about the latest developments in security every month
in Security Watch
AND OVERFLOWING BUFFERS
A self-propagating worm is exploiting a buffer overflow in
OpenSSL's SSLv2 handshake code (VU#102795). The malicious
code is referred to as the Apache/mod_ssl worm, linux.slapper.worm
and the bugtraq.c worm, and it has already infected
thousands of systems.
While this OpenSSL server vulnerability exists on a
wide variety of platforms, the Apache/mod_ssl worm seems
to work only on Linux systems running Apache with the
OpenSSL module (mod_ssl) on Intel architectures.
The worm scans for potentially vulnerable systems on
80/tcp using an invalid HTTP GET request; the server's
error response reveals the Apache version. When a potentially
vulnerable Apache system is detected, the worm connects
to the SSL service on 443/tcp to deliver the exploit code.
If the exploit succeeds, a copy of the worm's source code
is placed on the victim server, and the attacking system
compiles and runs it there. Once infected, the victim
begins scanning for additional hosts to continue the worm's propagation.
Additionally, the worm can act as an attack platform
for distributed denial-of-service (DDoS) attacks against
other sites by building a network of infected hosts.
The high volume of 2002/udp traffic between hosts infected
with the Apache/mod_ssl worm may itself degrade performance
on networks with infected or formerly infected hosts.
Furthermore, the worm's DDoS capabilities allow victim
systems to be used as platforms to attack other systems.
Since repairing an infected host does not remove its
IP address from the Apache/mod_ssl worm's Peer-to-Peer
network, sites that have had hosts infected with the
Apache/mod_ssl worm and subsequently patched them may
continue to see significant levels of 2002/udp traffic
directed at those formerly infected systems.
Affected: Linux systems running Apache with mod_ssl linked
against SSLv2-enabled OpenSSL 0.9.6d or earlier on Intel x86.
Reports indicate that the Apache/mod_ssl worm's source
code is placed in /tmp/.bugtraq.c on infected systems
and compiled with gcc, leaving the executable binary at
/tmp/.bugtraq. The presence of either file on a Linux
system running Apache with OpenSSL is indicative of compromise.
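The following triage script is an added example, not code from the original column or from CERT; it turns the indicators above into checks a responder can run on a suspect Linux host: the two drop files, a socket bound to the worm's 2002/udp peer port (read from /proc/net/udp, whose address column is in host byte order on the x86 systems the worm targets), and the scanning phase described earlier as it appears in the Apache access log. The assumption that the worm's invalid GET shows up as a bare "GET / HTTP/1.1" answered with 400 (an HTTP/1.1 request without a Host header) is mine, as are the sample /proc/net/udp rows and log lines, which are constructed and not real captures.

```python
import os
import re

# Host-side indicators named in the advisory text: the worm drops its source at
# /tmp/.bugtraq.c, compiles it with gcc, and runs the binary /tmp/.bugtraq.
SLAPPER_FILES = ("/tmp/.bugtraq.c", "/tmp/.bugtraq")

# Port of the worm's peer-to-peer network (2002/udp); /proc/net/udp shows ports in hex.
P2P_PORT = 2002

# Apache combined-format access-log line; only client, request and status are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Constructed sample of /proc/net/udp (not a real capture). The local port 07D2 is 2002;
# the address column is host byte order, so on x86 it reads back-to-front.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 0F0200C0:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242
  15: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234
"""

# Constructed Apache access-log sample (not a real capture). The worm's scan is assumed
# here to appear as "GET / HTTP/1.1" with no Host header, which Apache rejects with 400.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [13/Sep/2002:10:01:02 +0000] "GET / HTTP/1.1" 400 385 "-" "-"',
    '198.51.100.4 - - [13/Sep/2002:10:01:05 +0000] "GET /index.html HTTP/1.0" 200 1234 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [13/Sep/2002:10:03:11 +0000] "GET / HTTP/1.1" 400 385 "-" "-"',
    '203.0.113.9 - - [13/Sep/2002:10:04:00 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/4.0"',
]


def dropped_files(root="/"):
    """Return the worm drop files present under root. root is a parameter so the check can be
    pointed at a mounted image of a suspect disk instead of the live filesystem."""
    return [p for p in SLAPPER_FILES if os.path.exists(os.path.join(root, p.lstrip("/")))]


def udp_listeners_on_port(proc_net_udp_text, port=P2P_PORT):
    """Parse /proc/net/udp text and return the local IPv4 addresses bound to `port`."""
    bound = []
    for line in proc_net_udp_text.splitlines()[1:]:       # first line is the column header
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            continue
        ip_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # x86 host byte order: the last two hex digits are the first octet.
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        bound.append(".".join(str(o) for o in octets))
    return bound


def probe_sources(access_log_lines):
    """Count, per client address, bare 'GET / HTTP/1.1' requests answered with 400: the shape
    the worm's scanning phase is assumed to leave in the access log."""
    counts = {}
    for line in access_log_lines:
        m = LOG_RE.match(line)
        if m and m.group("req") == "GET / HTTP/1.1" and m.group("status") == "400":
            counts[m.group("ip")] = counts.get(m.group("ip"), 0) + 1
    return counts


if __name__ == "__main__":
    # Live checks on this host, plus the constructed samples so the output is illustrative.
    print("drop files present:", dropped_files("/"))
    if os.path.exists("/proc/net/udp"):
        with open("/proc/net/udp") as f:
            print("2002/udp bound on:", udp_listeners_on_port(f.read()))
    print("sample 2002/udp binding:", udp_listeners_on_port(SAMPLE_PROC_NET_UDP))
    print("sample probe sources:", probe_sources(SAMPLE_ACCESS_LOG))
```

On a compromised host the file check is the weakest of the three, since an attacker who followed the worm in can simply delete /tmp/.bugtraq; the bound 2002/udp socket and the outbound probe pattern in other servers' logs survive that clean-up.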
Upgrade to version 0.9.6e of OpenSSL
Upgrade to version 0.9.6e of OpenSSL to resolve the
Combined patches for OpenSSL 0.9.6d are available at:
After either applying the patches or upgrading to 0.9.6e,
recompile (or at least relink) all applications that use
OpenSSL to provide SSL or TLS services, and restart those
services or the systems. This eliminates all known vulnerable
code; a patched library is not in use until every process
that loaded the old one has been restarted.
Sites running OpenSSL pre-release version 0.9.7-beta2
can upgrade to 0.9.7-beta3, which corrects these vulnerabilities.
Patches are available at:
In the case of the Apache/mod_ssl worm, employing ingress
and egress filtering can help prevent systems on your network
from participating in the worm's DDoS network and attacking
systems elsewhere. Blocking UDP datagrams with both source and
destination port 2002 from entering or leaving your
network reduces the risk of external infected systems
communicating with infected hosts inside your network.
Filtering contains the peer-to-peer traffic; it does not
disinfect or patch the hosts behind it.
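Once that filter is logging, the same 2002/udp traffic tells you which internal hosts the worm's peer-to-peer network still knows about, which is the list of infected or formerly infected systems to verify and rebuild. The script below is an added example, not part of the original column: it reads netfilter LOG lines, keeps only UDP datagrams with source and destination port 2002, and reports each internal address together with the external peers that contacted it. The log prefix "SLAPPER" and the sample lines are constructed, not a real capture; the internal network is passed in as a parameter.

```python
import ipaddress
import re

# Key=value fields that netfilter's LOG target writes; only these five are needed.
FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")
REQUIRED = ("SRC", "DST", "PROTO", "SPT", "DPT")

# Constructed sample of kernel LOG output (not a real capture). The "SLAPPER" prefix is
# assumed to be whatever --log-prefix the site's own 2002/udp rule uses.
SAMPLE_FW_LOG = """\
Sep 16 12:00:01 fw kernel: SLAPPER IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.15 LEN=46 TOS=0x00 PREC=0x00 TTL=51 ID=1 PROTO=UDP SPT=2002 DPT=2002 LEN=26
Sep 16 12:00:02 fw kernel: SLAPPER IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.15 LEN=46 TOS=0x00 PREC=0x00 TTL=49 ID=2 PROTO=UDP SPT=2002 DPT=2002 LEN=26
Sep 16 12:00:03 fw kernel: SLAPPER IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.7 LEN=46 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=2002 DPT=2002 LEN=26
Sep 16 12:00:04 fw kernel: OTHER IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=UDP SPT=2002 DPT=53 LEN=40
Sep 16 12:00:05 fw kernel: OTHER IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=192.0.2.80 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=5 PROTO=TCP SPT=2002 DPT=80 WINDOW=5840
"""


def parse_log_line(line):
    """Extract the SRC/DST/PROTO/SPT/DPT fields, or None if the line is not a packet log."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in REQUIRED):
        return None
    return fields


def is_slapper_p2p(fields, port=2002):
    """The worm's peer traffic is UDP with *both* ports 2002; a single matching port is not enough
    (a 2002 source port talking to 53/udp is ordinary ephemeral-port traffic)."""
    return fields["PROTO"] == "UDP" and fields["SPT"] == str(port) and fields["DPT"] == str(port)


def p2p_peers(log_text, internal_net):
    """Return (inside, outside): inside maps each internal address seen in 2002/udp peer traffic
    to the set of external peers it exchanged datagrams with; outside is the union of those peers."""
    net = ipaddress.ip_network(internal_net)
    inside = {}
    outside = set()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or not is_slapper_p2p(f):
            continue
        src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
        # Count the flow in both directions: an internal host sending to the network is
        # as telling as one being contacted by it.
        for local, remote in ((src, dst), (dst, src)):
            if local in net and remote not in net:
                inside.setdefault(str(local), set()).add(str(remote))
                outside.add(str(remote))
    return inside, outside


if __name__ == "__main__":
    inside, outside = p2p_peers(SAMPLE_FW_LOG, "192.0.2.0/24")
    for host, peers in sorted(inside.items()):
        print(host, "<-> 2002/udp peers:", ", ".join(sorted(peers)))
    print("external peers seen:", len(outside))
```

Internal hosts in the report that have already been patched are exactly the case the advisory describes: still addressed by the peer network even though they are no longer infected, so expect the list to persist after clean-up and treat a host's own outbound 2002/udp (the third sample line) as the stronger sign that it is still running the worm.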
BSAFE libraries used in Covalent's SSL implementations
are potentially vulnerable to the SSLv2 flaw. All Covalent
products using SSL are affected. Product updates and
additional information are available at:
Red Hat Inc.
Customers who have kept their systems up to date by
applying fixes or using the Red Hat Network are not
impacted by this worm. Updates for all affected Red
Hat products are available; details and links to the
individual advisories can be found at www.redhat.com/support/alerts/linux_slapper_worm.html