Linux/Slapper.worm - openSUSE Security - openSUSE Mailing Lists

newer
Re: [suse-security]...

Linux/Slapper.worm

older
Re: [suse-security] how to enable...

Miguel Albuquerque

16 Sep 2002 16 Sep '02

11:31

Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt. The security update openssl release 20020812 by SuSE fixes the problem? Thanx -- .-. SECNeT /v\ We Run SuSE Project Manager // \\ *The LINUX Experts* c/o Miguel Albuquerque /( )\ Av. Miremont 46 ^^-^^ 1202 - GE, SWITZERLAND Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348 mailto:mfoacs@e-workshop.ch http://mfoacs.e-workshop.ch

Reply

Sign in to reply online Use email software

Show replies by date

Olaf Kirch

16 Sep 16 Sep

14:12

New subject: [suse-security] Linux/Slapper.worm

On Mon, Sep 16, 2002 at 01:31:02PM +0200, Miguel Albuquerque wrote:

Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt.

The security update openssl release 20020812 by SuSE fixes the problem? Thanx

It does. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann

Reply

Sign in to reply online Use email software

Markus Gaugusch

14:37

New subject: [suse-security] Linux/Slapper.worm

On Sep 16, Olaf Kirch wrote:

...
Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt. The security update openssl release 20020812 by SuSE fixes the problem? Thanx

It does.

Olaf Why is mod_ssl.rpm from suse 7.1 dated 29-Jul-2002 13:47 ? Am I at risk???

I looked at http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.1/sec2/ Markus -- __________________ /"\ Markus Gaugusch \ / ASCII Ribbon Campaign markus@gaugusch.at X Against HTML Mail / \

Reply

Sign in to reply online Use email software

Olaf Kirch

14:45

New subject: [suse-security] Linux/Slapper.worm

On Mon, Sep 16, 2002 at 04:37:02PM +0200, Markus Gaugusch wrote:

...
...
The security update openssl release 20020812 by SuSE fixes the problem? Thanx

It does.

Olaf Why is mod_ssl.rpm from suse 7.1 dated 29-Jul-2002 13:47 ? Am I at risk???

All security holes discussed in http://www.openssl.org/news/secadv_20020730.txt refer to bugs in the OpenSSL libraries themselves, i.e. libssl and libcrypto. The vulnerability exploited by the worm is not in the mod_ssl module itself, it's in these libraries. Hope this sheds some light on the issue. Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann

Reply

Sign in to reply online Use email software

Thomas Seliger

16:10

New subject: [suse-security] Linux/Slapper.worm

Hi, the worm uses an error in the openssl package. So if you upgraded the openssl package from http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.1/sec1/ope... you should be secure. With all that people panicing around, maybe a seperate security announcement containing the necessary fixes (that are just links to the old updated packages... :P ) would be a good idea? ciao Tom Markus Gaugusch wrote:

On Sep 16, Olaf Kirch wrote:

...
...
Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt. The security update openssl release 20020812 by SuSE fixes the problem? Thanx

It does.

Olaf

Why is mod_ssl.rpm from suse 7.1 dated 29-Jul-2002 13:47 ? Am I at risk???

I looked at http://ftp.gwdg.de/pub/linux/suse/ftp.suse.com/suse/i386/update/7.1/sec2/

Markus

-- this is a maillist account, so please send personal replies to cso[at]trium[dot]de

Reply

Sign in to reply online Use email software

Sven 'Darkman' Michels

16:50

New subject: [suse-security] Linux/Slapper.worm

Thomas Seliger wrote:

With all that people panicing around, maybe a seperate security announcement containing the necessary fixes (that are just links to the old updated packages... :P ) would be a good idea?

Whats about a small database where ppl can search announcement ID's from CERT etc. in the SuSE Security Announcements? So you see a warning somewhere about Bug/Exploit for CERT CA-2342 .. then you go the to suse-security-db and type in the CERT ID, and see the Announcements about that ID. Maybe a nice feature ... ;) So long, Sven

Reply

Sign in to reply online Use email software

Boris Lorenz

18 Sep 18 Sep

10:13

New subject: [suse-security] Linux/Slapper.worm

Hey, FYI (and for all those who aren't subscribed to Bugtraq), here's a link to an excellent analysis of the Modap/Slapper OpenSSL worm (in acrobat reader format): http://analyzer.securityfocus.com/alerts/020916-Analysis-Modap.pdf There seems to be some misunderstanding of this worm. Its sourcecode (read: the current OpenSSL exploit) was leaked out and immediately posted on several security mailing lists such as Bugtraq or Full Disclosure, and the CERT guys (together with others) published an incident report about it, but in the wild, there are at least three versions of a worm-like program exploiting the latest OpenSSL/Apache vulns. The sources are commonly called pud.c (pud = Peer-to-Peer UDP distributed denial of service), apache-worm.c (which is a revised/modified version of pud.c), also various SSLv2 detection programs have been sighted with contents of both sources. However, the source the analysis refers to is pud.c. For those who are interested, I did some sandbox tests with both source versions, and both of them contain some really nasty (but nicely coded) routines. I predict a growth of OpenSSL attacks after the public release of all the sources within a week (if not within days/hours), and given the danger level of these programs, all SSL-aware apps and tools should be updated/recompiled with a known-good version of openssl (0.9.6e+) quickly. Boris ---

Reply

Sign in to reply online Use email software

7901

Age (days ago)

7903

Last active (days ago)

Download

6 comments

6 participants

tags

participants (6)

Boris Lorenz
Markus Gaugusch
Miguel Albuquerque
Olaf Kirch
Sven 'Darkman' Michels
Thomas Seliger