|
|
|
|
| |
| ISS X-Force has learned of the active propagation of a worm that exploits a previously disclosed vulnerability in Secure Sockets Layer 2.0 (SSLv2) handshake process. The worm is a modified derivative of the Apache "Scalper" BSD worm. Current versions of the Slapper worm that are in the wild are targeting Linux servers running Apache with mod_ssl. The worm has distributed denial of service (DDoS) capabilities, as well as backdoor functionality. Netcraft.com reports that over 66% of all active Web servers on the Internet are running Apache. Securityspace.org reports that there are nearly 1.4 million OpenSSL installations on the Internet. |
| |
Credit:
OpenSSL Project:
http://www.openssl.org
ISS X-Force Database:
http://www.iss.net/security_center/static/9714.php
The information has been provided by ISS X-Force.
|
| |
Affected Versions:
OpenSSL versions up to and including 0.9.6d and 0.9.7 beta2
Current versions of the Slapper worm only target the following Linux distributions. The worm may trigger unpredictable results on additional UNIX platforms. Other UNIX platforms, as well as Apache with OpenSSL for Windows may also be vulnerable to the OpenSSL vulnerability.
* Debian Linux 3.0, Apache 1.3.26
* Debian Linux 2.2, Apache 1.3.9
* RedHat Linux 7.0, Apache 1.3.12
* RedHat Linux 7.0 + Apache update from 10/00, Apache 1.3.14
* RedHat Linux (7.1), Apache 1.3.19
* RedHat Linux (7.2), Apache 1.3.20
* RedHat Linux 7.0/7.1/7.2 + either Apache update from 01/02 or 06/02, Apache 1.3.22
* RedHat Linux 7.3, Apache 1.3.23
* SuSE Linux, Apache 1.3.12
* SuSE Linux, Apache 1.3.17
* SuSE Linux, Apache 1.3.19
* SuSE Linux, Apache 1.3.20
* SuSE Linux, Apache 1.3.23
* Mandrake Linux 7.2, Apache 1.3.14
* Mandrake Linux 8.0, Apache 1.3.19
* Mandrake Linux 8.1, Apache 1.3.20
* Mandrake Linux 8.2, Apache 1.3.23
* Slackware Linux 8.1, Apache 1.3.26
* Gentoo Linux (Apache version undetermined)
Impact:
Apache/mod_ssl servers with affected OpenSSL versions are being actively compromised. Once a server is infected, the backdoor can be accessed without any authentication. This may lead to third parties using infected hosts to launch future DDoS attacks. X-Force has received reports that the DDoS capabilities associated with this worm are very powerful, have already been used to attack, and disable high-profile targets. Binary and source code versions of the worm are available and are being actively circulated. Widespread access to the source code of this worm may lead to the development of more powerful variants. Evidence exists of over 12000 infected hosts.
Description:
Mod_ssl is the Apache web server interface to OpenSSL, an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The Slapper worm exploits a buffer overflow in the SSLv2 handshake process using a malformed client master key. The worm actively scans for Apache installations over port 80, attempting to determine the identity of the Linux distribution installed from the "Server:" response-header field.
The worm does not attempt to compromise any servers that do not identify themselves as Apache in the server header response. If the worm identifies an Apache server other than any in a hard-coded list, it will only attempt to launch the exploit for RedHat with Apache 1.3.23. This exploit vector is presumably selected because it corresponds to a default installation of Red Hat version 7.
Once a server is compromised, the worm itself is transmitted to the compromised host in source form. The source code is in compiled and executed. The worm will run under the user id of the Web server process, typically "apache."
The Slapper worm creates a peer-to-peer network of compromised servers and communicates between worm processes on the UDP port 2002. It accepts requests for remote command execution, and has DDoS capabilities including the following:
TCP and TCP/IPv6 flooding:
- Establishes connections to a specified port and then immediately closes the connections.
- Target port is random if specified as 0.
- Length of time to connect flood can be specified.
- No data is sent in the TCP packet payload.
UDP flooding:
- Sends variable length UDP packets with random data to a specified port.
- Target port is random if specified as 0.
- Length of time to send can be specified.
DNS flooding:
- Sends multiple DNS queries for a specified DNS name to a target server.
- Length of time to flood can be specified.
The Slapper worm has the ability to scan a file system for valid email addresses. These addresses are returned to the requesting client over UDP port 10100.
The Slapper worm is known to modify a compromised system in the following manner:
The following files are created on the file system:
/tmp/.bugtraq.c - The source code of the worm.
/tmp/.uubugtraq - The uuencoded version of the source code.
/tmp/.bugtraq - The compiled binary form of the worm.
The binary /tmp/.bugtraq is started and accepts connections on UDP port 2002.
Recommendation:
Any users with installations of OpenSSL up to and including 0.9.6d or 0.9.7beta1 are encouraged to immediately upgrade to the latest version of OpenSSL (currently 0.9.6g).
Administrators should consider one or more of the following temporary workaround solutions to block and/or disable the propagation of the worm:
1) Disabling mod_ssl HTTPS connections completely if unneeded:
Comment the following line in "httpd.conf":
Listen 443
With:
#Listen 443
2) Disable the SSLv2 protocol if unneeded. Locate the SSLCipherSuite directive in httpd.conf.
If it is commented out, uncomment it.
Append ":!SSLv2" to the end of the directive, and remove any portion which may enable SSLv2 such as: ":+SSLv2".
Ensure that other ciphers are correctly configured. For these changes to take effect, the server must be restarted.
3) Administrators should consider disabling all compilers on production or externally facing systems. While this is workaround may not block any future variants, it will block propagation of this worm. Disabling compilers on production systems is a good general security practice.
To disable the worm on an infected host, kill the .bugtraq processes:
killall -9 .bugtraq
Remove the worm files:
rm -f /tmp/.bugtraq /tmp/.uubugtraq /tmp/.bugtraq.c
|
|
|
|
|
|
|
