OpenSSL worm in the wild

Eric Rescorla ekr at rtfm.com
Fri Sep 13 13:37:08 PDT 2002


Dave Ahmad <da at securityfocus.com> writes:
> The incident analysis team over here is examining this thing.  At first
> glance it looks reasonably sophisticated.  Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.
Since this workaround requires changing the configuration file, 
it's equally easy to disable SSLv2 entirely--especially
since one could easily modify the worm to attack all servers
or, perhaps, those which only display Product ID :)

-Ekr

-- 
[Eric Rescorla                                   ekr at rtfm.com]
                http://www.rtfm.com/





More information about the cypherpunks-legacy mailing list