RE: [suse-security] Linux/Slapper.worm
The answer is a simple YES. By the way, there is no guessing about it. The note in advisory CA-2002-27 includes the statement: The Apache/mod_ssl worm is self-propagating malicious code that exploits the OpenSSL vulnerability described in VU#102795. This vulnerability was among the topics discussed in CA-2002-23 Multiple Vulnerabilities In OpenSSL. The SuSE announcement for SSL says it fixes the bug in CA-2002-23. Therefore, these are the correct patches and THERE IS NO GUESSING about it. Sorry, but these emails were really dragging on for no good reason; the announcements just needed to be read properly. Jim
Miguel Albuquerque wrote:
Slapper is using an OpenSSL mod_ssl exploit reported and patched at http://www.openssl.org/news/secadv_20020730.txt.
The security update openssl release 20020812 by SuSE fixes the problem? Thanx
Olaf replied:
It does.
Olaf
I want to be absolutely sure I know what I'm doing here.
The only recent ssl-related advisories I see in the SuSE archive are these:
July 30: http://lists2.suse.com/archive/suse-security-announce/2002-Jul/0003.html
July 31: http://lists2.suse.com/archive/suse-security-announce/2002-Jul/0004.html
The July 30 advisory provides links to openssl rpms that appear, based on the names, to range from 0.9.5a to 0.9.6e, depending on which level of SuSE you are on. The CERT advisory says you need 0.9.6e or newer. Now I know SuSE often patches old versions to simplify dependency implications. But I don't want to make a bad assumption here. So I am looking for definitive information:
The CERT advisory for slapper:
http://www.cert.org/advisories/CA-2002-27.html
says that slapper exploits vulnerability VU#102795:
http://www.kb.cert.org/vuls/id/102795
which labels this vulnerability as CERT Advisory CA-2002-23, and CVE Name CAN-2002-0656. This matches one of the cross-referenced vulnerabilities on the SuSE July 30 advisory:
http://lists2.suse.com/archive/suse-security-announce/2002-Jul/0003.html
Based on this, my guess (I hate having to guess about this!) is that all of the rpms linked in the July 30 advisory have been patched by SuSE and contain the fix needed to overcome the vulnerability (VU#102795) exploited by slapper, despite the confusing names of those openssl versions. Therefore, applying the listed rpm designated for my version of SuSE will protect me from the slapper worm. Is this correct?
Many thanks for your excellent work in fixing these things.
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Hello all, I am very confused...! Do I need only a new rpm version of mod_ssl.rpm from SuSE? Do I need only a new rpm version of apache? For which version of SuSE (7.3 and/or 8.0) is a new package available? I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I still have a vulnerable version of mod_ssl! Isn't SuSE Support interested in this OpenSSL vulnerability? I can't find any information about this vulnerability on the SuSE support site. How many servers must be infected before SuSE brings out new updates to eliminate this big exploit? I have some webservers installed on the Internet and I don't know what I must do about this problem! I have SuSE 7.3 and 8.0 (native, with Apache and SSL)... what must I do now, SuSE (step by step)????? The support is absolutely bad because of misinformation and other things.
The answer is a simple YES.
By the way, there is no guessing about it. The note in advisory CA-2002-27 includes the statement: The Apache/mod_ssl worm is self-propagating malicious code that exploits the OpenSSL vulnerability described in VU#102795. This vulnerability was among the topics discussed in CA-2002-23 Multiple Vulnerabilities In OpenSSL.
The SuSE announcement for SSL says it fixes the bug in CA-2002-23.
------------------------- Kind regards, Joachim Hummel
Joachim Hummel wrote:
I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I still have a vulnerable version of mod_ssl!
Who says this? The flaw is in the package openssl. What mod_ssl vulnerability are you talking about?
Isn't SuSE Support interested in this OpenSSL vulnerability?
They care and they have already packaged updates.
I can't find any information about this vulnerability on the SuSE support site.
http://www.suse.de/de/business/security.html
I have SuSE 7.3 and 8.0 (native, with Apache and SSL)... what must I do now, SuSE (step by step)?????
Yast2 -> Software -> Online Update Automatic Update -> Next
The support is absolutely bad because of misinformation and other things.
What support? This mailinglist? Have you even considered http://www.suse.de/de/business/services/support/ ? Peter
Peter Wiersig said:
Joachim Hummel wrote:
I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I still have a vulnerable version of mod_ssl!
Who says this? The flaw is in the package openssl. What mod_ssl vulnerability are you talking about?
Copy from SecurityFocus.com: The OpenSSL server vulnerability exploit exists on a wide variety of platforms, but Slapper appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.
Mod_SSL or OpenSSL? I don't understand this?? OpenSSL is a standalone application!
SSL with Apache works only with file /usr/lib/apache/libssl.so
SSL with Apache works only with file /usr/lib/apache/libcrypto.so
Apache doesn't work with /usr/sbin/openssl
libssl.so is included in the mod_ssl.rpm package!
I can't find any ssl version 0.9.6.e or 0.9.6.g, which is recommended by securityfocus.com. I compiled a new OpenSSL; after a restart Apache again works with the old vulnerable version of openssl.
Isn't SuSE Support interested in this OpenSSL vulnerability?
They care and they have already packaged updates.
NO..!! This is an older version than the recommended version 0.9.6.e
I can't find any information about this vulnerability on the SuSE support site.
This says nothing!
I have SuSE 7.3 and 8.0 (native, with Apache and SSL)... what must I do now, SuSE (step by step)?????
Yast2 -> Software -> Online Update Automatic Update -> Next
I did this.... Installed vulnerable version 0.9.6.c. This helps very well!!! Copy from SecurityFocus.com! The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade to the latest version; as of this writing the latest version of OpenSSL is 0.9.6g. -- Kind regards, Joachim Hummel
On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
Copy from SecurityFocus.com: The OpenSSL server vulnerability exploit exists on a wide variety of platforms, but Slapper appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.
It's easy, if you look at how things work:
- apache uses mod_ssl
- mod_ssl uses OpenSSL
- OpenSSL has a buffer overflow
So yes, everyone is talking about the "Apache/mod_ssl" worm because that's how it propagates. But the vulnerability is at a layer below that; any other service using OpenSSL's SSL implementation could probably be used to propagate the worm as well (anybody out there running webmin?)
So: You upgrade OpenSSL, the buffer overflow is gone, everyone is happy.
Olaf
-- Olaf Kirch, okir@suse.de | Anyone who has had to work with X.509 has probably experienced what can best be described as ISO water torture. -- Peter Gutmann
On Wednesday 18 September 2002 08:15, Olaf Kirch wrote:
On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
Copy from SecurityFocus.com: The OpenSSL server vulnerability exploit exists on a wide variety of platforms, but Slapper appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architectures.
It's easy, if you look at how things work:
- apache uses mod_ssl
- mod_ssl uses OpenSSL
- OpenSSL has a buffer overflow
So yes, everyone is talking about the "Apache/mod_ssl" worm because that's how it propagates. But the vulnerability is at a layer below that; any other service using OpenSSL's SSL implementation could probably be used to propagate the worm as well (anybody out there running webmin?)
So: You upgrade OpenSSL, the buffer overflow is gone, everyone is happy.
Or disable mod_ssl if you don't need it ;)
Olaf
On Sep 18, Joachim Hummel
Mod_SSL or OpenSSL? I don't understand this?? OpenSSL is a standalone application!
SSL with Apache works only with file /usr/lib/apache/libssl.so
SSL with Apache works only with file /usr/lib/apache/libcrypto.so
I can't find any ssl version 0.9.6.e or 0.9.6.g, which is recommended by securityfocus.com
SuSE provides fixed updates of the version that has been delivered with the release of the product, to keep other packages that are binary dependent intact.
markus@dynast:/usr/lib/apache > ldd libssl.so
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x00142000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x00170000)
        libc.so.6 => /lib/libc.so.6 (0x00231000)
        libdl.so.2 => /lib/libdl.so.2 (0x00344000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
markus@dynast:/usr/lib/apache > rpm -qf /usr/lib/libssl.so.0.9.6
openssl-0.9.6a-67
As you see, libssl from mod_ssl links to libssl from openssl.
They care and they have already packaged updates.
NO..!! This is an older version than the recommended version 0.9.6.e
Stop moaning. See http://www.suse.de/de/security/2002_027_openssl.html for more information. SuSE 8.0 gets updates with 0.9.6c, 7.3 with 0.9.6b
Markus -- Markus Gaugusch, markus@gaugusch.at | ASCII Ribbon Campaign Against HTML Mail
Hi! On Wed, Sep 18, 2002 at 02:54:12PM +0200, Joachim Hummel wrote:
I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I still have a vulnerable version of mod_ssl!
Aha? How do you know?
Mod_SSL or OpenSSL? I don't understand this?? OpenSSL is a standalone application!
It is also used, as library, by other applications.
SSL with Apache works only with file /usr/lib/apache/libssl.so
Right.
SSL with Apache works only with file /usr/lib/apache/libcrypto.so
There is no such file, you likely mean /usr/lib/libcrypto.so. It is one of the openssl libraries used by other applications by dynamically loading it.
Apache doesn't work with /usr/sbin/openssl
/usr/sbin/openssl is in principle just another application using the openssl lib.
libssl.so is included in the mod_ssl.rpm package!
Yes, it is the apache module (also a library, that is dynamically loaded at runtime as a shared object). However, this lib again loads another library at runtime -- the openssl lib. Run
        ldd /usr/lib/apache/libssl.so
to verify! It will report something like this:
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x40046000)
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40076000)
        libc.so.6 => /lib/libc.so.6 (0x4014d000)
        libdl.so.2 => /lib/libdl.so.2 (0x4026d000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x80000000)
showing that the openssl libs are linked dynamically. As a consequence, when your openssl package is not vulnerable, your mod_ssl isn't either.
I can't find any ssl version 0.9.6.e or 0.9.6.g, which is recommended by securityfocus.com
Yes, there is no reason and no need to do risky updates from an (up to) two year old openssl version to the newest one, which could break half of your system. Times change, compilers and other tools as well as their usage change... Look at the openssl changelog alone, and see how much has changed there since then! Really, all you want is a fix for that given security vulnerability, i.e. an appropriate source code patch. Guess what, we add such patches to our packages :) yes, and that's why we send out those fancy announcements... Now how do you know that we REALLY fixed an issue (provided that you do not trust us at all)? I'll post a short "HowTo" to this list (in a separate mail so it is easier to find in the archives).
Copy of SecurityFocus.com ! The vulnerability exploited by the Slapper (Apache/mod_ssl) worm was fixed beginning with OpenSSL version 0.9.6e. Administrators may want to upgrade to the latest version as of this writing the latest version of OpenSSL is 0.9.6g.
One more word on announcements like this. Of course most software vendors recommend updating to their latest version, simply because most vendors/teams/developers can't or don't want to go through the effort of providing patches for older versions (because this can be a lot of work) and doing the necessary testing (more work). Thus, often it is us who make the missing patches and provide them to the community. Also, in close collaboration with software vendors/teams, we often have the opportunity to fix our packages _before_ a vulnerability becomes publicly known, which can mean _before_ a given fixed version of that software is released at all. For example, openssl 0.9.6g was not born when we fixed our packages! I hope we could clear up the confusion. Peter -- Thought is limitation. Free your mind.
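To make the dependency argument in Olaf's and Peter's replies above checkable on a box, here is a small shell script. It is an added example, not code from the thread or from SuSE. It parses ldd output for the mod_ssl module and names the openssl package that owns the libraries it resolves to, and it adds the check a practitioner wants right after an openssl update: whether a still-running httpd maps the replaced, now-deleted library. The module path /usr/lib/apache/libssl.so, the use of rpm -qf, and the Linux /proc/<pid>/maps format are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSE: trace which OpenSSL
# shared objects an Apache mod_ssl module really loads, and check whether a
# running process still maps a replaced (deleted) copy of them.
# Assumptions: module path /usr/lib/apache/libssl.so as in the thread;
# rpm -qf is used only if rpm is installed; /proc/<pid>/maps is Linux-specific.

# Parse ldd output on stdin and print "soname path" for the OpenSSL libraries
# (libssl.so.*, libcrypto.so.*). Other dependencies are ignored.
openssl_deps_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Run ldd on a shared object and print its resolved OpenSSL dependencies.
openssl_deps_of() {
    ldd "$1" 2>/dev/null | openssl_deps_from_ldd
}

# For each "soname path" line on stdin, append the package owning the file
# (rpm -qf), so the version to check is the openssl package, not mod_ssl's.
owning_packages() {
    while read -r soname path; do
        if command -v rpm >/dev/null 2>&1; then
            pkg=$(rpm -qf "$path" 2>/dev/null || echo "not owned by any package")
            printf '%s -> %s [%s]\n' "$soname" "$path" "$pkg"
        else
            printf '%s -> %s\n' "$soname" "$path"
        fi
    done
}

# Parse /proc/<pid>/maps on stdin and print OpenSSL libraries the kernel marks
# "(deleted)": the file on disk was replaced by an update, but the process
# still executes the old code until it is restarted.
stale_openssl_from_maps() {
    awk '$6 ~ /lib(ssl|crypto)\.so/ && $NF == "(deleted)" { print $6 }' | sort -u
}

# Check one process id for stale OpenSSL mappings.
stale_openssl_in_process() {
    stale_openssl_from_maps < "/proc/$1/maps"
}

# Usage: sh modssl_deps.sh /usr/lib/apache/libssl.so [pid ...]
# e.g.   sh modssl_deps.sh /usr/lib/apache/libssl.so $(pidof httpd)
if [ "$#" -gt 0 ]; then
    module=$1; shift
    [ -r "$module" ] || { echo "cannot read $module" >&2; exit 1; }
    echo "OpenSSL libraries loaded by $module:"
    openssl_deps_of "$module" | owning_packages
    for pid in "$@"; do
        stale=$(stale_openssl_in_process "$pid")
        if [ -n "$stale" ]; then
            echo "pid $pid still maps replaced libraries, restart it:"
            echo "$stale"
        else
            echo "pid $pid: no stale OpenSSL mappings"
        fi
    done
fi
```

A library reported as "(deleted)" means the update is on disk but the server is still running the old code; after installing the openssl rpm, restart apache and run the check again. This is also why the version string of the mod_ssl package says nothing about the fix: the SSL code lives in /usr/lib/libssl.so.0.9.6, which belongs to the openssl package.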
Sometimes on this list folks express doubts whether a package contains a certain fix or not. Even if the security announcements say the packages are not vulnerable, they want to know for sure. Looking at the version number of the package is most likely not enough to be sure... but how then? How to look "into" the packages? I thought I'd write up a short howto and post it here.
How to find out what HAS been changed:
1) get the original source RPM as distributed on the CDs ("zq" or "src" directory)
2) get the "fixed" package (see the security announcement, it contains the link to where to find it.)
3) compare the changelogs of the packages:
        rpm -qp --changelog /path/to/old.rpm > /tmp/old.changes
        rpm -qp --changelog /path/to/new.rpm > /tmp/new.changes
        diff -u /tmp/old.changes /tmp/new.changes | grep "^+"
4) compare the file lists (just for an overview):
        /usr/lib/rpm/rpmdiff /path/to/old.rpm /path/to/new.rpm
   This step would very likely show you that a patch file has been added.
5) to look further, unpack the source RPMs:
        mkdir old; ( cd old; rpm2cpio /path/to/old.rpm | cpio -i --make-directories )
        mkdir new; ( cd new; rpm2cpio /path/to/new.rpm | cpio -i --make-directories )
6) compare the two directories:
        diff -uNr old new | less
   or
        diff -uNr old new | view - -c "syntax on"
   if you like it colorful. Or, pipe it into diffstat, or print it out via pdiff :-)
How to find out what SHOULD have been changed:
7) get the most recent sources (i.e. the fixed version) of, for example, openssl.
8) get the second most recent sources (the vulnerable version).
9) untar both of them.
10) read and compare the ChangeLog or CHANGES files (or a similar file).
11) run a recursive diff over the two source directories to review the changes.
Taking this even further, to really verify that the vulnerability is gone, you need a testcase (an exploit). Anyway, your picture about the packages should be complete by then, and all your doubts hopefully gone.
For remaining questions you could contact this list (suse-security@suse.com). In case of serious concerns you should contact the SuSE Security Team directly, writing to security@suse.de. Hope this helps, Peter -- Thought is limitation. Free your mind.
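The steps in the howto above, scripted, as an added example that is not part of Peter's post and not SuSE tooling. Given the old and new source packages it prints the changelog lines the update gained, the files it added (normally the patch), the files it changed (normally the spec file, which must reference the patch or the patch is never applied at build time), and which added files mention an identifier such as CAN-2002-0656. The file names in the usage line and the identifier are placeholders; rpm, rpm2cpio and cpio are used only when the arguments are .rpm files, and the comparison functions work on any two directories.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSE: the package-comparison
# howto scripted. Works on two unpacked source trees, or on two source RPMs
# when rpm/rpm2cpio/cpio are installed.
# Assumptions: POSIX find/sort/comm/diff/awk; paths without spaces.

# Unpack a source RPM into a directory (step 5 of the howto).
unpack_rpm() {
    mkdir -p "$2"
    ( cd "$2" && rpm2cpio "$1" | cpio -i --make-directories --quiet )
}

# Changelog lines the new package has that the old one lacks (step 3).
changelog_additions() {
    old_log=$(mktemp); new_log=$(mktemp)
    rpm -qp --changelog "$1" > "$old_log"
    rpm -qp --changelog "$2" > "$new_log"
    diff -u "$old_log" "$new_log" | grep '^+[^+]' || :
    rm -f "$old_log" "$new_log"
}

# Files present in the new tree but not in the old one: in a security update
# this is typically the patch file that carries the fix.
added_files() {
    old_list=$(mktemp); new_list=$(mktemp)
    ( cd "$1" && find . -type f | sort ) > "$old_list"
    ( cd "$2" && find . -type f | sort ) > "$new_list"
    comm -13 "$old_list" "$new_list" | sed 's|^\./||'
    rm -f "$old_list" "$new_list"
}

# Files present in both trees whose contents differ (usually the spec file,
# which has to declare and apply the new patch).
changed_files() {
    old=${1%/}
    diff -rq "$old" "${2%/}" | awk -v prefix="$old/" \
        '$1 == "Files" && $NF == "differ" { print substr($2, length(prefix) + 1) }'
}

# Added files that mention the identifier you are looking for (a CAN/CVE
# name, an advisory number, or the name of the patched function).
added_files_mentioning() {
    added_files "$1" "$2" | while read -r f; do
        grep -qi -- "$3" "$2/$f" && echo "$f" || :
    done
}

# Usage: sh rpmfixcheck.sh old.src.rpm new.src.rpm [identifier]
#    or: sh rpmfixcheck.sh old-dir new-dir [identifier]
if [ "$#" -ge 2 ]; then
    old=$1; new=$2; ident=${3:-}
    case "$old" in
        *.rpm)
            work=$(mktemp -d)
            echo "== changelog entries added in $new"
            changelog_additions "$old" "$new"
            unpack_rpm "$old" "$work/old"
            unpack_rpm "$new" "$work/new"
            old=$work/old; new=$work/new ;;
    esac
    echo "== files added:";   added_files "$old" "$new"
    echo "== files changed:"; changed_files "$old" "$new"
    if [ -n "$ident" ]; then
        echo "== added files mentioning $ident:"
        added_files_mentioning "$old" "$new" "$ident"
    fi
fi
```

An added patch that mentions the identifier, plus a changed spec file that references it, is what a properly built security update looks like; the script lists both, and step 6 of the howto (diff -uNr old new) is still the way to read what the patch actually does.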
On Wednesday 18 September 2002 10:58, Peter Poeml wrote:
Sometimes on this list folks express doubts whether a package contains a certain fix or not. Even if the security announcements say the packages are not vulnerable, they want to know for sure. Looking at the version number of the package is most likely not enough to be sure... but how then? How to look "into" the packages?
I thought I'd write up a short howto and post it here.
I just wanted to post on-list a big thanks to you and the rest of the security team for showing the paranoid folks of the world how to not trust you. :) Honestly, that's a good thing, because people can verify for themselves that something was done to fix the problem, and the really paranoid can look for the fix themselves. I sure know that you can get no FAQ or similar from any closed source company, where you're forced to trust them, and you're usually handed a new rev with other changes along with the security fix. For the really security paranoid folks, there are methods of ensuring that the fix was applied, and possibly more importantly, ONLY that fix was applied. Of course, for the slightly less paranoid, we just -Uvh the binary and keep on going. However, it gives me a lot of peace of mind that I have ultimate control over the security and safety of my system: if I don't trust you, I can verify that you've done your job. Not that I'd ever have to, mind you. A big thanks to the SuSE security team! Donavan Pantke
Yup, Peter Poeml wrote: [...]
I can't find any ssl version 0.9.6.e or 0.9.6.g, which is recommended by securityfocus.com
Yes, there is no reason and no need to do risky updates from an (up to) two year old openssl version to the newest one, which could break half of your system. Times change, compilers and other tools as well as their usage change... Look at the openssl changelog alone, and see how much has changed there since then! Really, all you want is a fix for that given security vulnerability, i.e. an appropriate source code patch. Guess what, we add such patches to our packages :) yes, and that's why we send out those fancy announcements...
[...] For the record, I have manually updated about three dozen *nix boxes' openssl/Apache now, and it's definitely no problem to switch from an older openssl to 0.9.6e or g. The only critical thing is to choose the correct SSL patch ("FixPatch") for the corresponding Apache and openssl versions. Needless to say that I ran numerous tests to ensure that the new versions work as expected. Of course it's definitely more convenient/safe to do these updates via RPM/YOU, I don't want to encourage anyone to wreck their systems.
Peter
Boris ---
[...]
For the record, I have manually updated about three dozen *nix boxes' openssl/Apache now, and it's definitely no problem to switch from an older openssl to 0.9.6e or g. The only critical thing is to choose the correct SSL patch ("FixPatch") for the corresponding Apache and openssl versions.
Needless to say that I ran numerous tests to ensure that the new versions work as expected.
We ran these tests on our customers' systems a long while ago when we tried this one time. We have learned that it causes severe pain and we will not do this again. Trust me. According to the book, it should work, but it doesn't. There are a few hundred packages that depend on openssl. You will have to test them all anew, or recompile. All of them.
Of course it's definitely more convenient/safe to do these updates via RPM/YOU, I don't want to encourage anyone to wreck their systems.
Please don't. :-|
Peter
Boris
Roman.
Yohei, Roman Drahtmueller wrote: [...]
Trust me. According to the book, it should work, but it doesn't. There are a few hundred packages that depend on openssl. You will have to test them all anew, or recompile. All of them.
I trust you. All others have to pay cash. I know I shouldn't make suggestions about installing software from source packages on this list. *slaps own hands* ;-) Boris ---
On Wednesday 18 September 2002 05:54, Joachim Hummel wrote:
Mod_SSL or OpenSSL? I don't understand this?? OpenSSL is a standalone application!
http://httpd.apache.org/docs-2.0/ssl/
The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides Strong Encryption using the Secure Sockets Layer and Transport Layer Security protocols.
/Thomas -- thomas@northernsecurity.net | www.northernsecurity.net thomas@se.linux.org | www.se.linux.org
On Wed, Sep 18, 2002 at 03:11:48PM -0700, Thomas Sjögren wrote:
On Wednesday 18 September 2002 05:54, Joachim Hummel wrote:
Mod_SSL or OpenSSL? I don't understand this?? OpenSSL is a standalone application!
http://httpd.apache.org/docs-2.0/ssl/
The Apache HTTP Server module mod_ssl provides an interface to the OpenSSL library, which provides Strong Encryption using the Secure Sockets Layer and Transport Layer Security protocols.
/Thomas -- thomas@northernsecurity.net | www.northernsecurity.net thomas@se.linux.org | www.se.linux.org
I wish that SuSE would provide a configuration option that would bind the Apache of local help servers to localhost and/or the local Internet connection. That way those of us who use Apache would not have to run a complicated firewall or configure the Apache files ourselves to be safe from this kind of thing, when all we want is a little local help. -- Paul Elliott 1(512)837-1096 pelliott@io.com PMB 181, 11900 Metric Blvd Suite J http://www.io.com/~pelliott/pme/ Austin TX 78758-3117
On Wed, Sep 18, 2002 at 09:34:27AM -0500, Paul Elliott wrote:
I wish that SuSE would provide a configuration option that would bind the Apache of local help servers to localhost and/or the local Internet connection. That way those of us who use Apache would not have to run a complicated firewall or configure the Apache files ourselves to be safe from this kind of thing, when all we want is a little local help.
But we do that -- if you configure the DOC_SERVER it will run on localhost only, unless you change the ACL. By the way, if you want to be vulnerable to the discussed issue, you must have configured an SSL server on your own ;) Peter -- Thought is limitation. Free your mind.
Joachim Hummel wrote:
Hello all
I am very confused...! Do I need only a new rpm version of mod_ssl.rpm from SuSE? Do I need only a new rpm version of apache? For which version of SuSE (7.3 and/or 8.0) is a new package available? I can find only mod_ssl from 30 July 2002 for SuSE 8.0, e.g., and after installing I still have a vulnerable version of mod_ssl! Isn't SuSE Support interested in this OpenSSL vulnerability? I can't find any information about this vulnerability on the SuSE support site.
How many servers must be infected before SuSE brings out new updates to eliminate this big exploit?
I have some webservers installed on the Internet and I don't know what I must do about this problem!
I have SuSE 7.3 and 8.0 (native, with Apache and SSL)... what must I do now, SuSE (step by step)?????
The support is absolutely bad because of misinformation and other things.
Now, it sounds like panic... Take a look at http://www.suse.com/us/private/download/updates/index.html and you'll find what you're looking for (in English). Check the Security Announcements. Might be useful if you know what you are doing: unless you run a web server by inspiration, I'd say you should know what you are doing. The support is great. You just have to know how to use it. ;-) -- SECNeT, We Run SuSE, *The LINUX Experts* | Miguel Albuquerque, Project Manager | Av. Miremont 46, 1202 - GE, SWITZERLAND | Tel: +41 (22) 782 5344 Fax: +41 (22) 782 5348 | mailto:mfoacs@e-workshop.ch http://mfoacs.e-workshop.ch
participants (13)
- bliss@attbi.com
- Boris Lorenz
- Donavan Pantke
- Joachim Hummel
- Marcel Erkens
- Markus Gaugusch
- Miguel Albuquerque
- Olaf Kirch
- Paul Elliott
- Peter Poeml
- Peter Wiersig
- Roman Drahtmueller
- Thomas Sjögren