Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (VPN)  >   OpenSSL Vendors:
(NetBSD Issues Fix) OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1030048
SecurityTracker URL:
CVE Reference:   CVE-2014-0160   (Links to External Site)
Date:  Apr 10 2014
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.1 through 1.0.1f; 1.0.2-beta
Description:   A vulnerability was reported in OpenSSL. A remote user can obtain potentially sensitive information.

A remote client or server can trigger a buffer overread in the processing of the TLS heartbeat extension to obtain up to 64k of memory (per heartbeat request), potentially including encryption keys.

The vulnerability was introduced to the source code in December 2011 and to release version 1.0.1 in March 2012.

[Editor's note: This vulnerability is known as the OpenSSL heartbleed vulnerability.]

Neel Mehta of Google Security reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information, including encryption keys.
Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Boundary error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Apr 8 2014 OpenSSL TLS Heartbeat Buffer Overread Lets Remote Users Obtain Potentially Sensitive Information

 Source Message Contents

Subject:  NetBSD Security Advisory 2014-004: OpenSSL information disclosure ("heartbleed")

Hash: SHA1

		NetBSD Security Advisory 2014-004

Topic:		OpenSSL information disclosure ("heartbleed")

Version:	NetBSD-current:		before Tue April 8th, 2014
		NetBSD 6.1 - 6.1.3:	affected
		NetBSD 6.0 - 6.0.4:	affected
		NetBSD 5.1 - 5.1.4:	not affected (but see pkgsrc)
		NetBSD 5.2 - 5.2.2:	not affected (but see pkgsrc)
		pkgsrc:			affected

Severity:	high

Fixed:		NetBSD-current:		Tue April 8th, 2014
		NetBSD-6-0 branch:	Tue April 8th, 2014
		NetBSD-6-1 branch:	Tue April 8th, 2014
		NetBSD-6 branch:	Tue April 8th, 2014
		pkgsrc:			openssl-1.0.1g (Tue April 8th, 2014)

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Due to a programming error, a feature of the TLS protocol could
be used to deliver unselective chunks of memory of the process
running the TLS protocol.

The chunks of memory revealed to the attacker are likely to include
the private key the program is using to secure TLS connections,
but may include other vulnerable material, like e.g. in the case
of a https or ldaps server, account names and passwords of users.

Also, once the attacker has a copy of the private key they can run
very difficult to detect Man in the Middle attacks, or just listen
in on further communication with the affected program if they are
in a position to intercept traffic to it. (i.e. your encrypted
connection could as well be cleartext).

This vulnerability has been assigned CVE-2014-0160.

Technical Details

A missing bounds check in the openssl 1.0.1 libssl library before
version 1.0.1g in the implementation of the RFC6520 TLS heartbeat
extension exposes up to 64k of memory of the process using libssl
on each invocation (e.g. on every connection).

Solutions and Workarounds

Update your OpenSSL libraries, make sure the old libssl is no longer
used, and change your certificate.

Update your OpenSSL libraries
- -----------------------------
On NetBSD 6.*, the fastest method to obtain fixed libraries is to
download the fixed libraries for your system from
and to deploy them:
cd /some/scratchpath
ftp`uname -m`-heartbleedfix.tgz
gpg --verify SHA512.asc
# check for: Good signature from "NetBSD Security Officer <>"
cksum -a sha512 netbsd6-`uname -m`-heartbleedfix.tgz > /tmp/netbsd6-`uname -m`-heartbleedfix.tgz.sha512.local
grep netbsd6-`uname -m`-heartbleedfix.tgz SHA512 > /tmp/netbsd6-`uname -m`-heartbleedfix.tgz.sha512.ftp
diff /tmp/netbsd6-`uname -m`-heartbleedfix.tgz.sha512.*
(diff should have no output)

cd / && tar xzpf /some/scratchpath/heartbleed/netbsd6-`uname -m`-heartbleedfix.tgz
rm /usr/lib/
(remove the affected library just to make sure. Continue
reading below)

On NetBSD current, update src and rebuild and install.

Other ways to obtain a libssl that is not affected
- --------------------------------------------------
Rebuilding libssl (from src/crypto/external/bsd/openssl/lib/libssl)
with -DOPENSSL_NO_HEARTBEATS set will obtain a library that doesn't
support the extension and thus can't be attacked through it.

Get the fixed library into use
- ------------------------------
Since the vulnerability is in a shared library, getting the old
library purged and the fixed one into use requires shutting down
all programs that load libssl. This includes sshd (which is not
affected in its role as ssh-service-provider, but may be impacted
as a ldaps client f.e.). The easiest way to do this is to reboot
the system.

Fixed versions
- --------------
files relative to src/crypto/external/bsd/openssl/dist/ssl

branch      d1_both.c        t1_lib.c
- ----------  ---------------  -----------
HEAD          1.11

Thanks To

OpenSSL thanks Neel Mehta of Google Security for discovering this bug
and Adam Langley <> and Bodo Moeller <>
for preparing the fix.

NetBSD furthermore thanks Christos Zoulas for updating -current and
the releng team for the fast pullup and the preparation of the fix

Revision History

	2014-04-09	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-004.txt,v 1.1 2014/04/09 20:56:18 tonnerre Exp $

Version: GnuPG v1


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2022, LLC