Upload File

the heartbleed bug: openssl heartbeat vulnerability security advisory

  • Home
  • Technology
  • The Heartbleed Bug: OpenSSL Heartbeat Vulnerability Security Advisory
2
Security Advisory: OpenSSL Heartbeat vulnerability CVE- 2014-0160 Date: April 9, 2014 Page - 1 - Security Advisory: Vulnerability OpenSSL CVE-2014-0160 Vulnerability description The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over- read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug. More details can be found at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 Vulnerability exposure The impact of the vulnerability depends on the actual OpenSSL version in use. Radware investigated and can report that: The following products are not vulnerable to CVE-2014-0160: o Products that do not use the vulnerable OpenSSL versions for any purpose (SSL offloading or management) and in any product platform or version. Alteon Application Switch AppDirector DefensePro LinkProof CID AppXcel APSolute Vision APSolute Insite ManagePro vDirect SIP Director o Inflight

Upload: radware

Post on 20-Aug-2015

402 views

Category:

Technology


0 download

Report

TRANSCRIPT

Page 1: The Heartbleed Bug: OpenSSL Heartbeat Vulnerability Security Advisory

Security Advisory: OpenSSL Heartbeat vulnerability CVE-

2014-0160 Date: April 9, 2014

Page - 1 -

Security Advisory: Vulnerability OpenSSL CVE-2014-0160

Vulnerability description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

More details can be found at:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Vulnerability exposure

The impact of the vulnerability depends on the actual OpenSSL version in use.

Radware investigated and can report that:

The following products are not vulnerable to CVE-2014-0160:

o Products that do not use the vulnerable OpenSSL versions for any purpose (SSL offloading or management) and in any product platform or version.

Alteon Application Switch

AppDirector

DefensePro

LinkProof

CID

AppXcel

APSolute Vision

APSolute Insite ManagePro

vDirect

SIP Director

o Inflight

https://blog.torproject.org/blog/openssl-bug-cve-2014-0160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Page 2: The Heartbleed Bug: OpenSSL Heartbeat Vulnerability Security Advisory

Security Advisory: OpenSSL Heartbeat vulnerability CVE-

2014-0160 Date: April 9, 2014

Page - 2 -

Latest Inflight version, 4.3.0 uses OpenSSL 1.0.1f, but only its decryption routines such as RSA and RC4. Inflight performs only passive capture, thus it does not use any of OpenSSL’s connection establishment or TLS heartbeat routines so it is not vulnerable to this problem.

Management and feeds are Java based and not vulnerable

The following products were found to be exposed to the vulnerability:

o FastView version 5.0 and up - A fix is already available. Please contact Radware Technical Support for more details. The software package will be available on Radware’s Customer Portal in a few days.

Older versions are not vulnerable.

o AppWall version 5.7 and up – Version 5.8.2 that fixes this issue is already available.

Older versions are not vulnerable.

For any additional questions in regards to this statement, please approach Radware Support.

For details on the supported Open SSL versions per product please see Radware Knowledgebase Article 2390.

http://kb.radware.com/questions/2390/
http://kb.radware.com/questions/2390/

UEFI Firmware - Security Best Practices · Even widely-accepted “safe” code can be found vulnerable OpenSSL 1.0.1 through 1.0.1f (Heartbleed) Systems rarely use the most current

Heartbleed TLS Heartbeat Protocol...• Failure of the OpenSSL library to validate the heartbeat packet length field (as compared to the size of the actual message). • Heartbeat

Heartbleed Debugged – OpenSSL & CVE-2014-0160 · 2017. 10. 12. · RSA, DSA, Diffie–Hellman Schlüsseltausch, Elliptic curve, GOST R 34.10-2001 minimale Certificate Authority

Analyse von IT Sicherheitsproblemenubicomp/projekte/master2015... · [9] Hao et al., 2014, OpenSSL HeartBleed: Security Management of Implements of Basic Protocols, P2P, Parallel,

