CVE-2014-0160


CVSS 7.5 HIGH · EPSS 100.0% · KEV · CWE-125
In summary

The Heartbeat feature of OpenSSL has a flaw that lets attackers read sensitive data, such as private keys, directly from server memory by means of specially crafted requests. This is critical because it exposes private encryption keys that should never be shared.

Technical detail

The Heartbeat extension in OpenSSL 1.0.1 before 1.0.1g contains an out-of-bounds read (buffer over-read) vulnerability in the files d1_both.c and t1_lib.c. Remote attackers can trigger this over-read with crafted heartbeat packets, without authentication, allowing exfiltration of process memory, including private keys.

Summary generated and translated by AI from the official description.
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
n/a · n/a
Public PoCs found: 78
⚠ Public resources, for assessing the exposure of systems you control or are authorized to test. Test only with authorization.
