Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2014-0160

A vulnerability in the Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) heartbeat functionality in OpenSSL used in multiple Cisco products could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server. The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords. Functional code that exploits this vulnerability is available as part of the Metasploit framework. OpenSSL has confirmed the vulnerability and released software updates. An attacker could exploit this vulnerability to access memory from an application that uses an affected version of OpenSSL in chunks of 64k; however, repeated exploitation could allow the attacker to retrieve additional memory to further retrieve sensitive information. However, widespread attacks have not been detected or reported. A secondary impact of the vulnerability, the compromise of certificate secret key information, could allow attackers to decrypt captured network traffic, whether stored or in transit. Attackers also require a privileged position in the network to capture network traffic, increasing the difficulty of leveraging information gained from exploits against the vulnerability. If sites are using SSL certificates for authentication, attackers could use stolen secret keys to impersonate a trusted host, possibly for use as part of phishing or spoofing attacks. CVSS temporal scoring metrics on this vulnerability reflect software products affected by the vulnerability that have no available software updates. Products with available software updates have a reduced temporal score.

Source

Summary

A vulnerability in the Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) heartbeat functionality in OpenSSL used in multiple Cisco products could allow an unauthenticated, remote attacker to retrieve memory in chunks of 64 kilobytes from a connected client or server.

The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client, if trying to exploit the vulnerability on an affected server, or a malicious TLS or DTLS server, if trying to exploit the vulnerability on an affected client. The attacker could then send a specially-crafted TLS or DTLS heartbeat packet to the connected client or server. An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server for every heartbeat packet sent. The disclosed portions of memory could contain sensitive information that may include private keys and passwords.

Functional code that exploits this vulnerability is available as part of the Metasploit framework.

OpenSSL has confirmed the vulnerability and released software updates.

An attacker could exploit this vulnerability to access memory from an application that uses an affected version of OpenSSL in chunks of 64k; however, repeated exploitation could allow the attacker to retrieve additional memory to further retrieve sensitive information. However, widespread attacks have not been detected or reported.

A secondary impact of the vulnerability, the compromise of certificate secret key information, could allow attackers to decrypt captured network traffic, whether stored or in transit. Attackers also require a privileged position in the network to capture network traffic, increasing the difficulty of leveraging information gained from exploits against the vulnerability.

If sites are using SSL certificates for authentication, attackers could use stolen secret keys to impersonate a trusted host, possibly for use as part of phishing or spoofing attacks.

CVSS temporal scoring metrics on this vulnerability reflect software products affected by the vulnerability that have no available software updates. Products with available software updates have a reduced temporal score.

Affected Products

OpenSSL.org has released a security advisory at the following link: CVE-2014-0160

ABB has released a security advisory at the following link: ABB Doc ID - 1MRG016193

Apple has released a security advisory at the following link: HT6203

Atvise has released a security advisory at the following link: Patch OpenSSL

BlackBerry has released a security notice at the following link: KB35882

Blue Coat has released a security advisory at the following link: SA79

CA has released a security notice at the following link: CA20140413-01

Cisco has released a security advisory at the following link: cisco-sa-20140409-heartbleed. Cisco has also released a blog post to address the vulnerability relating to Cisco products at the following link: Cisco products and mitigations

Digi has released a security advisory at the following link: CVE-2014-0160

FreeBSD has released a VuXML document at the following link: OpenSSL -- Multiple vulnerabilities - private data exposure. FreeBSD has also released a security advisory at the following link: FreeBSD-SA-14:06.openssl

HP has released security bulletins c04236102, c04239374, c04240206, c04250814, c04255796, c04260456, c04260505, c04260353, c04267775, c04264271, c04263236, c04273303 and c04264595 at the following links: HPSBMU02995 rev.2, HPSBMU02999 SSRT101505, HPSBST03001 SSRT101506, HPSBGN03010 SSRT101517, HPSBMU03012 SSRT101504, HPSBMU03017 SSRT101528, HPSBMU03018 SSRT101529, HPSBMU03019 SSRT101530, HPSBMU03025 SSRT101539, HPSBMU03023 SSRT101535, HPSBMU03022 SSRT101527, HPSBST03027 SSRT101537, and HPSBST03004 SSRT101514

