312-50V10 · Question #471
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TL
The correct answer is A. Heartbleed Bug. Heartbleed (CVE-2014-0160) is the OpenSSL vulnerability that exploited a flaw in the TLS heartbeat extension, allowing attackers to read protected memory and steal sensitive data.
Question
Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.
Options
- AHeartbleed Bug
- BPOODLE
- CSSL/TLS Renegotiation Vulnerability
- DShellshock
How the community answered
(15 responses)- A87% (13)
- C7% (1)
- D7% (1)
Why each option
Heartbleed (CVE-2014-0160) is the OpenSSL vulnerability that exploited a flaw in the TLS heartbeat extension, allowing attackers to read protected memory and steal sensitive data.
The Heartbleed Bug is a buffer over-read vulnerability in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520), disclosed in April 2014 as CVE-2014-0160. An attacker could send a malformed heartbeat request that caused the server to return up to 64KB of its own memory, potentially exposing private keys, session tokens, and user credentials. This directly matched the description of stealing information normally protected by SSL/TLS encryption.
POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability in SSL 3.0's CBC padding that allows man-in-the-middle decryption, not a memory-reading flaw in OpenSSL itself.
The SSL/TLS Renegotiation Vulnerability (CVE-2009-3555) allowed attackers to inject plaintext into encrypted sessions during renegotiation, which is a different attack class from memory disclosure.
Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash shell that allows arbitrary command execution through environment variables, completely unrelated to OpenSSL or SSL/TLS.
Concept tested: Heartbleed OpenSSL CVE-2014-0160 vulnerability identification
Source: https://heartbleed.com/
Topics
Community Discussion
No community discussion yet for this question.