HEARTBLEED ATTACK

SSL/TLS : Faille Heartbleed

Reverse heartbleed

Open ssl heartbleed

Jean-François (Jeff) AUDENARD – CyberSecurity Advisor – Orange Business Services faille OpenSSL Heartbleed 8es Rencontres de l’ARCSI Toulouse 13 Juin 2014

Trend Micro GO BEYOND NEXT-GEN IPS WITH XGEN...Page 1 of 4 • SOLUTION BRIEF • GO BEYOND NEXT-GEN IPS WITH XGEN Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic

faille OpenSSL Heartbleed

Analysis of SSL Certificate Reissues and Revocations in the ...tdumitra/papers/IMC-2014.pdf · iment. In mid-April 2014, an OpenSSL security vulnera-bility, Heartbleed, made it possible

The Heartbleed Hit List

Programming with OpenSSL and libcrypto in examplessyrinx/presentations/openssl/OpenSSL... · Programming with OpenSSL and libcrypto in examples BurgasLab, Burgas April, 2014 Shteryana

image: Marsmettnn Tallahassee Heartbleed & staying …findhorn.cc/wp-content/uploads/2014/11/WPFH-security-heartbleed... · Heartbleed & staying secure online ... April 2014, by Mark

The Bad-Attitude Guide to Computer Security · Security holes in Mosh’s lifetime TLS: I goto fail (Secure Transport) I GnuTLS verify (GnuTLS) I Heartbleed (OpenSSL) I Lucky Thirteen

Sullivan heartbleed-defcon22 2014

PHP Credits Configuration - · PDF filemysqli.max_links Unlimited Unlimited mysqli.reconnect Off Off openssl OpenSSL support enabled OpenSSL Version OpenSSL 0.9.8e-fips-rhel5 01 Jul

Torturing OpenSSL

Cryptsoft , OpenSSL Team OpenSSL after HeartBleed · SESSION ID: #RSAC Rich Salz. OpenSSL after HeartBleed. PDAC-T10R. Akamai Technologies, OpenSSL Team. Tim Hudson. Cryptsoft , OpenSSL

ΕΠΛ 682: Προχωρημένα Θέματα Ασυάλειας · HEARTBLEED TIMELINE 21 /03 Neel Mehta of Google discovers Heartbleed 21/03 Google patches OpenSSL on their servers

HeartBleed - Vysoké učení technické v Brněbuslab.fit.vutbr.cz/.../2015/stud_prezentace/HeartBleed.pdfCVE-2014-0160 HEARTBLEED BUG [1] Heartbleed bug bola chyba v kryptovacej kižici

The Heartbleed Bug

OpenSSL Security Fix in This Release - Polycom · 4.0.2.2 April 2014 Correction for the Heartbleed OpenSSL Security Vulnerability in third-party software. 4.0.2 March 2013 Adds support

AT&T Heartbleed Response (OpenSSL Brief) Adam Jones - CISM, CGEIT, CISSP, 6 σ GB ITO Global Infrastructure Operations July 24, 2014 © 2014 AT&T Intellectual

The Heartbleed Bug A vulnerability in the OpenSSL Cryptographic Library

Detection of Heartbleed at CESNET Using Extended Flow Data · 2014. 7. 10. · Detection module •Receives record with heartbeat data •Uses 4 heuristics to detect Heartbleed attack:

Changes openssl

Tomcat openssl

Heartbleed Nedir?

Report on Heartbleed

ANALISIS KEAMANAN ATAS SERANGAN HEARTBLEED …eprints.ums.ac.id/36045/1/Publikasi.pdfKeywords: Android, Client, Heartbleed, Heartbleed Detector, Heartbleed Scanner, Heartbleed Script,

OpenSSL after HeartBleed• 11/08/13: added new OE: Linux 3.4 64-bit under Citrix XenServer running on Intel Xeon E5-2430L (x86) without AES-NI (gcc Compiler Version 4.8.0); Linux

DrupalGov2014 Heartbleed

Heartbleed Bug Infographic