IBM has released a security bulletin at the following link: AIX OpenSSL Heartbleed Vulnerability CVE-2014-0160

ICS-CERT has released security advisories at the following links: ICSA-14-114-01, ICSA-14-105-03A, ICSA-14-128-01, ICSA-14-135-02, ICSA-14-135-04, and ICSA-14-126-01A

Juniper Networks has released a security bulletin at the following link: JSA10623

Microsoft has released a security advisory at the following link: 2962393

Oracle has released a security bulletin at the following link: OpenSSL Security Bug - Heartbleed / CVE-2014-0160

Red Hat has released an official CVE statement and security advisories for bug 1084875 at the following links: CVE-2014-0160, RHSA-2014:0376, RHSA-2014:0377, RHSA-2014:0378, RHSA-2014:0396, and RHSA-2014:0416.

Siemens has released a security advisory at the following link: SSA-635659

Unified Automation has released a security advisory at the following link: Heartbleed Bug in OpenSSL

US-CERT has released a vulnerability note at the following link: VU#720951

VMware has released a Knowledge Base article and a security advisory at the following links: KB: 2076225 and VMSA-2014-0004

Vulnerable Products

OpenSSL versions 1.0.1 through 1.0.1f are vulnerable.

Products Confirmed Not Vulnerable

No other Cisco products are currently known to be affected by these vulnerabilities.

Workarounds

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators may consider disabling OpenSSL heartbeat support by recompiling OpenSSL with the -DOPENSSL_NO_HEARTBEATS flag.

Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

Administrators are advised to monitor affected systems.

Fixed Software

OpenSSL.org has released an updated version at the following link: OpenSSL 1.0.1g

ABB customers could obtain software patches and installation support from their local ABB customer support channels.

Apple has released software updates at the following link: Airport Base Station Firmware 7.7.3

Atvise has released updated software at the following link: Heartbleed Bug

Blue Coat has released a patch for registered users at the following link: ProxySG 6.5.3.6 and later

CA has released software updates at the following links:

CA ARCserve D2D for Windows 16.5
RO69431
CA ARCserve D2D for Linux 16.5
RO69417
CA ARCserve Replication and High Availability 16.5
RI69547
CA ecoMeter 3.1 and CA eHealth 6.3.0.05 - 6.3.1.01 for
Windows: RO69554
Linux: RO69556
Solaris: RO69555
CA ecoMeter 4.0, 4.1 and 4.2 and CA eHealth 6.3.1.02 - 6.3.2.04 for
Windows: RO69442
Linux: RO69443
Solaris: RO69444

CentOS packages can be updated using the up2date or yum command.

Digi has released software fixes in the github repository, and instructions for this update are at the following link: Digi Embedded Yocto 1.4

FreeBSD has released ports collection updates at the following link: Ports Collection Index. FreeBSD has also released patches to mitigate this vulnerability. Details on installing the patches are describe in the vendor's security advisory located in the "Vendor Announcements" section.

HP has released updated software at the following link: CVE-2014-0160

HP has released software updates and described additional steps in the vendor advisory for registered customers running HP Autonomy WorkSite Server at the following link: iManage WorkSite

HP has released remediation guidelines and described additional steps in the vendor advisory for registered customers running HP Server Automation at the following link: SA_Alert_Heartbleed_Vulnerability

HP has released patches available via normal HP Services support channels.

IBM has released software fixes at the following FTP link: openssl_ifix7. Additional instructions are needed after applying the patch; these are located in the vendor's security bulletin.

