Re: [cobalt-users] New SSL Vulnerability ?
- Subject: Re: [cobalt-users] New SSL Vulnerability ?
- From: "Rick Ewart" <cobalt@xxxxxxxxx>
- Date: Tue Sep 17 18:09:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Here is what was posted today on http://www.kb.cert.org/vuls/id/102795
>
> Vulnerability Note VU#102795
> OpenSSL servers contain a buffer overflow during the SSL2 handshake
> process
Interesting... Actually scary.... Correct me where I am wrong, please.....
<flame retardant suit on>
But FWIW, I read a message on the security list that said that the prior SHP
(Security Hardening Package) helped protect against buffer overflows.
Someone from Sun (I think - it was late) indicated that those with it
running would not be vulnerable to the first problem - the
linux.slapper.worm. Of course I have to presume that one did not completely
disable the software as a result of the issues with it, but instead set it
to "no action". He also only listed a few of the newer boxes, which was
interpreted by someone as "only these boxes", but I think it referred to
anyone who managed to get it installed as part of the 'pioneer program'. ;)
I noted that the new issue is a buffer overflow issue also, affecting the
SSL2 handshake. It seems that this may be covered by the SHP protection
against buffer overflows too? Can Sun or anyone comment on this? Please....?
So, I have been contemplating the many options discussed here. At a minimum,
it seems limiting the information given would be prudent (although not
failsafe as there have been mixed reports as to whether the worm gets past
the "Apache" part before it tries to attack). Second, removing permission
from gcc seems prudent to keep it from being able to compile, if infected.
Then there is turning off SSL2... From what I read above, it might address
this issue too.... obviously a good choice.
Also, if you have a firewall, stopping UDP traffic on the port the worm uses
might help keep you from being used, if infected.
Re: installing the upgraded Apache, someone noted that it takes you back to
a "chunked" vulnerable status... Not an ideal either.
Gotta admit - knowing what the right path to choose is confusing, at
best.... I knew this day would come eventually... And I thought the round in
February or so when all the UK boxes got hacked was bad....
It WOULD BE NICE if someone from Sun could let us know what is up and what
to expect in terms of patches and all... Not that I am holding my breath...
Take care all.
Rick Ewart