CVE-2014-0160
Published: 07 April 2014
Summary
CVE-2014-0160 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Mitel MiCollab. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 0.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2014-0160 is a buffer over-read (CWE-125) in the TLS and DTLS implementations of OpenSSL versions 1.0.1 through 1.0.1f. It stems from improper handling of Heartbeat Extension packets in the files d1_both.c and t1_lib.c: the code does not validate the length of incoming packets before reading from process memory.
Remote attackers with network access can exploit the flaw by sending specially crafted Heartbeat requests, triggering an out-of-bounds read that discloses up to 64 KB of sensitive data such as private keys, session cookies, or other process memory contents. The attack requires no authentication and can be repeated to increase the volume of leaked data, as reflected in the CVSS 7.5 score emphasizing high confidentiality impact without affecting integrity or availability.
Advisories and patches referenced in the provided URLs, including the OpenSSL git commit 96db9023b881d7cd9f379b0c154650d6c108e9a3, indicate that the issue is resolved by upgrading to OpenSSL 1.0.1g, with distribution-specific guidance such as MGASA-2014-0165 recommending immediate updates to the patched package.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2014-0217
Vulnerability details
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
- CWE(s)
- KEV Date Added: 04 May 2022
Mitigating Controls (NIST 800-53 r5)
Directly requires timely identification and installation of the OpenSSL 1.0.1g patch that eliminates the Heartbeat buffer over-read.
Mandates validation of incoming Heartbeat Extension packet lengths, exactly the missing check in d1_both.c and t1_lib.c that enables the over-read.
Requires memory-protection mechanisms that can limit the impact of out-of-bounds reads on sensitive process memory such as private keys.