SuSe: Slapper Worm Advisory
Summary
______________________________________________________________________________
SuSE Security Announcement
Package: openssl/Slapper worm
Announcement-ID: SuSE-SA:2002:033
Date: Thu Sep 19 2002
Affected products: 7.0, 7.1, 7.2, 7.3, 8.0
SuSE Linux Database Server,
SuSE eMail Server III,
SuSE eMail Server 3.1,
SuSE Linux Enterprise Server,
SuSE Linux Firewall on CD,
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Vulnerability Type: buffer overflow
Severity (1-10): 9
SuSE default package: yes
Cross References: CVE CAN-2002-0655, CAN-2002-0656,
CAN-2002-0659, SuSE-SA:2002:027
Content of this advisory:
1) vulnerabilities in openssl libraries; Slapper worm
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
This advisory is issued in an attempt to clarify any issues
surrounding the recently discovered Apache/mod_ssl worm.
On July 30, we released a security advisory concerning vulnerabilities
in OpenSSL, including a buffer overflow in the SSL code. This
vulnerability (CVE CAN-2002-0656, also discussed in a CERT Advisory) is
currently being exploited by a worm called Slapper, propagating through
Apache's mod_ssl module.
It is worth noting that even though the worm infects Apache through
mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in
the OpenSSL library used by mod_ssl.
This also means that Apache may not be the only service vulnerable
to an attack via the SSL bug. Similar exploits may be possible
against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled
services.
As a workaround, it is also possible to disable SSLv2 in mod_ssl
(as described in our previous advisory SuSE-SA:2002:027), but you
should be aware that this does not protect other SSL-based servers that
may be running on your machine.
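To check whether the SSLv2 workaround is actually in effect on a host, the following added example (not part of the SuSE advisory) reads an Apache/mod_ssl configuration and reports the resulting SSLv2 state. It assumes mod_ssl's SSLProtocol directive semantics (tokens are [+|-]name applied to an initially empty set, the last directive wins, and a missing directive means the default "all"); the two sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the SuSE advisory: does this mod_ssl configuration
# still enable SSLv2, the protocol the Slapper exploit speaks?
# Assumed SSLProtocol semantics: tokens [+|-]name starting from an empty set,
# last directive wins, no directive at all means the default "all".

# Constructed sample configurations: the default/weak one and the workaround.
WEAK_CONF='SSLEngine on
# SSLProtocol all -SSLv2   (commented out, so the default still applies)
SSLCipherSuite HIGH:MEDIUM'

FIXED_CONF='SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM'

# sslv2_state: reads a config on stdin, prints "enabled" or "disabled".
# Only the last uncommented SSLProtocol directive counts (Apache's last-wins rule).
sslv2_state() {
    line=$(grep -i '^[[:space:]]*SSLProtocol[[:space:]]' | tail -n 1 | tr 'A-Z' 'a-z')
    if [ -z "$line" ]; then
        echo enabled          # no directive: mod_ssl's default is "all"
        return 0
    fi
    set -- $line              # split into tokens (word splitting is intended)
    shift                     # drop the directive name itself
    state=disabled            # the protocol set starts empty
    for tok in "$@"; do
        case "$tok" in
            all|+all|sslv2|+sslv2) state=enabled ;;
            -all|-sslv2)           state=disabled ;;
        esac
    done
    echo "$state"
}

printf 'weak config:  SSLv2 %s\n' "$(printf '%s\n' "$WEAK_CONF" | sslv2_state)"
printf 'fixed config: SSLv2 %s\n' "$(printf '%s\n' "$FIXED_CONF" | sslv2_state)"
```

Feed it a real httpd.conf with `sslv2_state < /path/to/httpd.conf`; remember that, as the advisory says, a "disabled" result covers only mod_ssl, not other SSL-enabled services on the machine.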
We have received numerous inquiries from SuSE users on whether the
update packages provided by SuSE as part of SA:2002:027 fix this bug
even though they do not contain the latest OpenSSL version recommended
in various advisories.
To clarify this, we would like to state that these packages DO FIX
the bug exploited by the Slapper worm. Following established policy,
we did this by applying a source code patch instead of upgrading to
a newer version, because the latter usually causes serious problems
for many users (in particular, different versions of OpenSSL libraries
are not always API compatible).
However, it turns out that a number of packages were statically
linked against OpenSSL libraries:
mod_ssl (SuSE Linux 7.0):
We have released rebuilt mod_ssl packages linked against the
most recent OpenSSL libraries.
If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl,
too.
sendmail-tls (SuSE Linux 7.1, 7.2, 7.3):
Sendmail-tls, the SSL enabled version of sendmail, was linked
statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security
impact of this problem is probably the same as with Apache and
mod_ssl.
We are releasing rebuilt packages linked against the most recent
OpenSSL libraries.
Sendmail-tls is not part of the default installation profile.
If you are using sendmail-tls, we strongly recommend you upgrade
to the latest packages provided on our FTP servers.
openssh (SuSE Linux 7.1, 7.2 and 7.3):
ssh and sshd do not use any SSL functionality, and thus are not
susceptible to the type of attack carried out by the Slapper worm.
To date, we are not aware of any way to exploit them. We nevertheless
recommend upgrading to the latest versions provided on our FTP site.
freeswan (SuSE Linux 7.1, 7.2):
FreeSWAN includes a utility named fswcert for creating and
manipulating X.509 certificates, which is also linked statically
against libcrypto.
To date, we are not aware of any way to exploit it. We
nevertheless recommend upgrading to the latest versions provided
on our FTP site as soon as they become available (2002 Sep 20).
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
mod_php4:
We are preparing an update of mod_php4 addressing various
vulnerabilities that have been published recently.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
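The two verification methods named above, as an added example that is not part of the SuSE advisory: a constructed stand-in file takes the place of a downloaded update, and its "announced" md5 is the one a signed announcement would list for it. It assumes GNU md5sum (with openssl as a fallback) and, for the second method, an rpm whose keyring already contains SuSE's public key.

```shell
#!/bin/sh
# Added example, not from the SuSE advisory: the two package-authenticity
# checks the appendix describes, run against a constructed stand-in package.
# Assumes GNU md5sum (or openssl as a fallback) and, for the second check,
# an rpm with SuSE's public key already imported into its keyring.

# Constructed stand-in for a downloaded update; a real one would be an .rpm.
PKG=${TMPDIR:-/tmp}/slapper-example-openssl.rpm
printf 'abc' > "$PKG"
# The md5 the (gpg-signed) announcement would list for this file.
ANNOUNCED_MD5=900150983cd24fb0d6963f7d28e17f72

# file_md5 <file>: hex md5 of a file, whichever tool is installed.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# md5_matches <file> <announced md5>: 0 if the download matches the
# announcement, 1 otherwise. Both sides are lower-cased before comparing.
md5_matches() {
    got=$(file_md5 "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# rpm_sig_check <file>: method 2, the rpm's embedded gpg signature.
# Prints rpm's verdict; returns 2 when rpm is absent so callers can tell
# "not checked" from "failed".
rpm_sig_check() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed, skipped"; return 2; }
    rpm --checksig "$1"
}

if md5_matches "$PKG" "$ANNOUNCED_MD5"; then
    echo "md5 matches the announcement"
else
    echo "md5 MISMATCH: do not install $PKG"
fi
rpm_sig_check "$PKG" || true
```

Method 1 only proves as much as the announcement's own gpg signature, so verify that signature before trusting the md5 list it carries.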