Bug 76166 - openssl still vulnerable to Slapper worm
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 7.2
Hardware: i386 Linux
Priority: high
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: Security
Reported: 2002-10-17 15:09 EDT by Edward Burr
Modified: 2007-03-26 23:57 EDT
Doc Type: Bug Fix
Last Closed: 2003-01-17 09:33:54 EST

Description Edward Burr 2002-10-17 15:09:40 EDT
Description of Problem:
openssl is still vulnerable to the Slapper worm.

Version-Release number of selected component (if applicable):
openssl095a-0.9.5a-18
openssl-devel-0.9.6b-28
openssl-perl-0.9.6b-28
openssl096-0.9.6-13
openssl-0.9.6b-28

How Reproducible:
Wait for worm to attempt to infect system.

Steps to Reproduce:
1. Wait for worm to attempt to infect system.

Actual Results:


Expected Results:


Additional Information:

According to Red Hat advisory RHSA-2002:160-21, this vulnerability 
is fixed in Red Hat 7.2 with:
   openssl-0.9.6b-28.i386.rpm
   openssl-devel-0.9.6b-28.i386.rpm
   openssl-perl-0.9.6b-28.i386.rpm
   openssl095a-0.9.5a-18.i386.rpm
   openssl096-0.9.6-13.i386.rpm
I installed these RPMs (except openssl-devel) on my system on 
Sept 14 and rebooted. Slapper variant C infected my system on 
Sept 22, and has reinfected multiple times since then.

For details on the Slapper worm, see
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184
http://www.cert.org/advisories/CA-2002-27.html

An example entry in the apache error_log records:
[Sun Sep 29 10:31:36 2002] [error] [client 195.68.12.211] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Sep 29 10:31:46 2002] [error] mod_ssl: SSL handshake failed (server ns2.homenet:443, client 195.68.12.211) (OpenSSL library error follows)
[Sun Sep 29 10:31:46 2002] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)

The timestamp of the error_log entry corresponds with a maillog entry
of a successful or failed email to cinik_worm@yahoo.com (as described
by the ISS.net advisory referenced above).

Apache error_log, sendmail maillog, and worm script (/tmp/.cinik.go)
are available upon request.
Comment 1 Mark J. Cox (Product Security) 2002-10-23 11:39:09 EDT
See http://www.redhat.com/support/alerts/linux_slapper_worm.html
Comment 2 Edward Burr 2002-10-23 21:28:11 EDT
Yes, I did read that. I followed those instructions and installed the indicated
updates on Sept 14. Slapper variant C infected my computer on Sept 22 and
numerous times after, despite having the referenced updates installed. The
reinfections only stopped occurring when I blocked port 443. However, that is
not a solution.
Please see the original description for details.
Comment 3 Mark J. Cox (Product Security) 2002-12-03 07:30:10 EST
Are you running a version of Apache that you compiled yourself against your own
OpenSSL libraries rather than the default Apache RPM shipped by Red Hat?

We have confirmed that the variants of the Slapper worm including Cinik do not
affect a system that has had the OpenSSL update applied and the system has been
restarted.  We have had a few cases of people getting hit by the worm after
updating their RPM packages but in every case the user admitted that they did
not restart their system after updating the packages.
Comment 4 Edward Burr 2002-12-03 09:23:12 EST
I am using the Red Hat Apache and OpenSSL RPMs.
I was sure I had rebooted after the update, but
enough time has passed that those logs have been
lost. I have rebooted a number of times since 
blocking port 443. I will unblock the port and
monitor it.
Comment 5 Mark J. Cox (Product Security) 2003-01-17 09:33:54 EST
I'm going to close this as ERRATA since we can't reproduce this and have
had no other reports of problems with our errata packages.  Please reopen if you
have any additional information.
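
Comment 3 attributes infections after the update to services that were never restarted: a running httpd keeps the old OpenSSL library mapped until it exits. The check below is an added example, not part of the original bug thread or of Red Hat's tooling; it assumes a Linux /proc where replaced files are shown with a "(deleted)" suffix in /proc/<pid>/maps, and the sample maps text and library paths are constructed.

```python
import glob
import os
import re

# The kernel appends " (deleted)" to a mapped file's path once that file
# was unlinked or replaced on disk (which is what a package update does).
DELETED = " (deleted)"
LIB_RE = re.compile(r"/lib(?:ssl|crypto)[^/\s]*\.so[^/\s]*$")

def stale_libs(maps_text):
    """Return sorted paths of OpenSSL libraries that are mapped but deleted."""
    found = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping, no pathname
        path = parts[5].rstrip()
        if path.endswith(DELETED) and LIB_RE.search(path[:-len(DELETED)]):
            found.add(path[:-len(DELETED)])
    return sorted(found)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every readable process."""
    results = {}
    for maps_path in glob.glob(os.path.join(proc_root, "[0-9]*", "maps")):
        try:
            with open(maps_path) as fh:
                libs = stale_libs(fh.read())
        except OSError:
            continue  # process exited or permission denied
        if libs:
            results[int(os.path.basename(os.path.dirname(maps_path)))] = libs
    return results

# Constructed sample: an httpd started before the update (not from the page).
SAMPLE_MAPS = """\
08048000-0808e000 r-xp 00000000 03:02 81234 /usr/sbin/httpd
40017000-40042000 r-xp 00000000 03:02 48211 /lib/libssl.so.0.9.6b (deleted)
40042000-40045000 rw-p 0002a000 03:02 48211 /lib/libssl.so.0.9.6b (deleted)
40045000-40110000 r-xp 00000000 03:02 48212 /lib/libcrypto.so.0.9.6b (deleted)
40200000-40310000 r-xp 00000000 03:02 50001 /lib/libc-2.2.4.so
40400000-40410000 rw-p 00000000 00:00 0
"""

if __name__ == "__main__":
    print("sample:", stale_libs(SAMPLE_MAPS))
    for pid, libs in sorted(scan_proc().items()):
        print(f"pid {pid}: restart needed, still maps {', '.join(libs)}")
```

Run it as root so every process's maps file is readable; any PID it lists is still executing the pre-update library and needs a restart (or a reboot) before the fix applies to it.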
