Full Disclosure mailing list archives

CERT..(the linux ssl issue) CA-2002-027


From: niels=netsys () bakker net (Niels Bakker)
Date: Sun, 15 Sep 2002 00:12:51 +0200

* len () netsys com (Len Rose) [Sat 14 Sep 2002, 23:30 CEST]:
> Of course the alert is great, but to reiterate my point,
> too limited in scope and may lead to a false sense of
> complacency for non-linux sites.

I concur.  I sent the mail below to the moderator of Bugtraq after he
rejected the posting included at the end. (I've removed his words.)


        -- Niels.

----- Forwarded message -----

Date: Fri, 13 Sep 2002 21:17:06 +0200
From: Niels Bakker <niels=bugtraq () bakker net>
To: Dave Ahmad <da () securityfocus com>
Subject: Re: bugtraq.c httpd apache ssl attack

Hi David,

Thanks for your quick reply.

[ david here states that he thinks my quoted statements were
  superfluous, as the remedies proposed by some bugtraq posters
  were only temporary measures. ]

I think it needs to be stated.  Stopgap measures like those proposed by
those two subscribers give a false sense of security.

"Whew!  /tmp/.bugtraq.c created and gcc disabled.  I'm safe now!"

The reverse is true.

Given that most Outlook-borne viruses/worms continue to spread literally
years after Microsoft has made patches public that fix the holes these
exploit to spread, the message to patch your systems cannot be repeated
too often, in my opinion.

If I were a script kiddie, I'd quickly make a bugtraq2.c that used
mktemp() to select a filename and had appropriate workarounds for a
disabled gcc (i.e., carry a binary payload as well, or the ability to
download one from somewhere).  It'd be reasonably successful, too, due
to wrong advice like that below being handed out on well-known forums
like Bugtraq.

No, the life of a security-conscious person isn't easy; on the contrary,
it's hard work staying on top of things.  You're bound to miss things,
but you shouldn't make things worse by actively ignoring them.


Won't it be easiest to just upgrade to a non-vulnerable version of
OpenSSL and mod_ssl?

Obviously way better than a stopgap measure that blocks one particular
implementation of an extremely wide range of attacks, I'd say.


Regards,


        -- Niels.

-- 
"Patient" is Latin for "sufferer".
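The mail's conclusion is to upgrade OpenSSL rather than plant a /tmp/.bugtraq.c canary or hide gcc. The check below is an added example, not part of Niels Bakker's mail or of anything on this list: it parses `openssl version` banners and reports whether a build predates the release that fixed the SSLv2 handshake overflow the worm used. The thresholds (0.9.6e on the 0.9.6 branch, 0.9.7-beta3 on the 0.9.7 branch) are taken from CERT advisory CA-2002-23 and are an assumption of the example; the sample banners are constructed.

```python
import re
import subprocess

# Added example, not from the mail: decide whether an OpenSSL banner is older
# than the release that fixed the SSLv2 handshake overflow the worm used.
# Thresholds assumed from CERT CA-2002-23: 0.9.6e and 0.9.7-beta3.

_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?"
)


def parse_openssl_version(banner):
    """Map an 'openssl version' banner to a sortable tuple.

    Layout: (major, minor, fix, patch_letter, is_release, beta_number)
    so that 0.9.6d < 0.9.6e and 0.9.7-beta2 < 0.9.7-beta3 < 0.9.7.
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    patch = (ord(letter) - ord("a") + 1) if letter else 0   # 'e' -> 5
    if beta is None:
        return (int(major), int(minor), int(fix), patch, 1, 0)
    return (int(major), int(minor), int(fix), patch, 0, int(beta))


# First release on each affected branch that carries the fix (assumed).
FIXED_IN = {
    (0, 9, 6): parse_openssl_version("OpenSSL 0.9.6e"),
    (0, 9, 7): parse_openssl_version("OpenSSL 0.9.7-beta3"),
}


def is_vulnerable(banner):
    """True if the banner names a build older than the fixed release."""
    version = parse_openssl_version(banner)
    branch = version[:3]
    if branch < (0, 9, 6):
        return True                  # predates every fixed release
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    return False                     # later branches postdate the fix


def check_host(banners):
    """Classify banners; returns {banner: 'vulnerable' | 'fixed'}."""
    return {b: ("vulnerable" if is_vulnerable(b) else "fixed") for b in banners}


def installed_banner():
    """Banner of the local openssl binary, or None if it cannot be run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip()


if __name__ == "__main__":
    # Constructed sample banners, not collected from any real host.
    samples = [
        "OpenSSL 0.9.6d 9 May 2002",
        "OpenSSL 0.9.6e 30 Jul 2002",
        "OpenSSL 0.9.7-beta2 24 Jun 2002",
        "OpenSSL 0.9.7-beta3 30 Jul 2002",
    ]
    for banner, verdict in check_host(samples).items():
        print("%-36s %s" % (banner, verdict))
    local = installed_banner()
    if local:
        print("local: %s -> %s" % (local, check_host([local])[local]))
```

One caveat when using this on real hosts: vendor packages often backport a fix without changing the upstream version string, so a banner that reads as vulnerable here should be confirmed against the package changelog, and a server linked against a different OpenSSL than the one on PATH needs the library it actually loaded checked, not the command-line tool.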

