A vulnerability in the Transport Layer Security (TLS)/Datagram Transport Layer Security (DTLS) heartbeat functionality in OpenSSL used in multiple Cisco products could allow an unauthenticated, remote attacker to retrieve memory in chunks of up to 64 kilobytes from a connected client or server.
The vulnerability is due to a missing bounds check in the handling of the TLS heartbeat extension: the handler trusts the payload length declared in the heartbeat message instead of the number of bytes actually received, and echoes back that many bytes from memory. An attacker could exploit this vulnerability by implementing a malicious TLS or DTLS client (to attack an affected server) or a malicious TLS or DTLS server (to attack an affected client) and sending a specially crafted TLS or DTLS heartbeat packet to the connected peer. Each heartbeat packet discloses a limited portion of the peer's memory, at most 64 KB; repeated exploitation allows the attacker to retrieve additional memory and assemble further sensitive information from it. The disclosed memory could contain sensitive information, including private keys and passwords. Functional exploit code for this vulnerability is available as part of the Metasploit framework. OpenSSL has confirmed the vulnerability and released software updates. Widespread attacks have not been detected or reported.
A secondary impact of the vulnerability, the compromise of the private key belonging to a server certificate, could allow attackers to decrypt captured network traffic, whether stored or in transit, for sessions whose key exchange did not use an ephemeral (forward-secret) key agreement. Attackers also require a privileged position in the network to capture network traffic, increasing the difficulty of leveraging information gained from exploits against the vulnerability.
If sites are using SSL certificates for authentication, attackers could use stolen private keys to impersonate a trusted host, possibly as part of phishing or spoofing attacks. Installing fixed software does not undo this exposure: a private key that may have been disclosed must be replaced and its certificate revoked and reissued. CVSS temporal scoring metrics on this vulnerability reflect software products affected by the vulnerability that have no available software updates. Products with available software updates have a reduced temporal score.
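To make the missing bounds check concrete, the following C program is an added example written for this page; it is not OpenSSL's code and does not come from the Cisco advisory. It models a heartbeat handler in the vulnerable shape next to one carrying the length check that the OpenSSL fix introduced. Process memory is stood in for by a single constructed buffer with the received record at the start and a planted secret string directly after it; the record layout (type, 16-bit length, payload, 16 bytes of padding) follows RFC 6520, and every function and constant name here is the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_HDR           3    /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING       16   /* minimum padding required by RFC 6520 */

/* Constructed for this example: the peer's memory is one buffer. The received
 * heartbeat record is placed at its start and a secret string is planted right
 * after it, standing in for whatever followed the record in the real heap. */
#define MEM_SIZE 1024
static const char SECRET[] = "PRIVATE-KEY-MATERIAL";

/* Build a heartbeat request: type | length (big-endian) | payload | padding.
 * claimed_len goes on the wire; actual_len is how many payload bytes really
 * follow. An attacker sets claimed_len far larger than actual_len. */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = TLS1_HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + HB_HDR, payload, actual_len);
    memset(out + HB_HDR + actual_len, 0, HB_PADDING);
    return HB_HDR + actual_len + HB_PADDING;
}

/* Vulnerable shape: trusts the attacker-controlled length field and never
 * compares it with rec_len, the number of bytes actually received.
 * Returns the response length, or -1 if the response would not fit. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload);   /* reads past the record */
    memset(resp + HB_HDR + payload, 0, HB_PADDING);
    return (int)(HB_HDR + payload + HB_PADDING);
}

/* Fixed shape, following the check OpenSSL 1.0.1g added: a record whose
 * claimed payload plus header and padding exceeds what was received is
 * silently discarded (return 0, nothing sent back). */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *resp, size_t resp_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;     /* too short to be valid */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PADDING > rec_len) return 0; /* the bounds check */
    if ((size_t)HB_HDR + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload);
    memset(resp + HB_HDR + payload, 0, HB_PADDING);
    return (int)(HB_HDR + payload + HB_PADDING);
}

/* Stage a record with a 5-byte payload and the given claimed length. */
static size_t stage(unsigned char *mem, uint16_t claimed)
{
    memset(mem, 0, MEM_SIZE);
    size_t rec_len = build_heartbeat(mem, claimed, (const unsigned char *)"hello", 5);
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);   /* adjacent memory */
    return rec_len;
}

/* 1 if the vulnerable handler echoes the planted secret back, else 0. */
int demo_vulnerable_leaks(void)
{
    unsigned char mem[MEM_SIZE], resp[4096];
    size_t rec_len = stage(mem, 64);                  /* claims 64, sends 5 */
    int n = heartbeat_vulnerable(mem, rec_len, resp, sizeof resp);
    /* resp[i] mirrors mem[i] for i >= HB_HDR, so the secret lands at resp + rec_len */
    return n > 0 && (size_t)n >= rec_len + sizeof SECRET - 1 &&
           memcmp(resp + rec_len, SECRET, sizeof SECRET - 1) == 0;
}

/* Response length from the fixed handler for the same malicious record (0 = discarded). */
int demo_fixed_discards(void)
{
    unsigned char mem[MEM_SIZE], resp[4096];
    size_t rec_len = stage(mem, 64);
    return heartbeat_fixed(mem, rec_len, resp, sizeof resp);
}

/* Response length for an honest record whose claimed length matches (3 + 5 + 16). */
int demo_fixed_honest(void)
{
    unsigned char mem[MEM_SIZE], resp[4096];
    size_t rec_len = stage(mem, 5);
    return heartbeat_fixed(mem, rec_len, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaks planted secret: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler, malicious record, response length: %d\n", demo_fixed_discards());
    printf("fixed handler, honest record, response length: %d\n", demo_fixed_honest());
    return 0;
}
```

Build with any C99 compiler (for instance `cc -std=c99 -Wall heartbeat_demo.c`, the file name being arbitrary). In the real bug the over-read runs off the end of the record into whatever the heap holds next, which is undefined behaviour and varies run to run; the example keeps the read inside one buffer so the leak is deterministic and shows the response to the attacker's record carrying bytes that were never part of it, while the honest 5-byte heartbeat still gets its 24-byte reply from the fixed handler.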
CentOS packages can be updated using the up2date or yum command.
CA has released the following fixes:
CA ARCserve D2D for Windows 16.5: RO69431
CA ARCserve D2D for Linux 16.5: RO69417
CA ARCserve Replication and High Availability 16.5: RI69547
CA ecoMeter 3.1 and CA eHealth 6.3.0.05 - 6.3.1.01 for Windows: RO69554, Linux: RO69556, Solaris: RO69555
CA ecoMeter 4.0, 4.1 and 4.2 and CA eHealth 6.3.1.02 - 6.3.2.04 for Windows: RO69442, Linux: RO69443, Solaris: RO69444
The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
Version | Description | Section | Status | Date |
21.0 | CA has released a security notice and updated software to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability. | NA | Final | 2014-May-19 |
20.0 | ICS-CERT has released additional security advisories to address the OpenSSL TLS/DTLS heartbeat information disclosure vulnerability. Tableau Software has released software updates and Unified Automation has released a security advisory and mitigation steps to address the vulnerability. | NA | Final | 2014-May-16 |
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.