CodeQL documentation

Use of a version of OpenSSL with Heartbleed

- ID: cpp/openssl-heartbleed
- Kind: problem
- Security severity: 7.5
- Severity: error
- Precision: very-high
- Tags:
  - security
  - external/cwe/cwe-327
  - external/cwe/cwe-788
- Query suites:
  - cpp-code-scanning.qls
  - cpp-security-extended.qls
  - cpp-security-and-quality.qls

Earlier versions of the popular OpenSSL library suffer from a buffer overflow in its “heartbeat” code. Because of the location of the problematic code, this vulnerability is often called “Heartbleed”.

Software that includes a copy of OpenSSL should use a current version of the library. If it uses an older version, it is vulnerable to any network peer it connects to.

Recommendation

Upgrade to the latest version of OpenSSL. This problem was fixed in version 1.0.1g.

Example

The following code is present in earlier versions of OpenSSL. The `payload` variable is the number of bytes that should be copied from the request back into the response. The call to `memcpy` does this copy. The problem is that `payload` is supplied as part of the remote request, and there is no code that checks it against the size of the received record. If the caller supplies a very large value, then the `memcpy` call will copy memory that is outside the request packet.

```c
int
tls1_process_heartbeat(SSL *s)
{
    unsigned char *p = &s->s3->rrec.data[0], *pl;
    unsigned short hbtype;
    unsigned int payload;
    /* ... */
    hbtype = *p++;
    n2s(p, payload);   /* payload length taken straight from the request */
    pl = p;
    /* ... */
    if (hbtype == TLS1_HB_REQUEST) {
        /* ... */
        memcpy(bp, pl, payload);   // BAD: overflow here
        /* ... */
    }
    /* ... */
}
```
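To show what the missing check looks like, here is an added, self-contained simulation of heartbeat processing (example code written for this page, not OpenSSL's own source). The record layout follows RFC 6520, `n2s` is a local stand-in for OpenSSL's macro, and the `process_heartbeat`/`rec_len`/`out_cap` names are assumptions; the length comparison before the `memcpy` is the bounds check the vulnerable code lacked.

```c
#include <stddef.h>
#include <string.h>

/* Heartbeat message (RFC 6520): 1 byte type, 2 byte big-endian payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16

/* Stand-in for OpenSSL's n2s(): read a big-endian 16-bit value, advance p. */
static unsigned int n2s(const unsigned char **p) {
    unsigned int v = ((unsigned int)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    return v;
}

/* Build the response for one received heartbeat record `rec` of `rec_len`
 * bytes. Returns the number of response bytes written to `out`, or -1 when
 * the record is discarded. Unlike the vulnerable code, the claimed payload
 * length is validated against the bytes actually received. */
int process_heartbeat(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec, *pl;
    unsigned char hbtype;
    unsigned int payload;

    /* Header plus minimum padding must be present before reading fields. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    hbtype = *p++;
    payload = n2s(&p);
    pl = p;
    /* THE FIX: the claimed payload must fit inside the received record. */
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;                          /* silently discard */
    if (hbtype != HB_REQUEST)
        return -1;

    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)payload;
    memcpy(bp, pl, payload);               /* safe: payload <= bytes received */
    memset(bp + payload, 0, HB_PADDING);   /* OpenSSL uses random padding */
    return (int)resp_len;
}
```

The second record in the test is a constructed malformed request that claims 0xFFFF payload bytes while carrying only four; the check rejects it instead of reading past the buffer.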
