Critical: OpenSSL Heartbleed Vulnerability

CVE ID: CVE-2014-0160
Exploitation status: Weaponized
Patch status: Official patch
Disclosure date: 2014-04-08

Vulnerability description
OpenSSL is an open-source SSL implementation used to provide strong encryption for network communications. OpenSSL's handling of the TLS and DTLS Heartbeat extension contains an out-of-bounds memory read that discloses memory contents. Because the program fails to handle Heartbeat extension packets correctly, a remote attacker can send a crafted packet and read sensitive information from the server's memory (such as usernames, passwords, cookies and private keys). Only OpenSSL 1.0.1 and 1.0.2-beta are affected, including versions 1.0.1f and 1.0.2-beta1.

Remediation advice
Users can consult the following vendor-provided security advisory for patch information: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

Affected software
Runs in the following environments:

Type | Vendor | Product | Version | Affected range
---|---|---|---|---
Application | filezilla-project | filezilla_server | * | Up to (excluding) 0.9.44
Application | mitel | micollab | 6.0 | -
Application | mitel | micollab | 7.0 | -
Application | mitel | micollab | 7.1 | -
Application | mitel | micollab | 7.2 | -
Application | mitel | micollab | 7.3 | -
Application | mitel | micollab | 7.3.0.104 | -
Application | mitel | mivoice | 1.1.2.5 | -
Application | mitel | mivoice | 1.1.3.3 | -
Application | mitel | mivoice | 1.2.0.11 | -
Application | mitel | mivoice | 1.3.2.2 | -
Application | mitel | mivoice | 1.4.0.102 | -
Application | openssl | openssl | * | From (including) 1.0.1 up to (excluding) 1.0.1g
Application | redhat | gluster_storage | 2.1 | -
Application | redhat | storage | 2.1 | -
Application | siemens | elan-8.2 | * | Up to (excluding) 8.3.3
Application | siemens | wincc_open_architecture | 3.12 | -
System | debian | DPKG | * | Up to (excluding) 1.0.1g-1
System | redhat_6 | openssl | * | Up to (excluding) 0:1.0.1e-16.el6_5.7
System | suse_12 | libopenssl1_0_0 | * | Up to (excluding) 1.0.1i-2
System | ubuntu_12.04.5_lts | openssl | * | Up to (excluding) 1.0.1-4ubuntu5.12
- Attack vector: Remote
- Attack complexity: Easy
- Privileges required: None
- Scope of impact: Global
- Exploit maturity: Weaponized
- Patch status: Official patch
- Data confidentiality: Data leakage
- Data integrity: Transmission compromised
- Server impact: Server compromise
- Internet-wide exposure count: 10000
CWE-ID | Vulnerability type
---|---
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-125 | Out-of-bounds Read
Exploit-related links
- https://github.com/0x90/CVE-2014-0160
- https://github.com/a0726h77/heartbleed-test
- https://github.com/amerine/coronary
- https://github.com/artofscripting/cmty-ssl-heartbleed-CVE-2014-0160-HTTP-HTTPS
- https://github.com/caiqiqi/OpenSSL-HeartBleed-CVE-2014-0160-PoC
- https://github.com/cheese-hub/heartbleed
- https://github.com/cldme/heartbleed-bug
- https://github.com/cved-sources/cve-2014-0160
- https://github.com/cyphar/heartthreader
- https://github.com/DisK0nn3cT/MaltegoHeartbleed
- https://github.com/DominikTo/bleed
- https://github.com/einaros/heartbleed-tools
- https://github.com/fb1h2s/CVE-2014-0160
- https://github.com/FiloSottile/Heartbleed
- https://github.com/GeeksXtreme/ssl-heartbleed.nse
- https://github.com/GitMirar/heartbleed_exploit
- https://github.com/GuillermoEscobero/heartbleed
- https://github.com/hack3r-0m/heartbleed_fix_updated
- https://github.com/hmlio/vaas-cve-2014-0160
- https://github.com/hreese/heartbleed-dtls
- https://github.com/hybridus/heartbleedscanner
- https://github.com/ice-security88/CVE-2014-0160
- https://github.com/idkqh7/heatbleeding
- https://github.com/indiw0rm/-Heartbleed-
- https://github.com/ingochris/heartpatch.us
- https://github.com/iSCInc/heartbleed
- https://github.com/isgroup-srl/openmagic
- https://github.com/jdauphant/patch-openssl-CVE-2014-0160
- https://github.com/Lekensteyn/pacemaker
- https://github.com/marstornado/cve-2014-0160-Yunfeng-Jiang
- https://github.com/menrcom/CVE-2014-160
- https://github.com/mozilla-services/Heartbleed
- https://github.com/mpgn/heartbleed-PoC
- https://github.com/musalbas/heartbleed-masstest
- https://github.com/nyc-tophile/A2SV--SSL-VUL-Scan
- https://github.com/nyctophile6/A2SV--SSL-VUL-Scan
- https://github.com/obayesshelton/CVE-2014-0160-Scanner
- https://github.com/OffensivePython/HeartLeak
- https://github.com/proactiveRISK/heartbleed-extention
- https://github.com/roganartu/heartbleedchecker-chrome
- https://github.com/rouze-d/heartbleed
- https://github.com/sammyfung/openssl-heartbleed-fix
- https://github.com/Saymeis/HeartBleed
- https://github.com/sensepost/heartbleed-poc
- https://github.com/siddolo/knockbleed
- https://github.com/takeshixx/ssl-heartbleed.nse
- https://github.com/ThanHuuTuan/Heartexploit
- https://github.com/titanous/heartbleeder
- https://github.com/vortextube/ssl_scanner
- https://github.com/vulhub/vulhub/tree/master/openssl/heartbleed
- https://github.com/waqasjamal-zz/HeartBleed-Vulnerability-Checker
- https://github.com/WildfootW/CVE-2014-0160_OpenSSL_1.0.1f_Heartbleed
- https://github.com/wwwiretap/bleeding_onions
- https://github.com/xanas/heartbleed.py
- https://github.com/xlucas/heartbleed
- https://github.com/Xyl2k/CVE-2014-0160-Chrome-Plugin
- https://github.com/yryz/heartbleed.js
- https://github.com/zouguangxian/heartbleed
- https://gitlab.com/Acidburn0zzz/Heartbleed
- https://gitlab.com/fihlatv/Heartbleed
- https://gitlab.com/kevintvh/Heartbleed
- https://gitlab.com/math4youbyusgroupillinois/Heartbleed
- https://gitlab.com/ret2eax/pacemaker
- https://gitlab.com/sika-forks/Heartbleed
- https://gitlab.com/sika-forks/heartbleed-masstest
- https://gitlab.com/zeroshirts/heartbleeder
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/server/openssl_heartbeat_client_memory.rb
- https://www.exploit-db.com/exploits/32745
- https://www.exploit-db.com/exploits/32764
- https://www.exploit-db.com/exploits/32791
- https://www.exploit-db.com/exploits/32998
