OpenSSL worm in the wild
Eric Rescorla
ekr at rtfm.com
Fri Sep 13 13:37:08 PDT 2002
Dave Ahmad <da at securityfocus.com> writes:
> The incident analysis team over here is examining this thing. At first
> glance it looks reasonably sophisticated. Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.
Since this workaround requires changing the configuration file,
it's equally easy to disable SSLv2 entirely--especially
since one could easily modify the worm to attack all servers
or, perhaps, those which only display Product ID :)
-Ekr
--
[Eric Rescorla ekr at rtfm.com]
http://www.rtfm.com/
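The two workarounds compared in this message, as an added example that is not part of the original post: a small audit that reads Apache/mod_ssl configuration text and reports separately whether SSLv2 is still negotiable and whether the `Server:` banner is reduced. It assumes last-directive-wins with no `<VirtualHost>` scoping, assumes SSLv2 is enabled when `SSLProtocol` is absent, and uses constructed sample configs.

```python
# Added example: audits Apache/mod_ssl config text for the two workarounds above.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # protocols mod_ssl offered at the time
CANON = {p.lower(): p for p in ALL_PROTOCOLS}


def parse_ssl_protocol(args):
    """Simplified SSLProtocol model: bare or '+' adds, '-' removes, 'all' expands."""
    enabled = set()
    for word in args:
        sign, name = (word[0], word[1:]) if word[0] in "+-" else ("+", word)
        if name.lower() == "all":
            protos = ALL_PROTOCOLS
        elif name.lower() in CANON:
            protos = {CANON[name.lower()]}
        else:
            raise ValueError("unknown protocol in SSLProtocol: %r" % word)
        enabled = enabled - protos if sign == "-" else enabled | protos
    return enabled


def audit(conf_text):
    """Return (sslv2_enabled, banner_hidden); the last directive seen wins."""
    protocols = set(ALL_PROTOCOLS)  # assumption: SSLv2 is on when SSLProtocol is absent
    tokens = "full"                 # Apache's default ServerTokens value
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        directive = fields[0].lower()
        if directive == "sslprotocol":
            protocols = parse_ssl_protocol(fields[1:])
        elif directive == "servertokens":
            tokens = fields[1].lower()
    return "SSLv2" in protocols, tokens in ("prod", "productonly")


# Constructed sample configs, not taken from any real server.
BANNER_ONLY = "ServerTokens ProductOnly\nSSLEngine on\nSSLProtocol all\n"
SSLV2_OFF = "ServerTokens Full\nSSLEngine on\nSSLProtocol all -SSLv2\n"

if __name__ == "__main__":
    for name, conf in (("banner-only", BANNER_ONLY), ("sslv2-off", SSLV2_OFF)):
        sslv2, hidden = audit(conf)
        print("%s: SSLv2 %s, banner %s" % (
            name, "ENABLED" if sslv2 else "disabled",
            "hidden" if hidden else "shown"))
```

A config that only hides the banner still reports SSLv2 as enabled, which is the distinction the reply draws between the two changes.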