Signature Detail

SSL: OpenSSL KEY_ARG No Entropy

This signature detects attempts to exploit a known vulnerability against SSL Client Master Key packet. OpenSSL 0.9.6d and earlier versions are vulnerable. Attackers can send malicious Key packets to exploit a buffer overflow condition in the KEY_ARG parameter. This signature also detects attempts to exploit the Server Stack overflow in Mozilla Network Services. A successful attack can allow arbitrary code execution on the target host.

Extended Description

A buffer-overflow vulnerability has been reported in some versions of OpenSSL. The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition. ***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.

Affected Products

• Apache_software_foundation apache 1.0.0
• Apache_software_foundation apache 1.0.2
• Apache_software_foundation apache 1.0.3
• Apache_software_foundation apache 1.0.5
• Apache_software_foundation apache 1.1.0
• Apache_software_foundation apache 1.1.1
• Apache_software_foundation apache 1.2.0
• Apache_software_foundation apache 1.2.5
• Apache_software_foundation apache 1.3.0
• Apache_software_foundation apache 1.3.1
• Apache_software_foundation apache 1.3.11
• Apache_software_foundation apache 1.3.12
• Apache_software_foundation apache 1.3.13
• Apache_software_foundation apache 1.3.14
• Apache_software_foundation apache 1.3.14 Mac
• Apache_software_foundation apache 1.3.15
• Apache_software_foundation apache 1.3.16
• Apache_software_foundation apache 1.3.17
• Apache_software_foundation apache 1.3.18
• Apache_software_foundation apache 1.3.19
• Apache_software_foundation apache 1.3.20
• Apache_software_foundation apache 1.3.22
• Apache_software_foundation apache 1.3.23
• Apache_software_foundation apache 1.3.24
• Apache_software_foundation apache 1.3.25
• Apache_software_foundation apache 1.3.26
• Apache_software_foundation apache 1.3.3
• Apache_software_foundation apache 1.3.4
• Apache_software_foundation apache 1.3.6
• Apache_software_foundation apache 1.3.7 -Dev
• Apache_software_foundation apache 1.3.9
• Apache_software_foundation apache 2.0.0
• Apache_software_foundation apache 2.0.28
• Apache_software_foundation apache 2.0.28 Beta
• Apache_software_foundation apache 2.0.28 -BETA
• Apache_software_foundation apache 2.0.32
• Apache_software_foundation apache 2.0.32 -BETA
• Apache_software_foundation apache 2.0.34 -BETA
• Apache_software_foundation apache 2.0.35
• Apache_software_foundation apache 2.0.36
• Apache_software_foundation apache 2.0.37
• Apache_software_foundation apache 2.0.38
• Apache_software_foundation apache 2.0.39
• Apache_software_foundation apache 2.0.40
• Apple mac_os_x 10.0.0
• Apple mac_os_x 10.0.1
• Apple mac_os_x 10.0.2
• Apple mac_os_x 10.0.3
• Apple mac_os_x 10.0.4
• Apple mac_os_x 10.1.0
• Apple mac_os_x 10.1.1
• Apple mac_os_x 10.1.2
• Apple mac_os_x 10.1.3
• Apple mac_os_x 10.1.4
• Apple mac_os_x 10.1.5
• Apple mac_os_x 10.2.0
• Apple mac_os_x_server 10.0.0
• Cisco secure_content_accelerator_10000
• Covalent enterprise_ready_server 2.1.0
• Covalent enterprise_ready_server 2.2.0
• Covalent fast_start_server 3.1.0
• Gentoo linux 0.5.0
• Gentoo linux 0.7.0
• Gentoo linux 1.1.0 A
• Gentoo linux 1.2.0
• Gentoo linux 1.4.0 _rc1
• Gentoo linux 1.4.0 _rc2
• Gentoo linux 1.4.0 _rc3
• Hp internet_express_eak 2.0.0
• Hp openssl_for_openvms_alpha 1.0.0
• Hp openvms_secure_web_server 1.1.0 -1
• Hp openvms_secure_web_server 1.2.0
• Hp secure_os_software_for_linux 1.0.0
• Hp tcp/ip_services_for_openvms 5.3.0
• Hp tru64_unix_compaq_secure_web_server 5.8.1
• Hp tru64_unix_internet_express 5.9.0
• Hp virtualvault 4.5.0
• Hp virtualvault 4.6.0
• Hp webproxy 1.0.0
• Hp webproxy 2.0.0
• Ibm http_server 1.3.19
• Ibm linux_affinity_toolkit
• Juniper_networks junos 5.0.0
• Juniper_networks junos 5.1.0
• Juniper_networks junos 5.2.0
• Juniper_networks junos 5.3.0
• Juniper_networks junos 5.4.0
• Juniper_networks junos 5.5.0
• Juniper_networks junos 5.6.0
• Juniper_networks sdx-300 3.1.0
• Juniper_networks sdx-300 3.1.1
• Novell netmail 3.10.0
• Novell netmail 3.10.0 a
• Novell netmail 3.10.0 b
• Novell netmail 3.10.0 c
• Novell netmail 3.10.0 d
• Openssl_project openssl 0.9.1 C
• Openssl_project openssl 0.9.2 B
• Openssl_project openssl 0.9.3
• Openssl_project openssl 0.9.4
• Openssl_project openssl 0.9.5
• Openssl_project openssl 0.9.5 A
• Openssl_project openssl 0.9.6
• Openssl_project openssl 0.9.6 A
• Openssl_project openssl 0.9.6 B
• Openssl_project openssl 0.9.6 C
• Openssl_project openssl 0.9.6 D
• Openssl_project openssl 0.9.7 Beta1
• Openssl_project openssl 0.9.7 Beta2
• Oracle corporatetime_outlook_connector 3.1.0
• Oracle corporatetime_outlook_connector 3.1.1
• Oracle corporatetime_outlook_connector 3.1.2
• Oracle corporatetime_outlook_connector 3.3.0
• Oracle oracle9i_application_server 1.0.2
• Oracle oracle9i_application_server 1.0.2 .1s
• Oracle oracle9i_application_server 1.0.2 .2
• Oracle oracle9i_application_server
• Oracle oracle_http_server 9.0.1
• Oracle oracle_http_server 9.2.0 .0
• Rsa_security bsafe_ssl-c 2.1.0
• Rsa_security bsafe_ssl-c 2.2.0
• Rsa_security bsafe_ssl-c 2.3.0
• Secure_computing safeword_premieraccess 3.1.0
• Sonicwall ssl-r 4.0.0 .18
• Sonicwall ssl-r3 4.0.0 .18
• Sonicwall ssl-r6 4.0.0 .18
• Sonicwall ssl-rx 4.0.0 .18

References

• BugTraq: 5363
• CVE: CVE-2007-0009
• CVE: CVE-2002-0656
• URL: http://www.securityfocus.com/bid/5363/info/