Date: 14 September 2002
References: ESB-2002.506 ESB-2002.508
CORRECTION - Some web links in an e-mail that were meant to point to the AusCERT training course "Windows Intrusion Prevention Workshop" were accidentally mistyped and directed here.
The correct URL is http://www.auscert.org.au/2408. We apologise for any inconvenience this may have caused.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2002.11 -- AUSCERT ALERT
Apache/mod_ssl Worm
14 September 2002
===========================================================================
PROBLEM:
A worm in the wild is currently exploiting Apache web servers using
the OpenSSL vulnerability described in AusCERT Advisory AA-2002.06.
The worm, referred to as the Apache/mod_ssl worm or the
Linux.Slapper.Worm, is currently exploiting Linux hosts on the Intel
i386 architecture; however, the worm has the potential to affect any
platform utilising the vulnerable version of OpenSSL.
This worm is different from the Apache Worm described in AusCERT
Alert AL-2002.06.
No attacks against Australian web servers have been reported to
AusCERT at this time; however, exploits are being reported overseas
and Australian IP addresses are listed as targets in the source
code, so it is possible that Australian hosts may already be
compromised.
AusCERT recommends that members follow the steps under "MITIGATION"
below as soon as possible.
PLATFORM:
While Linux hosts running Apache are currently being targeted by
the worm, any host running OpenSSL 0.9.6d or earlier (including
pre-release 0.9.7-beta2 or earlier) is vulnerable to the buffer
overflows in OpenSSL.
IMPACT:
A partial list of the impacts of this worm is:
o Execute arbitrary code on the host
o Execute denial of service attacks using TCP or UDP
o Execute denial of service attacks using DNS
DETAILS:
At this time, it appears that the Apache/mod_ssl worm exploits the
buffer overflow in SSLv2 handshakes discovered in OpenSSL 0.9.6d
and earlier.
The worm currently verifies the version of Apache before
attempting the exploit. Upon gaining access to the host, it
creates the file "/tmp/.bugtraq.c" and attempts to compile it
with gcc. Once compiled and executed, this program acts as a
denial of service tool and uses port 2002/udp to send and
receive instructions for further attacks.
The existence of the file "/tmp/.bugtraq.c" or the following
Apache error log entries may indicate a successful compromise:
[error] [client xx.xx.xx.xx client sent HTTP/2.1 request without
hostname (see RFC2616 section 14.23): /
[error] mod_ssl: SSL handshake failed (server xx.xx.xx.xx:443,
client xx.xx.xx.xx) (OpenSSL library error follows)
[error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:
connection id is different
[error] mod_ssl: SSL handshake timed out (client xx.xx.xx.xx,
server xx.xx.xx.xx:443)
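The indicators above can be checked mechanically. The following script is an added example, not part of the AusCERT alert: it runs the four error_log phrases and the dropped-file check over a constructed sample log (the IP addresses and timestamps are made up), and the "more than one kind of indicator from the same client" rule is my own triage heuristic, not something the alert states.

```python
import os
import re
from collections import Counter, defaultdict

# Constructed Apache 1.3 error_log sample; lines 2-6 reuse the alert's phrases.
SAMPLE_LOG = """\
[Sat Sep 14 01:02:03 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Sat Sep 14 01:05:11 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Sat Sep 14 01:05:12 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.77) (OpenSSL library error follows)
[Sat Sep 14 01:05:12 2002] [error] OpenSSL: error:1406908F:SSL routines:GET_CLIENT_FINISHED:connection id is different
[Sat Sep 14 01:05:40 2002] [error] mod_ssl: SSL handshake timed out (client 192.0.2.77, server www.example.com:443)
[Sat Sep 14 01:09:00 2002] [error] mod_ssl: SSL handshake timed out (client 198.51.100.5, server www.example.com:443)
"""

# Indicator phrases from the alert; the HTTP version is deliberately not pinned.
INDICATORS = {
    "no_hostname": re.compile(r"request without hostname"),
    "handshake_failed": re.compile(r"mod_ssl: SSL handshake failed"),
    "client_finished": re.compile(r"error:1406908F:SSL routines:GET_CLIENT_FINISHED"),
    "handshake_timeout": re.compile(r"mod_ssl: SSL handshake timed out"),
}
CLIENT_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})")

def classify(line):
    """Name of the first indicator matching this line, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(line):
            return name
    return None

def indicators_by_client(lines):
    """client IP -> Counter of indicator names; lines without an IP go to 'unknown'."""
    seen = defaultdict(Counter)
    for line in lines:
        name = classify(line)
        if name is not None:
            m = CLIENT_RE.search(line)
            seen[m.group(1) if m else "unknown"][name] += 1
    return seen

def suspect_clients(lines):
    """Heuristic (mine, not the alert's): a client that produced more than one
    kind of indicator is worth investigating; sorted for stable output."""
    seen = indicators_by_client(lines)
    return sorted(ip for ip, c in seen.items() if ip != "unknown" and len(c) > 1)

def dropped_file_present(path="/tmp/.bugtraq.c"):
    """The alert names this file as the worm's dropped source; check for it."""
    return os.path.exists(path)
```

Run it against a real error_log with `indicators_by_client(open("/var/log/httpd/error_log"))` and combine the result with the port 2002/udp monitoring described under MITIGATION.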
MITIGATION:
o Upgrade to the latest stable version of OpenSSL, which is
0.9.6g as of this writing.
o If you are unable to upgrade OpenSSL, you may wish to consider
disabling SSLv2 or all SSL functionality in Apache. Before
disabling SSL services, carefully consider the impact this may
have on your service requirements. Note that some older web
browsers may require SSLv2.
Disabling SSLv2 can be done by adding or modifying the following
lines in the Apache configuration file (commonly httpd.conf):
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
Note that the only change required to SSLCipherSuite is the addition of -SSLv2.
o Modify the Apache configuration to limit the amount of server
information displayed. Using the following line will restrict
Apache from displaying the version number:
ServerTokens ProductOnly
o Monitor your network for traffic on port 2002/udp, which may
indicate a compromised host.
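As an added example (not part of the alert), the script below audits an httpd.conf fragment for the three settings the MITIGATION section touches: whether SSLv2 is still enabled by SSLProtocol, whether SSLCipherSuite excludes SSLv2 ciphers, and whether ServerTokens hides the Apache version. The two configuration fragments are constructed; the weak one leaves SSLv2 on, the hardened one applies the alert's recommended lines. Directive parsing is simplified and ignores <VirtualHost> scoping.

```python
import re

ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # protocol names mod_ssl 2.8 accepts
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}

# Constructed httpd.conf fragments: the first leaves SSLv2 on and shows the
# full version banner, the second applies the alert's recommended lines.
WEAK_CONF = """\
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
ServerTokens Full
"""
HARDENED_CONF = """\
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP:+eNULL
SSLProtocol all -SSLv2
ServerTokens ProductOnly   # hides the Apache version the worm checks for
"""

def parse_directives(conf_text):
    """directive (lower-cased) -> last value seen. Comments are stripped and
    <VirtualHost> scoping is ignored, so the last occurrence wins."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                found[parts[0].lower()] = parts[1].strip()
    return found

def enabled_protocols(value):
    """Expand an SSLProtocol value such as 'all -SSLv2' into the enabled set."""
    enabled = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {CANONICAL.get(name.lower(), name)}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit(conf_text):
    """Report the three settings the alert's mitigation section touches."""
    d = parse_directives(conf_text)
    protocols = enabled_protocols(d.get("sslprotocol", "all"))  # mod_ssl default is "all"
    return {
        "sslv2_enabled": "SSLv2" in protocols,
        "ciphersuite_excludes_sslv2": bool(re.search(r"[-!]SSLv2\b", d.get("sslciphersuite", ""), re.I)),
        "version_hidden": d.get("servertokens", "Full").lower() in ("prod", "productonly"),
    }
```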
REFERENCES:
Symantec Security Response
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html
mod_ssl Documentation - HowTo
http://www.modssl.org/docs/2.8/ssl_howto.html
AusCERT Advisory AA-2002.06 - OpenSSL Vulnerabilities
http://www.auscert.org.au/Information/Advisories/advisory/AA-2002.06.txt
CERT Advisory CA-2002-23 - Multiple Vulnerabilities In OpenSSL
http://www.cert.org/advisories/CA-2002-23.html
AusCERT Alert AL-2002.06 - Apache Worm
http://www.auscert.org.au/Information/Advisories/advisory/AL-2002.06.txt
AusCERT will continue to monitor this issue, and provide more
information as it becomes available.
- ---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
-----END PGP SIGNATURE-----
This Alert was made available to non-members on 10 October 2002.