Use of a version of OpenSSL with HeartbleedΒΆ
ID: cpp/openssl-heartbleed
Kind: problem
Severity: error
Precision: very-high
Tags:
- security
- external/cwe/cwe-327
- external/cwe/cwe-788
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
Click to see the query in the CodeQL repository
Earlier versions of the popular OpenSSL library suffer from a buffer overflow in its βheartbeatβ code. Because of the location of the problematic code, this vulnerability is often called βHeartbleedβ.
Software that includes a copy of OpenSSL should be sure to use a current version of the library. If it uses an older version, it will be vulnerable to any network site it connects with.
RecommendationΒΆ
Upgrade to the latest version of OpenSSL. This problem was fixed in version 1.0.1g.
ExampleΒΆ
The following code is present in earlier versions of OpenSSL. The payload variable is the number of bytes that should be copied from the request back into the response. The call to memcpy does this copy. The problem is that payload is supplied as part of the remote request, and there is no code that checks the size of it. If the caller supplies a very large value, then the memcpy call will copy memory that is outside the request packet.
int
tls1_process_heartbeat(SSL *s)
{
unsigned char *p = &s->s3->rrec.data[0], *pl;
unsigned short hbtype;
unsigned int payload;
/* ... */
hbtype = *p++;
n2s(p, payload);
pl = p;
/* ... */
if (hbtype == TLS1_HB_REQUEST)
{
/* ... */
memcpy(bp, pl, payload); // BAD: overflow here
/* ... */
}
/* ... */
}
ReferencesΒΆ
- Common Vulnerabilities and Exposures: CVE-2014-0160.
- OpenSSL News: OpenSSL Security Advisory [07 Apr 2014].
- Common Weakness Enumeration: CWE-327.
- Common Weakness Enumeration: CWE-788.