
Cisco SCA 11000 Series Secure Content Accelerators

Field Notice: *Expired* FN - 21373 - SSL Vulnerabilities on Secure Content Accelerator


Revised May 29, 2008
October 24, 2002


NOTICE:

THIS FIELD NOTICE HAS BEEN EXPIRED AND IS NO LONGER MAINTAINED OR UPDATED BY CISCO.

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE, WARRANTY OR SUPPORT. USE OF THE INFORMATION ON THIS FIELD NOTICE OR MATERIALS LINKED FROM THIS FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Products Affected

  • SCA running software earlier than 3.2.0.20

  • SCA-2 running software earlier than 4.0.0.20

Problem Description

The Apache/mod_ssl worm is self-propagating malicious code that exploits the OpenSSL vulnerability. While this OpenSSL server vulnerability exists on a wide variety of platforms, the Apache/mod_ssl worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.

See these advisories for further details:

http://www.cert.org/advisories/CA-2002-27.html

http://www.cert.org/advisories/CA-2002-23.html

Background

The Apache/mod_ssl worm scans for potentially vulnerable systems on TCP port 80 using an invalid HTTP GET request. When a potentially vulnerable Apache system is detected, the worm attempts to connect to the SSL service on TCP port 443 in order to deliver the exploit code. If successful, a copy of the malicious source code is then placed on the victim server, where the attacking system tries to compile and run it. Once infected, the victim server begins scanning for additional hosts to continue the worm's propagation.

Additionally, the Apache/mod_ssl worm can act as an attack platform for distributed denial-of-service (DDoS) attacks against other sites by building a network of infected hosts. During the infection process, the attacking host instructs the newly-infected victim to initiate traffic on UDP port 2002 (newer variants have been reported to also use UDP ports 1978 and 4156) back to the attacker. Once this communications channel has been established, the infected system becomes part of the Apache/mod_ssl worm's DDoS network. Infected hosts can then share information on other infected systems as well as attack instructions. This UDP traffic can be used by a remote attacker as a communications channel between infected systems to coordinate attacks on other sites.

Reports to the CERT/CC indicate that the high volume traffic generated on UDP ports 1978, 2002, and 4156 between hosts infected with the Apache/mod_ssl worm may itself lead to performance issues (including possible denial-of-service conditions) on networks with infected hosts. Furthermore, since repairing an infected host does not remove its IP address from the Apache/mod_ssl worm's Peer-to-Peer network, sites that have had hosts infected with the Apache/mod_ssl worm and subsequently patched them may continue to see significant levels of traffic on UDP ports 1978, 2002, or 4156 directed at those formerly infected systems.
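The traffic pattern described above (UDP 1978/2002/4156 between peers, and a TCP 80 probe followed by a connection to TCP 443 on the same target) can be flagged from flow records. The following is an added detection example, not part of this field notice; the flow tuple format and the sample records are constructed for illustration.

```python
"""Flag Apache/mod_ssl worm indicators in constructed flow records.

Added example, not from the Cisco field notice. Each record is a constructed
(src, dst, proto, dport, packets) tuple, not any real NetFlow export format.
"""
from collections import Counter, defaultdict

# UDP ports the notice names for the worm's peer-to-peer / DDoS channel.
WORM_UDP_PORTS = {1978, 2002, 4156}

# Constructed sample flows: (src, dst, proto, dport, packets)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "tcp", 80, 1),          # probe of a web server
    ("10.0.0.5", "192.0.2.10", "tcp", 443, 12),        # follow-up to the SSL service
    ("10.0.0.5", "192.0.2.11", "tcp", 80, 1),
    ("10.0.0.5", "192.0.2.11", "tcp", 443, 9),
    ("192.0.2.10", "10.0.0.5", "udp", 2002, 500),      # P2P channel back to attacker
    ("192.0.2.10", "198.51.100.7", "udp", 1978, 320),  # peer-to-peer chatter
    ("10.0.0.9", "192.0.2.10", "tcp", 443, 40),        # ordinary HTTPS client
    ("10.0.0.9", "192.0.2.10", "udp", 53, 3),          # not a worm port
]


def udp_p2p_suspects(flows, min_packets=100):
    """Hosts sending heavy traffic to UDP 1978/2002/4156: candidate infected hosts.

    Per the notice, formerly infected hosts that were patched but not removed
    from the P2P network also keep receiving this traffic, so both directions
    are worth reviewing; this function counts the sending side only.
    """
    per_host = Counter()
    for src, _dst, proto, dport, pkts in flows:
        if proto == "udp" and dport in WORM_UDP_PORTS:
            per_host[src] += pkts
    return {host: n for host, n in per_host.items() if n >= min_packets}


def scan_then_ssl(flows):
    """Sources that hit TCP 80 and TCP 443 on the same target (probe, then exploit).

    Flow records carry no payload or ordering, so this is a coarse filter that
    also matches legitimate HTTP-to-HTTPS browsing; corroborate with the invalid
    HTTP GET probe in web server logs before treating a host as a scanner.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, proto, dport, _pkts in flows:
        if proto == "tcp" and dport in (80, 443):
            ports_by_pair[(src, dst)].add(dport)
    return sorted({src for (src, _dst), ports in ports_by_pair.items()
                   if ports == {80, 443}})
```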

Problem Symptoms

The customer's SCA will stop operating, making it look as though the customer's website is completely down.

Workaround/Solution

Upgrade the SCA to software version 3.2.0.20 (or 4.0.0.20 for the SCA-2) or later.

Note: Keys and certificates are not compromised as a result of this exploit on the SCA. See Release Note for the Cisco 11000 Series Secure Content Accelerator for further details.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.