CVE-2014-0160 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2014-0160?

CVE-2014-0160 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-0160?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Filezilla-Project Filezilla Server, Siemens Application Processing Engine Firmware, Siemens Application Processing Engine, Siemens Cp 1543-1 Firmware.

Vulnerability Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Openssl	Openssl	>= 1.0.1, < 1.0.1g
Filezilla-Project	Filezilla Server	< 0.9.44
Siemens	Application Processing Engine Firmware	2.0
Siemens	Application Processing Engine	-
Siemens	Cp 1543-1 Firmware	1.1
Siemens	Cp 1543-1	-
Siemens	Simatic S7-1500 Firmware	1.5
Siemens	Simatic S7-1500	-
Siemens	Simatic S7-1500T Firmware	1.5
Siemens	Simatic S7-1500T	-
Siemens	Elan-8.2	< 8.3.3
Siemens	Wincc Open Architecture	3.12
Intellian	V100 Firmware	1.20
Intellian	V100	-
Intellian	V60 Firmware	1.15
Intellian	V60	-
Mitel	Micollab	6.0
Mitel	Mivoice	1.1.2.5
Opensuse	Opensuse	12.3
Canonical	Ubuntu Linux	12.04

Related Weaknesses (CWE)

CWE-125

References

http://advisories.mageia.org/MGASA-2014-0165.htmlThird Party Advisory
http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/Issue TrackingThird Party Advisory
http://cogentdatahub.com/ReleaseNotes.htmlRelease Notes
http://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01Broken Link
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f37Broken Link
http://heartbleed.com/Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.htmlBroken LinkThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.htmlBroken LinkThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.htmMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2014-04/msg00061.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=139722163017074&w=2Mailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=139757726426985&w=2Mailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=139757819327350&w=2Mailing ListThird Party Advisory

FAQ

What is CVE-2014-0160?

CVE-2014-0160 is a vulnerability with a CVSS score of 7.5 (HIGH). The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process m...

How severe is CVE-2014-0160?

CVE-2014-0160 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-0160?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Filezilla-Project Filezilla Server, Siemens Application Processing Engine Firmware, Siemens Application Processing Engine, Siemens Cp 1543-1 Firmware.