Red Hat Bugzilla – Bug 76166
openssl still vulnerable to Slapper worm
Last modified: 2007-03-26 23:57:53 EDT
Description of Problem:
openssl is still vulnerable to the Slapper worm.
Version-Release number of selected component (if applicable):
Wait for worm to attempt to infect system.
Steps to Reproduce:
1. Wait for worm to attempt to infect system.
According to Red Hat advisory RHSA-2002:160-21, this vulnerability
is fixed in Red Hat 7.2 with:
I installed these RPMs (except openssl-devel) on my system on
Sept 14 and rebooted. Slapper variant C infected my system on
Sept 22, and has reinfected multiple times since then.
For details on the Slapper worm, see
An example entry in the apache error_log records:
[Sun Sep 29 10:31:36 2002] [error] [client 18.104.22.168] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Sep 29 10:31:46 2002] [error] mod_ssl: SSL handshake failed (server ns2.homenet:443, client 22.214.171.124) (OpenSSL library error follows)
[Sun Sep 29 10:31:46 2002] [error] OpenSSL:
The timestamp of the error_log entry corresponds with a maillog entry
of a successful or failed email to email@example.com (as described
by the ISS.net advisory referenced above).
Apache error_log, sendmail maillog, and worm script (/tmp/.cinik.go)
are available upon request.
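One way to pick the pattern quoted above out of an Apache error_log: a Host-less HTTP/1.1 request from a client followed shortly by a mod_ssl handshake failure from the same client. This is an added example, not code from the report or from Red Hat; the sample lines are constructed (RFC 5737 test addresses, OpenSSL error text omitted) and the 30-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Apache 1.3 error_log entry: "[Sun Sep 29 10:31:36 2002] [error] <message>"
_LINE = re.compile(r'^\[([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\] \[error\] (.*)$')
_CLIENT = re.compile(r'client (\d{1,3}(?:\.\d{1,3}){3})')

def parse(line):
    """Return (timestamp, client_ip_or_None, message), or None if the line is not an error entry."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r' +', ' ', m.group(1)), '%a %b %d %H:%M:%S %Y')
    c = _CLIENT.search(m.group(2))
    return ts, (c.group(1) if c else None), m.group(2)

def find_slapper_probes(lines, window=timedelta(seconds=30)):
    """Flag clients that send a Host-less HTTP/1.1 request and then, within `window`,
    cause a mod_ssl handshake failure with an OpenSSL library error.
    Returns a list of (client_ip, probe_time, handshake_failure_time)."""
    pending = {}   # client_ip -> time of its most recent Host-less request
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, client, msg = rec
        if client is None:
            continue
        if 'request without hostname' in msg:
            pending[client] = ts
        elif 'mod_ssl: SSL handshake failed' in msg and 'OpenSSL library error follows' in msg:
            probe = pending.pop(client, None)
            if probe is not None and timedelta(0) <= ts - probe <= window:
                hits.append((client, probe, ts))
    return hits

# Constructed sample modelled on the entries quoted in the report (not the reporter's real log).
SAMPLE_LOG = [
    "[Sun Sep 29 10:31:36 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
    "[Sun Sep 29 10:31:46 2002] [error] mod_ssl: SSL handshake failed (server ns2.homenet:443, client 192.0.2.10) (OpenSSL library error follows)",
    "[Sun Sep 29 10:31:46 2002] [error] OpenSSL: (library error text omitted in this constructed sample)",
    "[Sun Sep 29 11:02:03 2002] [error] [client 192.0.2.20] File does not exist: /var/www/html/favicon.ico",
    "[Sun Sep 29 11:02:05 2002] [error] mod_ssl: SSL handshake failed (server ns2.homenet:443, client 192.0.2.30) (OpenSSL library error follows)",
]

if __name__ == '__main__':
    for client, probe, fail in find_slapper_probes(SAMPLE_LOG):
        print(f"{client}: Host-less request at {probe}, SSL handshake failure at {fail}")
```

A lone handshake failure (the 192.0.2.30 line) is not flagged; only the request-then-failure pair from one client is, which is what the report's timestamps describe.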
Yes, I did read that. I followed those instructions and installed the indicated
updates on Sept 14. Slapper variant C infected my computer on Sept 22 and
numerous times after, despite having the referenced updates installed. The
reinfections only stopped occurring when I blocked port 443. However, that is
not a solution.
Please see the original description for details.
Are you running a version of Apache that you compiled yourself against your own
OpenSSL libraries rather than the default Apache RPM shipped by Red Hat?
We have confirmed that the variants of the Slapper worm including Cinik do not
affect a system that has had the OpenSSL update applied and has been
restarted. We have had a few cases of people getting hit by the worm after
updating their RPM packages but in every case the user admitted that they did
not restart their system after updating the packages.
I am using the RedHat Apache and OpenSSL RPMs.
I was sure I had rebooted after the update, but
enough time has passed that those logs have been
lost. I have rebooted a number of times since
blocking port 443. I will unblock the port and
I'm going to close this as ERRATA since we can't reproduce this and have
had no other reports of problems with our errata packages. Please reopen if you
have any additional information.