← back
CVE-2014-0160

CVE-2014-0160

CVSS 7.5 HIGHEPSS 100.0%● KEVCWE-125
In short

OpenSSL's Heartbeat feature has a flaw that lets attackers read sensitive data like private keys directly from server memory by sending specially crafted requests. This is critical because it exposes private encryption keys that should never be shared.

Technical detail

The Heartbeat Extension in OpenSSL 1.0.1 before 1.0.1g contains an out-of-bounds read vulnerability in the heartbeat response mechanism (d1_both.c, t1_lib.c). Remote attackers can trigger a buffer over-read via crafted heartbeat packets without authentication, allowing exfiltration of arbitrary process memory including private keys and other sensitive data.

Summary generated and translated by AI from the official description.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
public PoCs found78
githubgithub.com/FiloSottile/Heartbleed2390githubgithub.com/musalbas/heartbleed-masstest574githubgithub.com/titanous/heartbleeder452githubgithub.com/Lekensteyn/pacemaker330githubgithub.com/sensepost/heartbleed-poc170githubgithub.com/einaros/heartbleed-tools98githubgithub.com/mpgn/heartbleed-PoC85githubgithub.com/isgroup/openmagic40githubgithub.com/jdauphant/patch-openssl-CVE-2014-016019githubgithub.com/DisK0nn3cT/MaltegoHeartbleed18githubgithub.com/hmlio/vaas-cve-2014-016015githubgithub.com/OffensivePython/HeartLeak15githubgithub.com/hybridus/heartbleedscanner11githubgithub.com/0x90/CVE-2014-01608githubgithub.com/DominikTo/bleed7githubgithub.com/0xinf0/bleeding_onions6githubgithub.com/undacmic/heartbleed-proof-of-concept5githubgithub.com/anthophilee/A2SV--SSL-VUL-Scan5githubgithub.com/hreese/heartbleed-dtls5githubgithub.com/yryz/heartbleed.js4githubgithub.com/mozilla-services/Heartbleed3githubgithub.com/ingochris/heartpatch.us3githubgithub.com/cyphar/heartthreader2githubgithub.com/amerine/coronary2githubgithub.com/cheese-hub/heartbleed2githubgithub.com/GuillermoEscobero/heartbleed2githubgithub.com/zouguangxian/heartbleed2githubgithub.com/indrajeetmp11/Heartbleed-PoC-Exploit-Script2githubgithub.com/pblittle/aws-suture2githubgithub.com/GardeniaWhite/fuzzing2githubgithub.com/waqasjamal-zz/HeartBleed-Vulnerability-Checker2githubgithub.com/belmind/heartbleed1githubgithub.com/Xyl2k/CVE-2014-0160-Chrome-Plugin1githubgithub.com/Saymeis/HeartBleed1githubgithub.com/proactiveRISK/heartbleed-extention1githubgithub.com/xanas/heartbleed.py1githubgithub.com/sammyfung/openssl-heartbleed-fix1githubgithub.com/xlucas/heartbleed1githubgithub.com/vortextube/ssl_scanner1githubgithub.com/pierceoneill/bleeding-heart0githubgithub.com/obayesshelton/CVE-2014-0160-Scanner0githubgithub.com/fb1h2s/CVE-2014-01600githubgithub.com/takeshixx/ssl-heartbleed.nse0githubgithub.com/roganartu/heartbleedchecker-chrome0githubgithub.com/ice-security88/CVE-2014-01600githubgithub.com/siddolo/knockbleed0githubgithub.com/a0726h77/heartbleed-test0githubgithub.com/idkqh7/heatbleeding0githubgithub.com/GeeksXtreme/ssl-heartbleed.nse0githubgithub.com/indiw0rm/-Heartbleed-0githubgithub.com/iSCInc/heartbleed0githubgithub.com/marstornado/cve-2014-0160-Yunfeng-Jiang0githubgithub.com/froyo75/Heartbleed_Dockerfile_with_Nginx0githubgithub.com/caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC0githubgithub.com/cved-sources/cve-2014-01600githubgithub.com/artofscripting-zz/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS0githubgithub.com/tomdevman/heartbleed-bug0githubgithub.com/ThanHuuTuan/Heartexploit0githubgithub.com/rouze-d/heartbleed0githubgithub.com/WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed0githubgithub.com/h3x0v3rl0rd/CVE-2014-0160_Heartbleed0githubgithub.com/ArtemCyberLab/Project-Field-Analysis-and-Memory-Leak-Demonstration0githubgithub.com/SimoesCTT/CTT-HEARTBLEED-Temporal-Resonance-Memory-Leak-Exploit-Heartbleed-CVE-2014-01600githubgithub.com/22imer/CVE-2014-01600githubgithub.com/0xBlackash/CVE-2014-01600githubgithub.com/Ryo-Soikutsu/Heartbleed0githubgithub.com/victoriacfigueiredo/heartbleed-lab0githubgithub.com/cbk914/heartbleed-checker0githubgithub.com/MrE-Fog/CVE-2014-0160-Chrome-Plugin0githubgithub.com/timsonner/cve-2014-0160-heartbleed0githubgithub.com/yashfren/CVE-2014-0160-HeartBleed0githubgithub.com/Shayhha/HeartbleedAttack0exploitdbwww.exploit-db.com/exploits/32745unverifiedcve_referencewww.exploit-db.com/exploits/32764unverifiedexploitdbwww.exploit-db.com/exploits/32998unverifiedexploitdbwww.exploit-db.com/exploits/32764unverifiedcve_referencewww.exploit-db.com/exploits/32745unverifiedexploitdbwww.exploit-db.com/exploits/32791unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://advisories.mageia.org/MGASA-2014-0165.htmlhttp://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/http://cogentdatahub.com/ReleaseNotes.htmlhttp://download.schneider-electric.com/files?p_Doc_Ref=SEVD%202014-119-01http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=96db9023b881d7cd9f379b0c154650d6c108e9a3http://heartbleed.com/http://lists.fedoraproject.org/pipermail/package-announce/2014-April/131221.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2014-April/131291.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-04/msg00004.htmlhttp://lists.opensuse.org/opensuse-security-announce/2014-04/msg00005.htmlhttp://lists.opensuse.org/opensuse-updates/2014-04/msg00061.html