Heartbleed

Heartbleed (infobox)
Logo representing Heartbleed. Awareness and media coverage of Heartbleed was unusually high for a software bug.[1][2]
CVE identifier(s): CVE-2014-0160
CVSS score: Base 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Released: 1 February 2012 (2012-02-01)
Date discovered: 1 April 2014 (2014-04-01)
Date patched: 7 April 2014 (2014-04-07)
Discoverer:
Affected software: OpenSSL (1.0.1)
Website: heartbleed.com

Heartbleed is a security bug in some outdated versions of the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed could be exploited regardless of whether the vulnerable OpenSSL instance was running as a TLS server or as a TLS client. It resulted from improper input validation (a missing bounds check) in the implementation of the TLS heartbeat extension:[5] the length a peer declared for its heartbeat payload was trusted without being compared against the length of the record actually received. The bug's name derives from that heartbeat extension.[6] The vulnerability was classified as a buffer over-read,[7] a situation in which more data can be read than should be allowed.[8]
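The following C program, added here as an illustration and not taken from OpenSSL's source, shows the kind of bounds check whose absence is described above. It parses a heartbeat record in the RFC 6520 layout (one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding) and builds the echo response only when the declared payload length fits inside the bytes that were actually received. The two sample records are constructed for the example; the function and helper names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte payload_length, payload,
 * then at least 16 bytes of padding. The peer echoes the payload back in a
 * HeartbeatResponse of the same length. */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_PADDING_MIN  16

/* Validate a received heartbeat record and, if it is well-formed, write the
 * response into out. Returns the response length, or 0 if the record is
 * rejected. Rejecting is the only safe outcome for a record whose declared
 * payload_length exceeds the number of bytes actually received. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    /* Too short to hold even a zero-length payload plus minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_PADDING_MIN)
        return 0;
    if (rec[0] != HB_REQUEST)
        return 0;

    /* payload_length comes straight from the peer-controlled record. */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* This is the bounds check the vulnerable versions lacked: the declared
     * length must fit inside the record that was actually received. Without
     * it, the memcpy below would read past the end of rec into whatever
     * process memory happens to follow it. */
    if ((size_t)HB_HEADER_LEN + payload_len + HB_PADDING_MIN > rec_len)
        return 0;

    size_t resp_len = (size_t)HB_HEADER_LEN + payload_len + HB_PADDING_MIN;
    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    /* Real implementations fill padding with random bytes; zeros suffice here. */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_MIN);
    return resp_len;
}

/* Constructed sample records (not captured traffic). Each helper writes a
 * 24-byte record into buf (at least 32 bytes) and returns its length. */
size_t make_benign_record(uint8_t *buf)
{
    buf[0] = HB_REQUEST;
    buf[1] = 0x00; buf[2] = 0x05;               /* declares 5 bytes: matches */
    memcpy(buf + HB_HEADER_LEN, "hello", 5);
    memset(buf + HB_HEADER_LEN + 5, 0xAA, HB_PADDING_MIN);
    return HB_HEADER_LEN + 5 + HB_PADDING_MIN;  /* 24 */
}

size_t make_malformed_record(uint8_t *buf)
{
    buf[0] = HB_REQUEST;
    buf[1] = 0x40; buf[2] = 0x00;               /* declares 16384 bytes, carries 5 */
    memcpy(buf + HB_HEADER_LEN, "hello", 5);
    memset(buf + HB_HEADER_LEN + 5, 0xAA, HB_PADDING_MIN);
    return HB_HEADER_LEN + 5 + HB_PADDING_MIN;  /* still only 24 bytes on the wire */
}

/* Wrappers so the outcome of each case can be checked by return value. */
size_t benign_response_len(void)
{
    uint8_t rec[32], out[64];
    size_t n = make_benign_record(rec);
    return hb_build_response(rec, n, out, sizeof out);
}

int benign_response_echoes_payload(void)
{
    uint8_t rec[32], out[64];
    size_t n = make_benign_record(rec);
    size_t r = hb_build_response(rec, n, out, sizeof out);
    return r == 24 && out[0] == HB_RESPONSE
        && memcmp(out + HB_HEADER_LEN, "hello", 5) == 0;
}

size_t malformed_response_len(void)
{
    uint8_t rec[32], out[64];
    size_t n = make_malformed_record(rec);
    return hb_build_response(rec, n, out, sizeof out);
}

int main(void)
{
    printf("benign record    -> response of %zu bytes\n", benign_response_len());
    printf("malformed record -> response of %zu bytes (0 = rejected)\n",
           malformed_response_len());
    return 0;
}
```

The benign record yields a 24-byte response echoing "hello"; the malformed record, which declares a 16 KiB payload while carrying 5 bytes, is rejected outright. Silently discarding such records (rather than responding with an error) is also what the fixed OpenSSL does, since a malformed heartbeat is not something a well-behaved peer ever sends.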

Heartbleed was registered in the Common Vulnerabilities and Exposures database as CVE-2014-0160.[7] The federal Canadian Cyber Incident Response Centre issued a security bulletin advising system administrators about the bug.[9] A fixed version of OpenSSL was released on 7 April 2014, on the same day Heartbleed was publicly disclosed.[10]

TLS implementations other than OpenSSL, such as GnuTLS, Mozilla's Network Security Services, and the Windows platform implementation of TLS, were not affected, because the defect lay in OpenSSL's implementation of the heartbeat extension rather than in the protocol itself.[11]

System administrators were frequently slow to patch their systems. As of 20 May 2014, 1.5% of the 800,000 most popular TLS-enabled websites were still vulnerable to the bug,[12] and by 21 June 2014, 309,197 public web servers remained vulnerable.[13] According to a 23 January 2017 report[14] from Shodan, nearly 180,000 internet-connected devices were still vulnerable to the bug,[15][16] but by 6 July 2017 the number had dropped to 144,000 according to a search performed on shodan.io for the vulnerability.[17] Around two years later, on 11 July 2019, Shodan reported[18] that 91,063 devices were vulnerable. The U.S. had the most vulnerable devices, with 21,258 (23%), and the 10 countries with the most vulnerable devices accounted for 56,537 devices (62%); the remaining countries totaled 34,526 devices (38%). The report also broke the devices down by 10 other categories, such as organization (the top 3 were wireless companies), product (Apache httpd, Nginx), and service (HTTPS, 81%).

  1. ^ McKenzie, Patrick (9 April 2014). "What Heartbleed Can Teach The OSS Community About Marketing". Kalzumeus. Archived from the original on 20 December 2017. Retrieved 8 February 2018.
  2. ^ Biggs, John (9 April 2014). "Heartbleed, The First Security Bug With A Cool Logo". TechCrunch. Archived from the original on 11 February 2018. Retrieved 8 February 2018.
  3. ^ a b [named reference "hb"; its definition is not included in this extract]
  4. ^ Pitkänen, Perttu (9 April 2014). "Näin suomalaistutkijat löysivät vakavan vuodon internetin sydämestä" [This is how Finnish researchers discovered a serious leak in the heart of the internet]. Ilta-Sanomat (in Finnish). Retrieved 11 October 2023.
  5. ^ "Security Advisory – OpenSSL Heartbleed Vulnerability". Cyberoam. 11 April 2014. Archived from the original on 8 February 2018. Retrieved 8 February 2018.
  6. ^ Limer, Eric (9 April 2014). "How Heartbleed Works: The Code Behind the Internet's Security Nightmare". Gizmodo. Archived from the original on 11 November 2014. Retrieved 24 November 2014.
  7. ^ a b "CVE-2014-0160". Common Vulnerabilities and Exposures. Mitre. Archived from the original on 24 January 2018. Retrieved 8 February 2018.
  8. ^ "CWE-126: Buffer Over-read (3.0)". Common Vulnerabilities and Exposures. Mitre. 18 January 2018. Archived from the original on 8 February 2018. Retrieved 8 February 2018.
  9. ^ "AL14-005: OpenSSL Heartbleed Vulnerability". Cyber Security Bulletins. Public Safety Canada. 11 April 2014. Archived from the original on 8 February 2018. Retrieved 8 February 2018.
  10. ^ "Add heartbeat extension bounds check". git.openssl.org. OpenSSL. Retrieved 5 March 2019.
  11. ^ Pretorius, Tracey (10 April 2014). "Microsoft Services unaffected by OpenSSL "Heartbleed" vulnerability". Microsoft. Archived from the original on 8 February 2018. Retrieved 8 February 2018.
  12. ^ Leyden, John (20 May 2014). "AVG on Heartbleed: It's dangerous to go alone. Take this (an AVG tool)". The Register. Archived from the original on 23 January 2018. Retrieved 8 February 2018.
  13. ^ [named reference "Graham-2014-06-21"; its definition is not included in this extract]
  14. ^ [named reference "Shodan-report-DCPO7BkV"; its definition is not included in this extract]
  15. ^ [named reference "Schwartz-2017-01-30"; its definition is not included in this extract]
  16. ^ [named reference "MacVittie-2017-02-02"; its definition is not included in this extract]
  17. ^ [named reference "Carey-2017-07-10"; its definition is not included in this extract]
  18. ^ Shodan (11 July 2019). "[2019] Heartbleed Report". Shodan. Archived from the original on 11 July 2019. Retrieved 11 July 2019.