nerdexam
EC-Council

312-50V10 · Question #471

Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TL

The correct answer is A. Heartbleed Bug. Heartbleed (CVE-2014-0160) is the OpenSSL vulnerability that exploited a flaw in the TLS heartbeat extension, allowing attackers to read protected memory and steal sensitive data.

Cryptography

Question

Which of the following is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Options

  • AHeartbleed Bug
  • BPOODLE
  • CSSL/TLS Renegotiation Vulnerability
  • DShellshock

How the community answered

(15 responses)
  • A
    87% (13)
  • C
    7% (1)
  • D
    7% (1)

Why each option

Heartbleed (CVE-2014-0160) is the OpenSSL vulnerability that exploited a flaw in the TLS heartbeat extension, allowing attackers to read protected memory and steal sensitive data.

AHeartbleed BugCorrect

The Heartbleed Bug is a buffer over-read vulnerability in OpenSSL's implementation of the TLS/DTLS heartbeat extension (RFC 6520), disclosed in April 2014 as CVE-2014-0160. An attacker could send a malformed heartbeat request that caused the server to return up to 64KB of its own memory, potentially exposing private keys, session tokens, and user credentials. This directly matched the description of stealing information normally protected by SSL/TLS encryption.

BPOODLE

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a vulnerability in SSL 3.0's CBC padding that allows man-in-the-middle decryption, not a memory-reading flaw in OpenSSL itself.

CSSL/TLS Renegotiation Vulnerability

The SSL/TLS Renegotiation Vulnerability (CVE-2009-3555) allowed attackers to inject plaintext into encrypted sessions during renegotiation, which is a different attack class from memory disclosure.

DShellshock

Shellshock (CVE-2014-6271) is a vulnerability in the GNU Bash shell that allows arbitrary command execution through environment variables, completely unrelated to OpenSSL or SSL/TLS.

Concept tested: Heartbleed OpenSSL CVE-2014-0160 vulnerability identification

Source: https://heartbleed.com/

Topics

#Heartbleed#OpenSSL#SSL/TLS vulnerability#memory disclosure

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice