Ukraine-Russia Global Conflict


May 7, 2014 02:00 PM

Background

A critical vulnerability was recenty found in OpenSSL. Due to a missing bounds check in the handling of the TLS heartbeat extension, 64K of memory can be revealed to a connected client or server. Only OpenSSL versions 1.0.1-1.0.1f, 1.0.2-beta and 1.0.2- beta1 are affected.

Risk

A remote attacker can exploit the vulnerability by sending a malformed heartbeat request with a payload size bigger than the actual request; and in response, the vulnerable server would return a heartbeat response that contains a memory block of up to 64KB in the payload. This memory block may reveal potentially confidential information, including SSL certificate user passwords and more.

An attacker cannot control what memory block the server returns, but by performing multiple requests, some critical data might be leaked.

Additional Information

For additional information regarding the threat, read the full Threat Alert.

Download Now

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support

Get Social

Connect with experts and join the conversation about Radware technologies.

Radware Blog
Security Research Center