Juniper Networks has released software updates for registered users at the following link: SSL VPN 8.0R3.1 and 7.4R9.1

Microsoft customers can obtain updates directly by using the links in the security bulletin. These updates are also distributed by Windows automatic update features and available on the Microsoft Update service. Microsoft Windows Server Update Services (WSUS), Systems Management Server, and System Center Configuration Manager can assist administrators in deploying software updates.

Oracle has released software patches for affected products outlined in the vendor advisory for registered customers at the following link: Oracle

Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

Siemens customers are advised to acquire the firmware update, eLAN version 8.3.3, and WinCC OA version 3.12-P006 via normal Siemens support channels.

Tableau Software has released software updates at the following link: Tableau Alternate Download Site

Unified Automation customers are advised to download OpenSSL 1.0.1g and recompile the SDK and affected server.

VMware has released a patch and instructions for installing the patch in a security advisory about critical updates to vFabric Web Server at the following link: vFabric Web Server

Exploitation and Public Announcements

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Cisco Security Vulnerability Policy

To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Revision History

Version	Description	Section	Status	Date
21.0	CA has released a security notice and updated software to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-May-19
20.0	ICS-CERT has released additional security advisories to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability. Tableau Software has released software updates and Unified Automation has released a security advisory and mitigation steps to address the vulnerability.	NA	Final	2014-May-16
19.0	ICS-CERT has released an additional security advisory to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability. Digi has also released a security advisory and updated software to address this vulnerability.	NA	Final	2014-May-09
18.0	Siemens has released a security advisory and updated packages to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability. ICS-CERT has also released a security advisory to address this vulnerability.	NA	Final	2014-May-07
17.0	Microsoft has released a security advisory and software updates to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-May-06
16.0	HP has released additional security advisories and updated software to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-May-05
15.0	HP has released additional security bulletins and remediation steps to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-28
14.0	ICS-CERT has released a security advisory to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-25
13.0	Apple and Oracle have released security advisories and updated software to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-24
12.0	HP has released additional security bulletins and updated software to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-23
11.0	HP has released an additional security bulletin to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-21
10.0	HP has released an additional security bulletin and remediation steps to address the OpenSSL heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-18
9.0	Red Hat has released an additional security advisory and updated packages to address the OpenSSL heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-18
8.0	HP has released additional security bulletins and updated software to address the OpenSSL heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-17
7.0	VMware has released an additional security advisory and updated software to address the OpenSSL heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-15
6.0	BlackBerry, IBM, Red Hat, VMware, and HP have released security advisories and software updates to address the OpenSSL heartbeat information disclosure vulnerability. Functional exploit code that exploits this vulnerability is also publicly available.	NA	Final	2014-Apr-14
5.0	Blue Coat has released a security advisory and software updates to address the OpenSSL heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-10
4.0	Additional information is available related to the OpenSSL heartbeat information disclosure vulnerability.	NA	Final	2014-Apr-09
3.0	FreeBSD and Juniper Networks have released security advisories and software updates to address the OpenSSL heartbeat information disclosure vulnerability. Cisco has also released a security advisory and blog post to address the vulnerability.	NA	Final	2014-Apr-09
2.0	Proof-of-concept code that exploits the OpenSSL heartbeat information disclosure vulnerability is publicly available.	NA	Final	2014-Apr-08
1.0	OpenSSL contains a vulnerability that could allow an unauthenticated, remote attacker to gain access to sensitive information. Updates are available.	NA	Final	2014-Apr-08

Show Complete History...

Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.

Feedback

Leave additional feedback

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

OpenSSL TLS/DTLS Heartbeat Information Disclosure Vulnerability

Summary

Affected Products

Vulnerable Products

Products Confirmed Not Vulnerable

Workarounds

Fixed Software

Exploitation and Public Announcements

Cisco Security Vulnerability Policy

Subscribe to Cisco Security Notifications

Action Links for This Advisory

Related to This Advisory

URL

Revision History

Legal Disclaimer

Feedback

Vulmon Search

About

Products

Connect