[11633] in cryptography@c2.net mail archive


Re: OpenSSL worm in the wild

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Fri Sep 13 16:37:26 2002

To: Dave Ahmad <da@securityfocus.com>
Cc: Ben Laurie <ben@algroup.co.uk>,
	Bugtraq <BUGTRAQ@securityfocus.com>,
	Cryptography <cryptography@wasabisystems.com>,
	cypherpunks <cypherpunks@einstein.ssz.com>,
	Apache SSL <apache-ssl@lists.aldigital.co.uk>
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 13 Sep 2002 13:37:08 -0700
In-Reply-To: Dave Ahmad's message of "Fri, 13 Sep 2002 11:28:51 -0600 (MDT)"

Dave Ahmad <da@securityfocus.com> writes:
> The incident analysis team over here is examining this thing.  At first
> glance it looks reasonably sophisticated.  Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.
Since this workaround requires changing the configuration file, 
it's equally easy to disable SSLv2 entirely--especially
since one could easily modify the worm to attack all servers
or, perhaps, those which only display Product ID :)

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/
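
An added example, not part of the original message: a small Python check of the point made in the reply, that a configuration can hide the banner with ServerTokens while SSLv2 stays enabled. It assumes mod_ssl's `SSLProtocol` directive (not named in the thread), a default of all protocols when the directive is absent, and the parsing rule noted in the comments; the function names and both sample configurations are constructed.

```python
ALL = frozenset({"SSLv2", "SSLv3", "TLSv1"})   # protocol names of that era
NAMES = {p.lower(): p for p in ALL}

def protocols(args):
    """Evaluate one SSLProtocol argument list into the set it enables."""
    enabled = set()
    for tok in args:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        chosen = set(ALL) if name == "all" else {NAMES.get(name, name)}
        if sign == "-":
            enabled -= chosen
        elif sign == "+":
            enabled |= chosen
        else:                       # assumption: a bare name replaces the set
            enabled = set(chosen)
    return enabled

def audit(conf_text):
    """Report whether SSLv2 is still on and whether only the banner was changed."""
    tokens, proto_lines = "Full", []    # Full is Apache's default ServerTokens
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue                    # blank line or comment
        key = parts[0].lower()
        if key == "servertokens" and len(parts) > 1:
            tokens = parts[1]
        elif key == "sslprotocol":
            proto_lines.append(protocols(parts[1:]))
    # Conservative: flag SSLv2 if any SSLProtocol line (any vhost) leaves it on,
    # or if no line exists and the assumed default of "all" applies.
    sslv2 = not proto_lines or any("SSLv2" in p for p in proto_lines)
    hidden = tokens.lower() in ("prod", "productonly")
    return {"sslv2_enabled": sslv2, "banner_hidden": hidden,
            "banner_only": hidden and sslv2}

# Constructed sample: the ServerTokens workaround alone.
BANNER_ONLY = "ServerTokens ProductOnly\nSSLEngine on\n"
# Constructed sample: SSLv2 switched off, banner left at its default.
SSLV2_OFF = "# hardened\nServerTokens Full\nSSLEngine on\nSSLProtocol all -SSLv2\n"

if __name__ == "__main__":
    for label, conf in (("banner only", BANNER_ONLY), ("SSLv2 off", SSLV2_OFF)):
        print(label, audit(conf))
```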
