Description of Problem:
openssl is still vulnerable to the Slapper worm.

Version-Release number of selected component (if applicable):
openssl095a-0.9.5a-18
openssl-devel-0.9.6b-28
openssl-perl-0.9.6b-28
openssl096-0.9.6-13
openssl-0.9.6b-28

How Reproducible:
Wait for worm to attempt to infect system.

Steps to Reproduce:
1. Wait for worm to attempt to infect system.
2.
3.

Actual Results:

Expected Results:

Additional Information:
According to Red Hat advisory RHSA-2002:160-21, this vulnerability is fixed in Red Hat 7.2 with:
openssl-0.9.6b-28.i386.rpm
openssl-devel-0.9.6b-28.i386.rpm
openssl-perl-0.9.6b-28.i386.rpm
openssl095a-0.9.5a-18.i386.rpm
openssl096-0.9.6-13.i386.rpm

I installed these RPMs (except openssl-devel) on my system on Sept 14 and rebooted. Slapper variant C infected my system on Sept 22, and has reinfected multiple times since then.

For details on the Slapper worm, see
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21184
http://www.cert.org/advisories/CA-2002-27.html

An example entry in the apache error_log records:
[Sun Sep 29 10:31:36 2002] [error] [client 195.68.12.211] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sun Sep 29 10:31:46 2002] [error] mod_ssl: SSL handshake failed (server ns2.homenet:443, client 195.68.12.211) (OpenSSL library error follows)
[Sun Sep 29 10:31:46 2002] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)

The timestamp of the error_log entry corresponds with a maillog entry of a successful or failed email to cinik_worm (as described by the ISS.net advisory referenced above).

Apache error_log, sendmail maillog, and worm script (/tmp/.cinik.go) are available upon request.
See http://www.redhat.com/support/alerts/linux_slapper_worm.html
Yes, I did read that. I followed those instructions and installed the indicated updates on Sept 14. Slapper variant C infected my computer on Sept 22 and numerous times after, despite having the referenced updates installed. The reinfections only stopped occurring when I blocked port 443. However, that is not a solution. Please see the original description for details.
Are you running a version of Apache that you compiled yourself against your own OpenSSL libraries rather than the default Apache RPM shipped by Red Hat? We have confirmed that the variants of the Slapper worm including Cinik do not affect a system that has had the OpenSSL update applied and the system has been restarted. We have had a few cases of people getting hit by the worm after updating their RPM packages but in every case the user admitted that they did not restart their system after updating the packages.
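The restart condition raised in the comment above can be checked directly on a Linux host: a process that loaded OpenSSL before the package update keeps the replaced library file mapped, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The following is an added example, not part of the original bug report or any Red Hat tooling; the function names, the sample maps text and the library paths in it are constructed for illustration.

```python
import glob
import os
import re

# A mapped OpenSSL shared object whose on-disk file has been replaced/unlinked.
STALE = re.compile(r"(\S*/lib(?:ssl|crypto)[^/\s]*\.so[^/\s]*) \(deleted\)$")


def stale_openssl_maps(maps_text):
    """Return sorted unique OpenSSL library paths that are mapped from deleted files."""
    found = set()
    for line in maps_text.splitlines():
        match = STALE.search(line.rstrip())
        if match:
            found.add(match.group(1))
    return sorted(found)


def scan_proc(proc_root="/proc"):
    """Map pid -> stale OpenSSL libraries for every readable process."""
    results = {}
    for path in glob.glob(os.path.join(proc_root, "[0-9]*", "maps")):
        pid = int(os.path.basename(os.path.dirname(path)))
        try:
            with open(path) as fh:
                libs = stale_openssl_maps(fh.read())
        except OSError:
            continue  # process exited, or not readable without root
        if libs:
            results[pid] = libs
    return results


# Constructed sample of /proc/<pid>/maps for an httpd started before the update.
SAMPLE_MAPS = """\
08048000-0807d000 r-xp 00000000 03:02 131210     /usr/sbin/httpd
40023000-40051000 r-xp 00000000 03:02 98311      /usr/lib/libssl.so.0.9.6b (deleted)
40051000-40054000 rw-p 0002d000 03:02 98311      /usr/lib/libssl.so.0.9.6b (deleted)
40054000-4011a000 r-xp 00000000 03:02 98310      /usr/lib/libcrypto.so.0.9.6b (deleted)
4011a000-40242000 r-xp 00000000 03:02 65540      /lib/libc-2.2.4.so
"""

if __name__ == "__main__":
    # Run as root so every process's maps file is readable.
    for pid, libs in sorted(scan_proc().items()):
        print(pid, ", ".join(libs))
```

Any pid this prints is still executing the pre-update library code and needs a service restart or reboot before the update takes effect for it.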
I am using the RedHat Apache and OpenSSL RPMs. I was sure I had rebooted after the update, but enough time has passed that those logs have been lost. I have rebooted a number of times since blocking port 443. I will unblock the port and monitor it.
I'm going to close this as ERRATA since we can't reproduce this and have had no other reports of problems with our errata packages. Please reopen if you have any additional information.