Vulnerabilities and Attacks
Have vulnerabilities been used in real world attacks?
Logo | Name | Year | Target | Description | Real attack? | Notes/Sources |
---|---|---|---|---|---|---|
Slowloris | 2009 | HTTP servers | Denial of service by keeping connections open | Yes | Abused by Spammers | |
- | BEAST | 2011 | TLS 1.0 | Attacking implicit IV in CBC mode encryption | No | - |
- | CRIME | 2012 | TLS | TLS Compression leaks information | No | - |
BREACH | 2013 | TLS | HTTP compression inside TLS leaks information | No | - | |
- | TIME | 2013 | TLS | Compression attack with Javascript/TCP sidechannel | No | - |
Heartbleed | 2014 | OpenSSL | Buffer overread leaking server memory | Yes | Reuters/Canadian tax agency JPMorgan Hack | |
CCS Injection | 2014 | OpenSSL | State machine confusion via early CCS | No | - | |
Shellshock | 2014 | Bash | Remote code execution via variables | Yes | Cloudflare/Exploits | |
- | Drupalgeddon | 2014 | Drupal | SQL Injection leading to RCE | Yes | Drupal/Automated attacks after 7h |
- | POODLE | 2014 | SSLv3 | Padding oracle with downgrade attack | No | - |
- | goto fail | 2014 | Apple iOS | Typo in source code disabling TLS certificate verification | No | - |
- | GHOST | 2015 | Glibc | Buffer overflow via DNS | No | - |
- | FREAK | 2015 | TLS | Downgrade to export ciphers | No | - |
- | Superfish | 2015 | Lenovo laptops | Bundled software with shared root certificate | No | - |
- | Rowhammer | 2015 | DRAM | Bitflips in RAM modules | No | - |
- | Logjam | 2015 | TLS | Weak diffie hellman parameters | No* | Speculation this may've been exploited by the NSA |
- | Stagefright | 2015 | Stagefright/Android | Memory corruption in media parsers | No | - |
VENOM | 2015 | QEMU | VM escape | No | - | |
DROWN | 2016 | TLS/SSLv2 | Bleichenbacher attack using SSLv2 | No | - | |
Badlock | 2016 | Samba/SMB | Various man in the middle attacks | No | - | |
- | ImageTragick | 2016 | Imagemagick | Remote code execution in image parsers | Yes | Cloudflare reporting attacks |
- | HEIST | 2016 | TLS | Compression attack with Javascript/TCP sidechannel | No | - |
Sweet32 | 2016 | TLS/3DES | Block collissions in 64 bit block ciphers | No | - | |
Dirty COW | 2016 | Linux Kernel | Race condition leading to local root exploit | Yes | ZDNet/Drupalgeddon2/DirtyCOW attacks TrendMicro/ZNIU Android Malware | |
KRACK | 2017 | WPA2 | Nonce reuse in wireless encryption | No | - | |
DUHK | 2017 | FortiOS | Hardcoded key in FIPS-certified X9.31 RNG | No | - | |
ROBOT | 2017 | TLS | Lack of Bleichenbacher attack countermeasures | No | - | |
- | EternalBlue | 2017 | Windows/SMBv1 | Remote code exection via SMB | Yes | WaPo/NSA use, WannaCry, NotPetya |
- | SambaCry | 2017 | Samba | RCE via Samba shares | Yes | Kaspersky/Honeypot attacks |
Meltdown | 2018 | CPU/OS | Speculative execution sidechannel attacking root/user barrier | No | - | |
Spectre | 2018 | CPU/OS | Speculative execution sidechannel attacking program flow | No | - | |
- | Drupalgeddon 2 | 2018 | Drupal | Remote code execution | Yes | ZDNet/Drupalgeddon2/DirtyCOW attacks |
EFAIL | 2018 | OpenPGP/SMIME | Exfiltrate decrypted mails with HTML | No | - | |
- | Bleichenbacher's CAT | 2018 | TLS | Lack of Bleichenbacher attack countermeasures | No | - |
FAQ
What?
I'm wondering how many of the "famous" security vulnerabilities have actually been used in attacks that have been documented, so I made a list.
Couldn't there be unknown attacks?
Obviously this list can only cover attacks that have been publicly documented, particularly targetted attacks or attacks within communities with low transparency.
Still if attacks have been widely used it's reasonable to assume that someone will have documented them.
The table is wrong! Attack X has been used!
Please open an issue or a pull request. I created this repo to learn whether my assumptions are correct.
What counts as a real world attack?
I realize the distinction can be blurry, but it should be an attack that has been carried out without the consent of the owner of the affected system and it should've successfully compromised some security expectation.
Also there should be at least one publicly available description with sufficient detail to make the attack plausible, not just vague rumors.
There's an important attack missing!
Open an issue or a pull request, but I may close it if I believe the attack hasn't received sufficient attention or is a pure marketing stunt.
There's a logo missing!
Likely due to unclear licensing terms. All logos used here are under free licenses.
Copyright
The document and most logos are CC0 / public domain, with some exceptions.