Named vulnerabilities and their practical impact
Switch branches/tags
Nothing to show
Clone or download
Latest commit ba807cb Dec 11, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
logo venom logo Dec 9, 2018
LICENSE update license for venom Dec 9, 2018
LICENSE.CC0 initial commit of document and logos Dec 5, 2018
README.md Fix broken link Dec 11, 2018

README.md

Vulnerabilities and Attacks

Have vulnerabilities been used in real world attacks?

Logo Name Year Target Description Real attack? Notes/Sources
- BEAST 2011 TLS 1.0 Attacking implicit IV in CBC mode encryption No -
- CRIME 2012 TLS TLS Compression leaks information No -
BREACH 2013 TLS HTTP compression inside TLS leaks information No -
- TIME 2013 TLS Compression attack with Javascript/TCP sidechannel No -
Heartbleed 2014 OpenSSL Buffer overread leaking server memory Yes Reuters/Canadian tax agency JPMorgan Hack
CCS Injection 2014 OpenSSL State machine confusion via early CCS No -
Shellshock 2014 Bash Remote code execution via variables Yes Cloudflare/Exploits
- Drupalgeddon 2014 Drupal SQL Injection leading to RCE Yes Drupal/Automated attacks after 7h
- POODLE 2014 SSLv3 Padding oracle with downgrade attack No -
- goto fail 2014 Apple iOS Typo in source code disabling TLS certificate verification No -
- GHOST 2015 Glibc Buffer overflow via DNS No -
- FREAK 2015 TLS Downgrade to export ciphers No -
- Superfish 2015 Lenovo laptops Bundled software with shared root certificate No -
- Rowhammer 2015 DRAM Bitflips in RAM modules No -
- Logjam 2015 TLS Weak diffie hellman parameters No* Speculation this may've been exploited by the NSA
- Stagefright 2015 Stagefright/Android Memory corruption in media parsers No -
VENOM 2015 QEMU VM escape No -
DROWN 2016 TLS/SSLv2 Bleichenbacher attack using SSLv2 No -
Badlock 2016 Samba/SMB Various man in the middle attacks No -
- ImageTragick 2016 Imagemagick Remote code execution in image parsers Yes Cloudflare reporting attacks
- HEIST 2016 TLS Compression attack with Javascript/TCP sidechannel No -
Sweet32 2016 TLS/3DES Block collissions in 64 bit block ciphers No -
Dirty COW 2016 Linux Kernel Race condition leading to local root exploit Yes ZDNet/Drupalgeddon2/DirtyCOW attacks TrendMicro/ZNIU Android Malware
KRACK 2017 WPA2 Nonce reuse in wireless encryption No -
DUHK 2017 FortiOS Hardcoded key in FIPS-certified X9.31 RNG No -
ROBOT 2017 TLS Lack of Bleichenbacher attack countermeasures No -
- EternalBlue 2017 Windows/SMBv1 Remote code exection via SMB Yes WaPo/NSA use, WannaCry, NotPetya
- SambaCry 2017 Samba RCE via Samba shares Yes Kaspersky/Honeypot attacks
Meltdown 2018 CPU/OS Speculative execution sidechannel attacking root/user barrier No -
Spectre 2018 CPU/OS Speculative execution sidechannel attacking program flow No -
- Drupalgeddon 2 2018 Drupal Remote code execution Yes ZDNet/Drupalgeddon2/DirtyCOW attacks
EFAIL 2018 OpenPGP/SMIME Exfiltrate decrypted mails with HTML No -
- Bleichenbacher's CAT 2018 TLS Lack of Bleichenbacher attack countermeasures No -

FAQ

What?

I'm wondering how many of the "famous" security vulnerabilities have actually been used in attacks that have been documented, so I made a list.

Couldn't there be unknown attacks?

Obviously this list can only cover attacks that have been publicly documented, particularly targetted attacks or attacks within communities with low transparency.

Still if attacks have been widely used it's reasonable to assume that someone will have documented them.

The table is wrong! Attack X has been used!

Please open an issue or a pull request. I created this repo to learn whether my assumptions are correct.

What counts as a real world attack?

I realize the distinction can be blurry, but it should be an attack that has been carried out without the consent of the owner of the affected system and it should've successfully compromised some security expectation.

Also there should be at least one publicly available description with sufficient detail to make the attack plausible, not just vague rumors.

There's an important attack missing!

Open an issue or a pull request, but I may close it if I believe the attack hasn't received sufficient attention or is a pure marketing stunt.

There's a logo missing!

Likely due to unclear licensing terms. All logos used here are under free licenses.

Copyright

The document and most logos are CC0 / public domain, with some exceptions.