
Updated (13:45 3/18 GMT): OpenSSL DoS Vulnerability, New Bagel Variants - SANS Internet Storm Center


OpenSSL DoS Vulnerability

------------------------------------------------------



The OpenSSL Project announced today that there is a null pointer assignment flaw in all versions of OpenSSL from 0.9.6c to 0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive. A specially crafted SSL/TLS handshake could cause OpenSSL to crash, which could lead to a DoS against whatever application uses OpenSSL.



Because many devices, servers and systems use OpenSSL, this is a potential issue for many sites. Given the nature of the vulnerability, it cannot be used for anything beyond a DoS, but it is important to be aware of the issue and patch affected installations as quickly as possible.



The OpenSSL Project announcement:



http://www.openssl.org/news/secadv_20040317.txt



Various vendor announcements (updated as they are available):

http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml

https://rhn.redhat.com/errata/RHSA-2004-121.html
http://www.openbsd.net/errata.html#openssl
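To help find installations that need the patch, here is an added example (not from the original diary or the OpenSSL Project) that checks collected version banners against the two affected ranges stated above, including the letter-suffix ordering. The hostnames and banners in the sample inventory are constructed, and the `<host> <banner>` line format is an assumption.

```python
import re

# Affected ranges exactly as stated in the diary text (inclusive at both ends).
AFFECTED_RANGES = [("0.9.6c", "0.9.6l"), ("0.9.7a", "0.9.7c")]

_BANNER_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)
_BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample inventory: "<host> <banner>"; hostnames are made up.
SAMPLE_INVENTORY = """\
web01 OpenSSL 0.9.7c
web02 OpenSSL 0.9.7d
mail01 Apache/1.3.29 (Unix) mod_ssl/2.8.16 OpenSSL/0.9.6b
vpn01 OpenSSL 0.9.6l
db01 OpenSSL 0.9.7
fw01 banner unavailable
"""


def version_key(text):
    """Return a sortable key for an OpenSSL 0.9.x-style version, or None."""
    m = _BANNER_RE.search(text) or _BARE_RE.fullmatch(text.strip())
    if m is None:
        return None
    major, minor, fix, letters = m.groups()
    letters = letters.lower()
    # '' < 'a' < ... < 'z' < 'za': compare suffix length before the letters.
    return (int(major), int(minor), int(fix), len(letters), letters)


def is_affected(text):
    """True/False for a recognised version, None when no version was found."""
    key = version_key(text)
    if key is None:
        return None
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map each host to 'affected', 'not in range' or 'unknown'."""
    labels = {True: "affected", False: "not in range", None: "unknown"}
    result = {}
    for line in inventory.splitlines():
        if line.strip():
            host, _, banner = line.partition(" ")
            result[host] = labels[is_affected(banner)]
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:8} {status}")
```

Hosts reported as "unknown" had no parseable OpenSSL version and need a manual check; vendor builds may also carry backported fixes under an unchanged version string, so confirm against the vendor advisories listed above.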




------------------------------------------------------

New Bagel Variants

New Bagel variants Q, R, S, and T are currently in the wild, and at least variant Q has been given a "Medium" threat level by Trend Micro. (At the time of this update, R, S, and T are being analyzed.) The Q variant uses a known vulnerability in Microsoft Outlook (Object Tag Vulnerability in Popup Window) as one means of propagation. The malware creates an email message that triggers the Outlook vulnerability to automatically download a malicious HTML file, which drops a Visual Basic Script file in the Windows system folder. This VBS file then downloads the actual Bagel executable. The malware may also spread itself via the more standard "click me" attachment on an email.



The interesting twist here is that this variant sets the infected machine up as a server for subsequent downloads of the malicious code on TCP port 81.



Should be an interesting day...



More info:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q

http://vil.nai.com/vil/content/v_101108.htm

http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.r@mm.html

(note: I think that's Symantec's equivalent...)



Info on the Object Tag Vulnerability in Popup Window from MS:

http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx





------------------------------------------------------

Handler on Duty: Tom Liston - ( http://www.labreatechnologies.com )
