# Vulnerabilities and Attacks

Have vulnerabilities been used in real-world attacks?
Logo | Name | Year | Target | Description | Real attack? | Notes/Sources |
---|---|---|---|---|---|---|
<img src="logo/slowloris.png" height="50" width="74"> | Slowloris | 2009 | HTTP servers | Denial of service by keeping connections open | Yes | Abused by Spammers |
- | BEAST | 2011 | TLS 1.0 | Attacking implicit IV in CBC mode encryption | No | - |
- | CRIME | 2012 | TLS | TLS Compression leaks information | No | - |
<img src="logo/breach.png" height="50"> | BREACH | 2013 | TLS | HTTP compression inside TLS leaks information | No | - |
- | TIME | 2013 | TLS | Compression attack with JavaScript/TCP side channel | No | - |
<img src="logo/heartbleed.svg" height="50"> | Heartbleed | 2014 | OpenSSL | Buffer overread leaking server memory | Yes | Reuters/Canadian tax agency, JPMorgan hack |
<img src="logo/ccsinjection.svg" height="50"> | CCS Injection | 2014 | OpenSSL | State machine confusion via early CCS | No | - |
<img src="logo/shellshock.svg" height="50"> | Shellshock | 2014 | Bash | Remote code execution via variables | Yes | Cloudflare/Exploits |
- | Drupalgeddon | 2014 | Drupal | SQL Injection leading to RCE | Yes | Drupal/Automated attacks after 7h |
- | POODLE | 2014 | SSLv3 | Padding oracle with downgrade attack | No | - |
- | goto fail | 2014 | Apple iOS | Typo in source code disabling TLS certificate verification | No | - |
- | GHOST | 2015 | Glibc | Buffer overflow via DNS | No | - |
- | FREAK | 2015 | TLS | Downgrade to export ciphers | No | - |
- | Superfish | 2015 | Lenovo laptops | Bundled software with shared root certificate | No | - |
- | Rowhammer | 2015 | DRAM | Bitflips in RAM modules | No | - |
- | Logjam | 2015 | TLS | Weak Diffie-Hellman parameters | No* | Speculation this may have been exploited by the NSA |
- | Stagefright | 2015 | Stagefright/Android | Memory corruption in media parsers | No | - |
<img src="logo/venom.png" width="72" height="50"> | VENOM | 2015 | QEMU | VM escape | No | - |
<img src="logo/drown.svg" height="50"> | DROWN | 2016 | TLS/SSLv2 | Bleichenbacher attack using SSLv2 | No | - |
<img src="logo/badlock.svg" height="50"> | Badlock | 2016 | Samba/SMB | Various man-in-the-middle attacks | No | - |
- | ImageTragick | 2016 | ImageMagick | Remote code execution in image parsers | Yes | Cloudflare reporting attacks |
- | HEIST | 2016 | TLS | Compression attack with JavaScript/TCP side channel | No | - |
<img src="logo/sweet32.svg" height="50"> | Sweet32 | 2016 | TLS/3DES | Block collisions in 64-bit block ciphers | No | - |
<img src="logo/dirtycow.svg" height="50"> | Dirty COW | 2016 | Linux Kernel | Race condition leading to local root exploit | Yes | ZDNet/Drupalgeddon2/DirtyCOW attacks, TrendMicro/ZNIU Android malware |
<img src="logo/krack.png" height="50"> | KRACK | 2017 | WPA2 | Nonce reuse in wireless encryption | No | - |
<img src="logo/duhk.svg" height="50"> | DUHK | 2017 | FortiOS | Hardcoded key in FIPS-certified X9.31 RNG | No | - |
<img src="logo/robot.svg" height="50"> | ROBOT | 2017 | TLS | Lack of Bleichenbacher attack countermeasures | No | - |
- | EternalBlue | 2017 | Windows/SMBv1 | Remote code execution via SMB | Yes | WaPo/NSA use, WannaCry, NotPetya |
- | SambaCry | 2017 | Samba | RCE via Samba shares | Yes | Kaspersky/Honeypot attacks |
<img src="logo/meltdown.svg" height="50"> | Meltdown | 2018 | CPU/OS | Speculative execution side channel attacking the kernel/user barrier | No | - |
<img src="logo/spectre.svg" height="50" width="63"> | Spectre | 2018 | CPU/OS | Speculative execution side channel attacking program flow | No | - |
- | Drupalgeddon 2 | 2018 | Drupal | Remote code execution | Yes | ZDNet/Drupalgeddon2/DirtyCOW attacks |
<img src="logo/efail.svg" height="50"> | EFAIL | 2018 | OpenPGP/S/MIME | Exfiltrate decrypted mails with HTML | No | - |
- | Bleichenbacher's CAT | 2018 | TLS | Lack of Bleichenbacher attack countermeasures | No | - |
## FAQ

### What?
I'm wondering how many of the "famous" security vulnerabilities have actually been used in attacks that have been documented, so I made a list.
### Couldn't there be unknown attacks?

Obviously this list can only cover attacks that have been publicly documented; it will miss undocumented ones, particularly targeted attacks or attacks within communities with low transparency.
Still, if attacks have been widely used it's reasonable to assume that someone will have documented them.
### The table is wrong! Attack X has been used!
Please open an issue or a pull request. I created this repo to learn whether my assumptions are correct.
### What counts as a real-world attack?
I realize the distinction can be blurry, but it should be an attack that has been carried out without the consent of the owner of the affected system and it should've successfully compromised some security expectation.
Also there should be at least one publicly available description with sufficient detail to make the attack plausible, not just vague rumors.
### There's an important attack missing!
Open an issue or a pull request, but I may close it if I believe the attack hasn't received sufficient attention or is a pure marketing stunt.
### There's a logo missing!
Likely due to unclear licensing terms. All logos used here are under free licenses.
## Copyright
The document and most logos are CC0 / public domain, with some exceptions.