Issue of October 2002
Security Watch

Read about the latest developments in security every month in Security Watch

WORMS AND OVERFLOWING BUFFERS
Self-propagating malicious code is exploiting a vulnerability (VU#102795) in OpenSSL. The malicious code is referred to as the Apache/mod_ssl worm, linux.slapper.worm and bugtraq.c worm. The Apache/mod_ssl worm has already infected thousands of systems.

While this OpenSSL server vulnerability exists on a wide variety of platforms, the Apache/mod_ssl worm seems to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.

The worm scans for potentially vulnerable systems on 80/tcp using an invalid HTTP GET request. When a potentially vulnerable Apache system is detected, the worm attempts to connect to the SSL service via 443/tcp in order to deliver the exploit code. If successful, a copy of the malicious source code is then placed on the victim server, where the attacking system tries to compile and run it. Once infected, the victim server begins scanning for additional hosts to continue the worm's propagation.

Additionally, the worm can act as an attack platform for distributed denial-of-service (DDoS) attacks against other sites by building a network of infected hosts.

The high volume of 2002/udp traffic generated between hosts infected with the Apache/mod_ssl worm may itself lead to performance issues on networks with infected or formerly infected hosts. Furthermore, the DDoS capabilities included in the Apache/mod_ssl worm allow victim systems to be used as platforms to attack other systems.

Since repairing an infected host does not remove its IP address from the Apache/mod_ssl worm's Peer-to-Peer network, sites that have had hosts infected with the Apache/mod_ssl worm and subsequently patched them may continue to see significant levels of 2002/udp traffic directed at those formerly infected systems.

System Affected
Linux systems running Apache with mod_ssl accessing SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86 architectures.

Reports indicate that the Apache/mod_ssl worm's source code is placed in /tmp/.bugtraq.c on infected systems. It is compiled with gcc, resulting in the executable binary being stored at /tmp/.bugtraq; therefore, presence of any of the following files on Linux systems running Apache with OpenSSL is indicative of compromise.

  • /tmp/.bugtraq.c
  • /tmp/.bugtraq

Solution/Patches

  • Upgrade to version 0.9.6e of OpenSSL to resolve the issues.

Combined patches for OpenSSL 0.9.6d are available at: http://www.openssl.org/news/patch_20020730_0_9_6d.txt

After either applying the patches or upgrading to 0.9.6e, recompile all applications using OpenSSL to support SSL or TLS services, and restart said services or systems. This will eliminate all known vulnerable code.

Sites running OpenSSL pre-release version 0.9.7-beta2 can upgrade to 0.9.7-beta3, which corrects these vulnerabilities. Patches are available at: www.openssl.org/news/patch_20020730_0_9_7.txt
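A host triage helper, added here as an example (it is not code from the column or from OpenSSL), that ties together the two file indicators listed under "System Affected" and the version guidance given in this section: it reports which of the worm's files exist beneath a chosen root, and classifies an `openssl version` banner using the releases the text names (0.9.6d and earlier affected, 0.9.6e fixed, 0.9.7-beta2 affected, 0.9.7-beta3 fixed). The `root` and `exists` parameters are assumptions so the check can be pointed at a mounted image or stubbed in a test instead of the live filesystem; treating the later 0.9.7 final release and newer as fixed goes beyond the text.

```python
"""Host triage for Apache/mod_ssl worm indicators and OpenSSL version status.

Added example, not from the Security Watch column. The indicator paths and
the affected/fixed version boundaries come from the text.
"""
import os
import re

# The two file indicators the text names on infected systems.
WORM_INDICATORS = ("/tmp/.bugtraq.c", "/tmp/.bugtraq")


def find_worm_files(root="/", exists=os.path.lexists):
    """Return the indicator paths present beneath `root`.

    `root` and `exists` are assumptions added so the check can run against a
    mounted disk image, or a stub in a test, rather than the live host.
    """
    return [rel for rel in WORM_INDICATORS
            if exists(os.path.join(root, rel.lstrip("/")))]


# Matches banners such as "OpenSSL 0.9.6d 9 May 2002" or "OpenSSL 0.9.7-beta2".
_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?", re.IGNORECASE)


def openssl_status(banner):
    """Classify an `openssl version` banner as 'vulnerable', 'fixed' or 'unknown'.

    Release facts from the text: 0.9.6d and earlier are affected (older series
    included), 0.9.6e carries the fix, 0.9.7-beta2 is affected and 0.9.7-beta3
    is fixed. Anything from 0.9.7 final onward also contains the fix.
    """
    m = _BANNER_RE.search(banner)
    if not m:
        return "unknown"
    series = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if series < (0, 9, 6):
        return "vulnerable"
    if series == (0, 9, 6):
        # "" sorts before "a", so plain 0.9.6 and 0.9.6a-d are all affected.
        return "vulnerable" if letter <= "d" else "fixed"
    if series == (0, 9, 7) and beta is not None:
        return "vulnerable" if int(beta) < 3 else "fixed"
    return "fixed"


if __name__ == "__main__":
    print("worm files:", find_worm_files())
    print("OpenSSL 0.9.6d 9 May 2002 ->", openssl_status("OpenSSL 0.9.6d 9 May 2002"))
```

Run it on a host with `python3 triage.py`; for a forensic image, call `find_worm_files("/mnt/image")` so the paths resolve under the mount point rather than the analysis machine's own `/tmp`.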

In the case of the Apache/mod_ssl worm, employing ingress and egress filtering can help prevent systems on your network from participating in the worm's DDoS network and attacking systems elsewhere. Blocking UDP datagrams with both source and destination port 2002 from entering or leaving your network reduces the risk of external infected systems communicating with infected hosts inside your network.
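The filtering rule above, and the 2002/udp traffic pattern described earlier, expressed as an added example (not code from the column): `should_block` encodes the rule as stated (UDP with both source and destination port 2002), and `suspect_hosts` applies the same match to tcpdump-style packet log lines to list the internal hosts exchanging that traffic, which is how a site would spot infected or formerly infected machines that still receive peer traffic after patching. The log lines are constructed here; the internal prefix and the reporting threshold are assumptions.

```python
"""Spot Apache/mod_ssl worm peer-to-peer traffic (UDP port 2002) in a packet log.

Added example, not from the Security Watch column. Log lines are constructed
in tcpdump's "IP src.port > dst.port: UDP, length N" form.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

WORM_P2P_PORT = 2002  # port named in the text for the worm's peer network

_UDP_LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)")

# Constructed sample: one busy peer, one stray datagram, and unrelated traffic.
SAMPLE_LOG = """\
12:00:01.000 IP 10.1.2.3.2002 > 192.0.2.9.2002: UDP, length 48
12:00:01.010 IP 192.0.2.9.2002 > 10.1.2.3.2002: UDP, length 48
12:00:01.020 IP 10.1.2.3.2002 > 198.51.100.7.2002: UDP, length 60
12:00:01.030 IP 10.1.2.3.2002 > 10.1.2.7.2002: UDP, length 60
12:00:02.000 IP 10.1.2.4.40123 > 10.1.0.53.53: UDP, length 40
12:00:02.100 IP 10.1.2.5.2002 > 192.0.2.9.2003: UDP, length 48
12:00:02.200 IP 192.0.2.9.2002 > 10.1.2.6.2002: UDP, length 48
12:00:02.300 IP 203.0.113.5.51000 > 10.1.2.3.80: Flags [S], seq 1, win 512, length 0
""".splitlines()


def should_block(proto, sport, dport):
    """The filter rule from the text: UDP with source AND destination port 2002."""
    return proto.lower() == "udp" and sport == WORM_P2P_PORT and dport == WORM_P2P_PORT


def parse_udp_line(line):
    """Return (src, sport, dst, dport, length) for a UDP log line, else None."""
    m = _UDP_LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))


def suspect_hosts(lines, internal_net="10.0.0.0/8", threshold=3):
    """Map internal hosts to their count of 2002<->2002 UDP datagrams.

    Only hosts at or above `threshold` are returned; both endpoints are
    counted when both are internal. `internal_net` and `threshold` are
    assumptions to tune for the site.
    """
    net = ip_network(internal_net)
    counts = Counter()
    for line in lines:
        rec = parse_udp_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, _length = rec
        if not should_block("udp", sport, dport):
            continue
        for host in (src, dst):
            if ip_address(host) in net:
                counts[host] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in sorted(suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {n} datagrams on udp/{WORM_P2P_PORT}")
```

Feed it real capture output with `tcpdump -n udp port 2002` piped to a file; the regex deliberately requires the `UDP, length` marker, so TCP lines and lines where only one side uses port 2002 are ignored, matching the "both source and destination port" condition the column gives.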

Covalent Technologies
BSAFE libraries used in Covalent's SSL implementations are potentially vulnerable to the SSLv2 issue. All Covalent products using SSL are affected. Product updates and additional information are available at:
www.covalent.net/products/rotate.php?page=110

Red Hat Inc.
Customers who have kept their systems up to date by applying fixes or using the Red Hat Network are not impacted by this worm. Updates for all affected Red Hat products are available; details and links to the individual advisories can be found at www.redhat.com/support/alerts/linux_slapper_worm.html


Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD