the attacker. If repeated, this action may expose sensitive data, including usernames, passwords, administrative credentials, user data, and session cookies.

By exploiting this flaw, attackers can intercept data encrypted by SSL/TLS. Until the vulnerable version of OpenSSL is replaced, any server running it remains susceptible to data theft during secure communications.
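The length validation whose absence is described above, modelled as a stand-alone C example. This is an added illustration, not OpenSSL's source code: the function names `hb_overread` and `hb_respond` are hypothetical, the sample records are constructed, and the record layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16  /* minimum padding length, RFC 6520 */

/* Bytes beyond the received record that copying the claimed payload
 * length would touch. 0 means the claim fits inside the record. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t avail = rec_len - HB_HEADER;
    return claimed > avail ? claimed - avail : 0;
}

/* Validating handler: writes the response to out and returns its length,
 * or returns 0 when the record must be silently discarded. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0; /* no room for header + padding */
    if (rec[0] != HB_REQUEST) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t total = HB_HEADER + claimed + HB_PADDING;
    if (total > rec_len) return 0;   /* claimed length exceeds what was received */
    if (total > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed); /* bounded by rec_len */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);  /* real padding is random */
    return total;
}

int main(void)
{
    /* Constructed records: 4-byte payload "ping" plus 16 bytes of padding. */
    uint8_t honest[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t lying[23]  = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("honest: overread=%zu response=%zu\n", hb_overread(honest, 23), hb_respond(honest, 23, out, sizeof out));
    printf("lying:  overread=%zu response=%zu\n", hb_overread(lying, 23), hb_respond(lying, 23, out, sizeof out));
    return 0;
}
```

A non-zero `hb_overread` result is the amount of adjacent memory a handler without the `total > rec_len` check would have copied into its reply.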

 

Vulnerable Versions

All operating systems that ship a vulnerable OpenSSL version are affected, notably the following default installs:
• OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
• Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
• Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
• FreeBSD 10.0, OpenSSL 1.0.1e 11 Feb 2013
• OpenSUSE 12.2 (OpenSSL 1.0.1c)
• CentOS 6.5, OpenSSL 1.0.1e-15
• Fedora 18, OpenSSL 1.0.1e-4
• NetBSD 5.0.2 (OpenSSL 1.0.1e)

 

How to patch the vulnerability

✔️ This vulnerability is patched in OpenSSL version 1.0.1g and later.