Debian DSA-2896-1 : openssl - security update
high Nessus Plugin ID 73388
Language:
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
The remote Debian host is missing a security-related update.Description
A vulnerability has been discovered in OpenSSL's support for the TLS/DTLS Heartbeat extension. Up to 64KB of memory from either client or server can be recovered by an attacker. This vulnerability might allow an attacker to compromise the private key and other sensitive data in memory.All users are urged to upgrade their openssl packages (especially libssl1.0.0) and restart applications as soon as possible.
According to the currently available information, private keys should be considered as compromised and regenerated as soon as possible. More details will be communicated at a later time.
The oldstable distribution (squeeze) is not affected by this vulnerability.
Solution
Upgrade the openssl packages.For the stable distribution (wheezy), this problem has been fixed in version 1.0.1e-2+deb7u5.
See Also
Plugin Details
Severity: High
ID: 73388
File Name: debian_DSA-2896.nasl
Version: 1.10
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 4/8/2014
Updated: 1/11/2021
Dependencies: ssh_get_info.nasl
Risk Information
VPR
Risk Factor: High
Score: 7.3
CVSS v2
Risk Factor: High
Base Score: 9.4
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:openssl, cpe:/o:debian:debian_linux:7.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 4/7/2014
Exploitable With
Core Impact
Metasploit (OpenSSL Heartbeat Information Leak)
Reference Information
CVE: CVE-2014-0160
DSA: 2896