Re: OpenSSL worm

From: Whit Blauvelt (whit@transpect.com)
Date: 09/20/02


Date: Fri, 20 Sep 2002 12:20:24 -0400
From: Whit Blauvelt <whit@transpect.com>
To: Hal Flynn <flynn@securityfocus.com>

One thing that's not fully discussed in some of the notices on this: If you
have openssl-0.9.6e as the basis of Apache-mod_ssl your system cannot be
compromised BUT it looks to me (from a couple of experiences) like the worm
can still end up working as a DoS attack on you, since 0.9.6e doesn't always
handle the error caused by the worm properly, but can crash the process.
This seems to result (on a couple of systems I have where Apache is
initialized via "apachectl startssl") in Apache restarting - but without SSL
service, so the secure side of your sites is down without notice.
openssl-0.9.6g handles the error correctly, and should not have this
problem.

Note this is my best suspicion. I don't have firm evidence - it could just
be coincidence that the only time I've seen this happen is since the worm is
out. The logs are inconclusive.

Whit

On Fri, Sep 13, 2002 at 11:23:16AM -0600, Hal Flynn wrote:
> For those of you not aware, there has been a report of an OpenSSL worm in
> the wild. Discussion is on Bugtraq currently.
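
A defender's check for the failure mode described in the message above (Apache restarts after the crash but comes back without its SSL listener, so the secure side of the site is silently down): a small script that parses `netstat -tln` style output, flags the "HTTP up, HTTPS gone" state, and parses `openssl version` output to tell whether the host is on the 0.9.6g level the post says handles the error. This is an added example, not code from the original post or from the OpenSSL or Apache projects. It assumes a Linux or BSD host where `netstat -tln` lists TCP listeners in the classic format; the port numbers, the sample output, and all helper names are this example's own, and the sample output is constructed rather than captured.

```python
"""Check for the silent "Apache restarted without SSL" state.

Added example; not code from the original mailing-list post. Assumes a
Linux/BSD host where `netstat -tln` (or text in that format) lists the TCP
listeners and `openssl version` reports the library version. Port numbers,
sample output and helper names are this example's own.
"""
import re
import subprocess
from typing import Optional, Set, Tuple

# One `netstat -tln` row, e.g. "tcp  0  0 0.0.0.0:80  0.0.0.0:*  LISTEN".
# Handles IPv4 ("0.0.0.0:80") and IPv6 (":::443") local addresses.
LISTEN_RE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(\S+?):(\d+)\s+\S+\s+LISTEN", re.MULTILINE
)

# `openssl version` prints "OpenSSL <major>.<minor>.<fix><letter> <date>";
# the trailing letter is the patch level (old 0.9.x scheme only).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")

# Per the post, 0.9.6g is the level that handles the worm's error cleanly.
MIN_CLEAN_VERSION: Tuple[int, int, int, int] = (0, 9, 6, ord("g") - ord("a") + 1)


def listening_ports(netstat_output: str) -> Set[int]:
    """Return the set of TCP ports in LISTEN state from netstat -tln text."""
    return {int(m.group(2)) for m in LISTEN_RE.finditer(netstat_output)}


def ssl_service_state(ports: Set[int], http_port: int = 80, https_port: int = 443) -> str:
    """Classify the web service: 'ok', 'degraded' (HTTP up, HTTPS gone) or 'down'."""
    if https_port in ports:
        return "ok"
    if http_port in ports:
        return "degraded"  # the case the post describes: restarted without SSL
    return "down"


def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'OpenSSL 0.9.6e ...' into (0, 9, 6, 5); None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def handles_worm_error(banner: str) -> bool:
    """True if the version is at least the one the post says copes with the error."""
    v = parse_openssl_version(banner)
    return v is not None and v >= MIN_CLEAN_VERSION


# Constructed sample output, not captured from a real host: sshd and plain
# HTTP are listening, the HTTPS listener is missing.
SAMPLE_DEGRADED = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""
SAMPLE_OK = SAMPLE_DEGRADED + (
    "tcp6       0      0 :::443                  :::*                    LISTEN\n"
)


def _capture(cmd) -> Optional[str]:
    """Run a command and return its stdout, or None if it cannot be run."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Use the live host when possible, otherwise the constructed sample.
    netstat = _capture(["netstat", "-tln"]) or SAMPLE_DEGRADED
    banner = _capture(["openssl", "version"]) or "OpenSSL 0.9.6e"
    print("web service:", ssl_service_state(listening_ports(netstat)))
    print("openssl ok per post:", handles_worm_error(banner))
```

Run it from cron or a monitoring hook after any Apache restart; a "degraded" result is exactly the unnoticed SSL outage the message warns about, and a False version result means the host is still on a level that may crash rather than reject the malformed handshake.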