OpenSSL TLS Heartbeat Vulnerability


A. Summaryheartbleed
[Affected] OpenSSL 1.0.1 through 1.0.1f, OpenSSL 1.0.2-beta
[Overview] A vulnerability in OpenSSL could allow a remote adversary to expose sensitive data, up to 64K chunk in memory
[Impact] High

B. CVE/PoC Code
OpenSSL TLS Heartbeat Extension – Memory Disclosure

C. News and Articles
Millions of Android Devices Vulnerable to Heartbleed Bug
Heartbleed developer explains OpenSSL mistake that put Web at risk

D. Impact
The Heartbleed Hit List: The Passwords You Need to Change Right Now
The heartbleed-masstest results for TOP 1000 sites

E. How it works
Diagnosis of the OpenSSL Heartbleed Bug
How Heartbleed Works: The Code Behind the Internet’s Security Nightmare

F. Fixed/Update
Adding heartbeat extension bounds check

The following is the fixed part to check the validation from line 17-19 before memcpy(bp, pl, payload). (;a=blob_plain;f=ssl/d1_both.c)