Re: OpenSSL worm in the wild

[Eric Rescorla <ekr () rtfm com>]

Dave Ahmad <da () securityfocus com> writes:
> The incident analysis team over here is examining this thing.  At first
> glance it looks reasonably sophisticated.  Looks to me like it exploits
> the issue described as BID 5363, http://online.securityfocus.com/bid/5363.
> It seems to pick targets based on the "Server:" HTTP response field.
> Mario Van Velzen proposed a quick workaround of disabling ServerTokens or
> setting it to ProductOnly to turn away at least this version of the exploit
> until fixes can be applied.
Since this workaround requires changing the configuration file, 
it's equally easy to disable SSLv2 entirely--especially
since one could easily modify the worm to attack all servers
or, perhaps, those which only display Product ID :)

-Ekr

-- 
[Eric Rescorla                                   ekr () rtfm com]
                http://www.rtfm.com/