[27042] in bugtraq
Re: OpenSSL worm in the wild
daemon@ATHENA.MIT.EDU (Eric Rescorla)
Fri Sep 13 16:49:09 2002
To: Dave Ahmad <da@securityfocus.com>
Reply-To: EKR <ekr@rtfm.com>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
From: Eric Rescorla <ekr@rtfm.com>
Date: 13 Sep 2002 13:37:08 -0700
In-Reply-To: Dave Ahmad's message of "Fri, 13 Sep 2002 11:28:51 -0600 (MDT)"
Message-ID: <kj7khplj7v.fsf@romeo.rtfm.com>
Dave Ahmad <da@securityfocus.com> writes:
> The incident analysis team over here is examining this thing. At first
> glance it looks reasonably sophisticated. Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.
Since this workaround requires changing the configuration file,
it's equally easy to disable SSLv2 entirely--especially
since one could easily modify the worm to attack all servers
or, perhaps, those which only display Product ID :)
-Ekr
--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
