Strix
26.1K

CVE-2014-0160

HIGHCVSS 7.5/10Actively ExploitedEPSS 100.00%

Last modified

CVE-2014-0160 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.. CISA has confirmed active exploitation in the wild. EPSS estimates a 100.00% chance of exploitation in the next 30 days.

Description

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
100.00%

100.0th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .

Weakness Enumeration

Affected Software

VendorProductVersions
OpensslOpenssl>= 1.0.1, < 1.0.1g
Filezilla-ProjectFilezilla Server< 0.9.44
SiemensApplication Processing Engine Firmware2.0
SiemensCp 1543-1 Firmware1.1
SiemensSimatic S7-1500 Firmware1.5
SiemensSimatic S7-1500t Firmware1.5
SiemensElan-8.2< 8.3.3
SiemensWincc Open Architecture3.12
IntellianV100 Firmware1.20
IntellianV100 Firmware1.21
IntellianV100 Firmware1.24
IntellianV60 Firmware1.15
IntellianV60 Firmware1.25
MitelMicollab6.0
MitelMicollab7.0
MitelMicollab7.1
MitelMicollab7.2
MitelMicollab7.3
MitelMicollab7.3.0.104
MitelMivoice1.1.2.5
MitelMivoice1.1.3.3
MitelMivoice1.2.0.11
MitelMivoice1.3.2.2
MitelMivoice1.4.0.102
OpensuseOpensuse12.3
OpensuseOpensuse13.1
CanonicalUbuntu Linux12.04
CanonicalUbuntu Linux12.10
CanonicalUbuntu Linux13.10
FedoraprojectFedora19
FedoraprojectFedora20
RedhatGluster Storage2.1
RedhatStorage2.1
RedhatVirtualization6.0
RedhatEnterprise Linux Desktop6.0
RedhatEnterprise Linux Server6.0
RedhatEnterprise Linux Server Aus6.5
RedhatEnterprise Linux Server Eus6.5
RedhatEnterprise Linux Server Tus6.5
RedhatEnterprise Linux Workstation6.0
DebianDebian Linux6.0
DebianDebian Linux7.0
DebianDebian Linux8.0
RiconS9922l Firmware16.10.3\(3794\)
BroadcomSymantec Messaging Gateway10.6.0
BroadcomSymantec Messaging Gateway10.6.1
SplunkSplunk>= 6.0.0, < 6.0.3

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2014-0160?
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
How severe is CVE-2014-0160?
CVE-2014-0160 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 100.00% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.
How do I fix CVE-2014-0160?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-0160?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST