OpenSSL TLS Heartbeat Vulnerability

 

A. Summaryheartbleed
[Affected] OpenSSL 1.0.1 through 1.0.1f, OpenSSL 1.0.2-beta
[Overview] A vulnerability in OpenSSL could allow a remote adversary to expose sensitive data, up to 64K chunk in memory
[Impact] High

B. CVE/PoC Code
CVE-2014-0160
US CERT ALERTS
OpenSSL TLS Heartbeat Extension – Memory Disclosure

C. News and Articles
Millions of Android Devices Vulnerable to Heartbleed Bug
Heartbleed developer explains OpenSSL mistake that put Web at risk
xkcd

D. Impact
The Heartbleed Hit List: The Passwords You Need to Change Right Now
The heartbleed-masstest results for TOP 1000 sites

E. How it works
Diagnosis of the OpenSSL Heartbleed Bug
How Heartbleed Works: The Code Behind the Internet’s Security Nightmare

F. Fixed/Update
Adding heartbeat extension bounds check

The following is the fixed part to check the validation from line 17-19 before memcpy(bp, pl, payload). (http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=ssl/d1_both.c)

Leave a Reply

Your email address will not be published.