[ale] OpenSSL Vulnerabilities FYI

Jonathan Rickman jonathan at xcorps.net
Fri Sep 13 18:02:47 EDT 2002


FYI

OpenSSL Vulnerabilities

published: 2002-09-13

OpenSSL, the collection of libraries and programs used by many popular
programs, has had a number of security problems recently. It looks like
the problems are not over yet.

It has been discussed on several mailing lists, that aside from the
exploit known for openssl 0.9.6d, there are exploits available for
even the most recent version (0.9.6g).

As a precaution, we recommend disabling programs that use openssl as
much as possible. The exploits available so far focus on apache, which
is probably the most common exposed service that is using openssl.
As a precaution, we recommend disabling SSLv2, if you have to run an
Apache server with mod_ssl enabled. The magic configuration lines
are:

SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Please direct details/questions to isc at incidents.org

===============================================================

Date: Fri, 13 Sep 2002 11:28:51 -0600 (MDT)
From: Dave Ahmad <da at securityfocus.com>
To: ale at ale.org
To: Ben Laurie <ben at algroup.co.uk>
Subject: Re: OpenSSL worm in the wild

Ok,

The incident analysis team over here is examining this thing.  At first
glance it looks reasonably sophisticated.  Looks to me like it exploits
the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
It seems to pick targets based on the "Server:" HTTP response field.
Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
setting it to ProductOnly to turn away at least this version of the
exploit until fixes can be applied.  Another thing to note is that it
communicates with its friends over UDP / port 2002.

I'd like to request IP addresses of hosts that have been compromised or
that are currently attacking systems from anyone who is comfortable
sharing this information.  We wish to run it through TMS (formerly
known as ARIS) to see how quickly it is propagating.

David Ahmad
Symantec
http://www.symantec.com/

On Fri, 13 Sep 2002, Ben Laurie wrote:

> I have now seen a worm for the OpenSSL problems I reported a few weeks
> back in the wild. Anyone who has not patched/upgraded to 0.9.6e+ should
> be _seriously worried_.
>
> It appears to be exclusively targeted at Linux systems, but I wouldn't
> count on variants for other systems not existing.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff


--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
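As an added check (my own code, not part of the original post, the ISC note or Dave Ahmad's message), here is a small audit over an httpd.conf fragment that flags the three settings discussed above: an SSLProtocol that still admits SSLv2, an SSLCipherSuite that does not drop the SSLv2 ciphers, and a ServerTokens value that still exposes the version string the worm keys on via the "Server:" header. The two config fragments are constructed samples; the hardened one uses the exact mod_ssl lines from the ISC note.

```python
# Constructed sample httpd.conf fragments (not taken from any real server).
WEAK_CONF = """
ServerTokens Full
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
</VirtualHost>
"""

HARDENED_CONF = """
ServerTokens ProductOnly
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
</VirtualHost>
"""


def directives(conf):
    """Yield (name, value) for every non-comment, non-section line."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def audit(conf):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    seen = dict(directives(conf))  # last occurrence wins (flat view, no per-vhost scoping)
    # SSLProtocol: "all" includes SSLv2 unless it is explicitly subtracted.
    proto = seen.get("sslprotocol", "all").lower().split()
    if "-sslv2" not in proto and ("all" in proto or "sslv2" in proto or "+sslv2" in proto):
        findings.append("SSLProtocol still permits SSLv2")
    # SSLCipherSuite: an unset value falls back to mod_ssl's default, which
    # included SSLv2 ciphers in the 2002-era builds, so require an explicit removal.
    suite = seen.get("sslciphersuite", "").split(":")
    if not any(c.lower() in ("-sslv2", "!sslv2") for c in suite):
        findings.append("SSLCipherSuite does not remove SSLv2 ciphers")
    # ServerTokens: anything other than Prod/ProductOnly leaks version details.
    tokens = seen.get("servertokens", "full").lower()
    if tokens not in ("prod", "productonly"):
        findings.append("ServerTokens reveals version info (%s)" % tokens)
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Run it against a real httpd.conf by reading the file into a string and passing it to audit(); Include files are not followed, so concatenate them first.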



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
