Juniper Networks

Signature Detail

Security Intelligence Center

Short Name: SSL:OVERFLOW:SSL-KEY_ARG2
Severity: Critical
Recommended: No
Recommended Action: Drop
Category: SSL
Keywords: OpenSSL KEY_ARG Buffer Overflow (2)
Release Date: 2003/12/10
Update Number: 1213
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

SSL: OpenSSL KEY_ARG Buffer Overflow (2)

This signature detects plaintext commands sent over an SSL connection after an OpenSSL implementation has been successfully exploited. OpenSSL 0.9.6d and earlier versions are vulnerable. Attackers can exploit a buffer overflow in the handling of the KEY_ARG parameter to execute arbitrary code on the target host.

Extended Description

A buffer-overflow vulnerability has been reported in some versions of OpenSSL. The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.

UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.

Affected Products

  • Apache Software Foundation Apache 1.0.0
  • Apache Software Foundation Apache 1.0.2
  • Apache Software Foundation Apache 1.0.3
  • Apache Software Foundation Apache 1.0.5
  • Apache Software Foundation Apache 1.1.0
  • Apache Software Foundation Apache 1.1.1
  • Apache Software Foundation Apache 1.2.0
  • Apache Software Foundation Apache 1.2.5
  • Apache Software Foundation Apache 1.3.0
  • Apache Software Foundation Apache 1.3.1
  • Apache Software Foundation Apache 1.3.11
  • Apache Software Foundation Apache 1.3.12
  • Apache Software Foundation Apache 1.3.13
  • Apache Software Foundation Apache 1.3.14
  • Apache Software Foundation Apache 1.3.14 Mac
  • Apache Software Foundation Apache 1.3.15
  • Apache Software Foundation Apache 1.3.16
  • Apache Software Foundation Apache 1.3.17
  • Apache Software Foundation Apache 1.3.18
  • Apache Software Foundation Apache 1.3.19
  • Apache Software Foundation Apache 1.3.20
  • Apache Software Foundation Apache 1.3.22
  • Apache Software Foundation Apache 1.3.23
  • Apache Software Foundation Apache 1.3.24
  • Apache Software Foundation Apache 1.3.25
  • Apache Software Foundation Apache 1.3.26
  • Apache Software Foundation Apache 1.3.3
  • Apache Software Foundation Apache 1.3.4
  • Apache Software Foundation Apache 1.3.6
  • Apache Software Foundation Apache 1.3.7-dev
  • Apache Software Foundation Apache 1.3.9
  • Apache Software Foundation Apache 2.0.0
  • Apache Software Foundation Apache 2.0.28
  • Apache Software Foundation Apache 2.0.28-beta
  • Apache Software Foundation Apache 2.0.32
  • Apache Software Foundation Apache 2.0.32-beta
  • Apache Software Foundation Apache 2.0.34-beta
  • Apache Software Foundation Apache 2.0.35
  • Apache Software Foundation Apache 2.0.36
  • Apache Software Foundation Apache 2.0.37
  • Apache Software Foundation Apache 2.0.38
  • Apache Software Foundation Apache 2.0.39
  • Apache Software Foundation Apache 2.0.40
  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Apple Mac OS X 10.1.0
  • Apple Mac OS X 10.1.1
  • Apple Mac OS X 10.1.2
  • Apple Mac OS X 10.1.3
  • Apple Mac OS X 10.1.4
  • Apple Mac OS X 10.1.5
  • Apple Mac OS X 10.2.0
  • Apple Mac OS X Server 10.0.0
  • Cisco Secure Content Accelerator 10000
  • Covalent Enterprise Ready Server 2.1.0
  • Covalent Enterprise Ready Server 2.2.0
  • Covalent Fast Start Server 3.1.0
  • Gentoo Linux 0.5.0
  • Gentoo Linux 0.7.0
  • Gentoo Linux 1.1.0a
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0_rc1
  • Gentoo Linux 1.4.0_rc2
  • Gentoo Linux 1.4.0_rc3
  • HP INTERNET EXPRESS EAK 2.0.0
  • HP OpenSSL for OpenVMS Alpha 1.0.0
  • HP OpenVMS Secure Web Server 1.1.0-1
  • HP OpenVMS Secure Web Server 1.2.0
  • HP Secure OS software for Linux 1.0.0
  • HP TCP/IP Services for OpenVMS 5.3.0
  • HP Tru64 UNIX Compaq Secure Web Server 5.8.1
  • HP Tru64 UNIX INTERNET EXPRESS 5.9.0
  • HP VirtualVault 4.5.0
  • HP VirtualVault 4.6.0
  • HP Webproxy 1.0.0
  • HP Webproxy 2.0.0
  • IBM HTTP Server 1.3.19
  • IBM Linux Affinity Toolkit
  • Juniper Networks JUNOS 5.0.0
  • Juniper Networks JUNOS 5.1.0
  • Juniper Networks JUNOS 5.2.0
  • Juniper Networks JUNOS 5.3.0
  • Juniper Networks JUNOS 5.4.0
  • Juniper Networks JUNOS 5.5.0
  • Juniper Networks JUNOS 5.6.0
  • Juniper Networks SDX-300 3.1.0
  • Juniper Networks SDX-300 3.1.1
  • Novell NetMail 3.10.0
  • Novell NetMail 3.10.0a
  • Novell NetMail 3.10.0b
  • Novell NetMail 3.10.0c
  • Novell NetMail 3.10.0d
  • OpenSSL Project OpenSSL 0.9.1c
  • OpenSSL Project OpenSSL 0.9.2b
  • OpenSSL Project OpenSSL 0.9.3
  • OpenSSL Project OpenSSL 0.9.4
  • OpenSSL Project OpenSSL 0.9.5
  • OpenSSL Project OpenSSL 0.9.5a
  • OpenSSL Project OpenSSL 0.9.6
  • OpenSSL Project OpenSSL 0.9.6a
  • OpenSSL Project OpenSSL 0.9.6b
  • OpenSSL Project OpenSSL 0.9.6c
  • OpenSSL Project OpenSSL 0.9.6d
  • OpenSSL Project OpenSSL 0.9.7-beta1
  • OpenSSL Project OpenSSL 0.9.7-beta2
  • Oracle CorporateTime Outlook Connector 3.1.0
  • Oracle CorporateTime Outlook Connector 3.1.1
  • Oracle CorporateTime Outlook Connector 3.1.2
  • Oracle CorporateTime Outlook Connector 3.3.0
  • Oracle Oracle9i Application Server 1.0.2
  • Oracle Oracle9i Application Server 1.0.2.1s
  • Oracle Oracle9i Application Server 1.0.2.2
  • Oracle Oracle9i Application Server
  • Oracle Oracle HTTP Server 9.0.1
  • Oracle Oracle HTTP Server 9.2.0.0
  • RSA Security BSAFE SSL-C 2.1.0
  • RSA Security BSAFE SSL-C 2.2.0
  • RSA Security BSAFE SSL-C 2.3.0
  • Secure Computing SafeWord PremierAccess 3.1.0
  • SonicWALL SSL-R 4.0.0.18
  • SonicWALL SSL-R3 4.0.0.18
  • SonicWALL SSL-R6 4.0.0.18
  • SonicWALL SSL-RX 4.0.0.18

References

  • BugTraq: 5363
  • CVE: CVE-2002-0656
  • URL: http://www.securityfocus.com/bid/5363/info/

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.