BF Specification of CVE-2014-0160 Heartbleed — Heap Buffer Over-Read in OpenSSL v1.0.1 before v1.0.1g
Missing verification of 'payload' against an upper limit leads to the use of an inconsistent size for an object, allowing a pointer to be repositioned beyond its bounds; when that pointer is used as the source in 'memcpy()', the result is a heap buffer over-read. If exploited, this can lead to exposure of sensitive information (IEX) – Confidentiality Loss.
Missing Code (in dtls1_process_heartbeat(SSL *s) and tls1_process_heartbeat(SSL *s)) to Verify (length) of Transferred data (via network) using Range mechanism (1 + 2 + 16 <= s->s3->rrec.length; 1 + 2 + payload + 16 <= s->s3->rrec.length) in Third-Party source code (ssl/d1_both.c#L1462, ssl/t1_lib.c#L2591) in Local execution space leads to Inconsistent Value (payload) error, which propagates to
Wrong Size (in memcpy(bp, pl, payload)) to Reposition (pointer) on Heap with Used size (read from s->s3->rrec.data) using Sequential mechanism in Third-Party source code (ssl/d1_both.c#L1487, ssl/t1_lib.c#L2620) in Userland execution space that results in Over Bounds Pointer (pl) error, which propagates to
Over Bounds Pointer (in memcpy(bp, pl, payload)) to Read (object) Huge address span (up to 64 KB per request, since 'payload' is a 16-bit field) on Heap with Used size using Sequential mechanism in Third-Party source code (ssl/d1_both.c#L1487, ssl/t1_lib.c#L2620) in Userland execution space that results in Buffer Over-Read (pl) final error, which can be exploited toward
Information Exposure (IEX) (Confidentiality Loss) security failure.
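The chain above, modelled in a self-contained C example that is added here and is not OpenSSL's code. It reproduces the pre-1.0.1g heartbeat logic (type byte, big-endian 'payload' length via an n2s() stand-in, memcpy of 'payload' bytes from 'pl') beside the 1.0.1g logic with the two Range checks, and runs both against a constructed request whose length field lies. The received record is placed at the front of a larger arena filled with a constructed 'S' byte so that the over-read stays inside allocated memory and can be measured; in a real process the bytes past the record are whatever neighbouring heap data happens to be there. 'struct rrec', 'HB_PADDING', the arena size and the "ping" request body are assumptions of this model, not OpenSSL identifiers.

```c
/* Added example, not OpenSSL's code: model of the Heartbeat over-read and its fix.
 * The record sits at the front of an arena of constructed 'S' bytes so the
 * over-read is measurable and stays within allocated memory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16                          /* RFC 6520 minimum padding */
#define ARENA_SIZE       (1 + 2 + 65535 + HB_PADDING) /* room for the largest response */

/* Stand-in for s->s3->rrec: the received record's bytes and its real length. */
struct rrec {
    unsigned char *data;
    unsigned int length;
};

/* OpenSSL's n2s(): read a big-endian uint16 and advance the cursor. */
static unsigned int n2s(unsigned char **p) {
    unsigned int v = ((unsigned int)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    return v;
}

/* Response: type, 2-byte length, 'payload' bytes copied from 'pl', padding. */
static size_t build_response(unsigned char *out, unsigned char *pl, unsigned int payload) {
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);          /* over-read: 'pl' runs past the record if 'payload' lies */
    bp += payload;
    memset(bp, 0, HB_PADDING);        /* OpenSSL fills this with RAND_pseudo_bytes() */
    return (size_t)(bp + HB_PADDING - out);
}

/* Pre-1.0.1g logic: 'payload' is never compared against rec->length. */
size_t heartbeat_vulnerable(const struct rrec *rec, unsigned char *out, size_t out_cap) {
    unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(&p);   /* attacker-controlled, up to 65535 */
    unsigned char *pl = p;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    /* Demo-only guard on the destination; OpenSSL mallocs exactly this size. */
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return 0;
    return build_response(out, pl, payload);
}

/* 1.0.1g logic: the two Range checks from the fix; failures are silently discarded. */
size_t heartbeat_fixed(const struct rrec *rec, unsigned char *out, size_t out_cap) {
    unsigned char *p = rec->data;
    if (1 + 2 + 16 > rec->length) return 0;        /* too short for header + padding */
    unsigned char hbtype = *p++;
    unsigned int payload = n2s(&p);
    unsigned char *pl = p;
    if (1 + 2 + payload + 16 > rec->length) return 0; /* claims more than was received */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    if ((size_t)1 + 2 + payload + HB_PADDING > out_cap) return 0;
    return build_response(out, pl, payload);
}

struct hb_result { size_t resp_len; size_t leaked; };

/* Build a 23-byte request ("ping" + padding) whose length field claims 'claimed'
 * bytes, run it through 'hb', and count response bytes that came from beyond the
 * record (the constructed 'S' fill standing in for neighbouring heap data). */
struct hb_result run_heartbeat(size_t (*hb)(const struct rrec *, unsigned char *, size_t),
                               unsigned int claimed) {
    struct hb_result r = { 0, 0 };
    unsigned char *arena = malloc(ARENA_SIZE), *out = malloc(ARENA_SIZE);
    if (!arena || !out) { free(arena); free(out); return r; }
    memset(arena, 'S', ARENA_SIZE);                 /* constructed "secret" heap contents */
    const unsigned int real_len = 4;
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    memcpy(arena + 3, "ping", real_len);
    memset(arena + 3 + real_len, 0, HB_PADDING);    /* the request's own padding */
    struct rrec rec = { arena, 1 + 2 + real_len + HB_PADDING };

    r.resp_len = hb(&rec, out, ARENA_SIZE);
    for (size_t i = rec.length; r.resp_len > 0 && i < (size_t)3 + claimed; i++)
        if (out[i] == 'S') r.leaked++;
    free(arena);
    free(out);
    return r;
}

int main(void) {
    struct hb_result v = run_heartbeat(heartbeat_vulnerable, 0x4000);
    struct hb_result f = run_heartbeat(heartbeat_fixed, 0x4000);
    printf("vulnerable: response %zu bytes, %zu leaked\n", v.resp_len, v.leaked);
    printf("fixed:      response %zu bytes, %zu leaked\n", f.resp_len, f.leaked);
    return 0;
}
```

With a claimed length of 0x4000 the vulnerable path returns a 16403-byte response of which 16364 bytes lie beyond the 23-byte record; the fixed path discards the request, and a truthful request (claimed length 4) still gets its 23-byte response from both versions.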
| vendor:product: openssl:openssl | Bug Report | Code with Bug | Code with Fix | NVD Entry |
| Class | Definition |
|---|---|
| DVR | Data Verification (DVR) class – Data are verified (semantics check) or corrected (assign, remove) improperly. |
| MAD | Memory Addressing (MAD) class – The pointer to an object is initialized, repositioned, or reassigned to an improper memory address. |
| MUS | Memory Use (MUS) class – An object is initialized, read, written, or cleared improperly. |
| Operation | Definition |
|---|---|
| Verify | Verify operation – Check data semantics (proper value/meaning) in order to accept (and possibly correct) or reject it. |
| Reposition | Reposition operation – Change the pointer to another position inside its object. |
| Read | Read operation – Use the value of an object's data. |
| Cause/Consequence | Definition |
|---|---|
| Code Defect Bug | Code Defect bug type operation – The operation has a bug, which is the first cause for the chain of weaknesses underlying a software security vulnerability. The bug must be fixed to resolve the vulnerability. |
| Missing Code | Missing Code bug – The entire operation implementation or a part of its specification is absent. |
| Data Error/Fault | Data fault/error type – The object data has harmed semantics or an inconsistent or wrong value. |
| Inconsistent Value | Inconsistent Value fault/error – Data value does not correspond to the value of related data (e.g., inconsistency between the value of a size variable and the actual buffer size). |
| Wrong Size | Wrong Size fault/error – The value used as size does not match the actual size of the object. |
| Address Error/Fault | Address fault/error type – The object address in use is wrong. |
| Over Bounds Pointer | Over Bounds Pointer fault/error – Points above the upper boundary of its object. |
| Memory Corruption/Disclosure Final Error | Memory Corruption/Disclosure exploitable error type – An exploitable or undefined system behavior caused by memory addressing, allocation, use, and deallocation bugs. |
| Buffer Over-Read | Buffer Over-Read exploitable error – Reads above the upper bound of an object. |
| Operation Attribute | Definition |
|---|---|
| Mechanism | Mechanism operation attribute type – Shows how the buggy/faulty operation code is performed. |
| Range | Range operation attribute – Checking that data are within a (min, max) interval. |
| Sequential | Sequential operation attribute – The operation is performed after iterating over the object elements. |
| Source Code | Source Code operation attribute type – Shows where the buggy/faulty operation code is in the program, i.e., in what kind of software. |
| Third-Party | Third-Party operation attribute – The operation is in third-party software. |
| Execution Space | Execution Space operation attribute type – Shows where the buggy/faulty operation code is running, or with what privilege level. |
| Local | Local operation attribute – The bugged code runs under an access control policy with limited (local user) permissions. |
| Userland | Userland operation attribute – The bugged code runs in an environment with privilege levels, but in unprivileged mode (e.g., ring 3 on the x86 architecture). |
| Operand Attribute | Definition |
|---|---|
| Data State | State operand attribute type – Shows where the data come from. |
| Transferred | Transferred operand attribute – The data are from another device via a network (e.g., from a connected analog device or another computer). |
| Address State | State operand attribute type – Shows where the address is in the memory layout. |
| Heap | Heap operand attribute – The object is a dynamically allocated data structure (e.g., via malloc() or new). |
| Size Kind | Kind operand attribute type – Shows what the limit for traversal of the object is. |
| Used | Used operand attribute – A supplied size for an object. |