Slapper: The FUD and the Danger
by Steven J. Vaughan-Nichols
Let me start out by saying that the so-called Linux.Slapper.a
worm is not a Linux worm, no matter what the security companies
say. Mac OS X, the BSDs, AIX, HP-UX, Tru64, Solaris, yes, even
Windows, are all potentially vulnerable, because it's really
a worm that exploits holes, public since the end of July, in older
versions of the OpenSSL library that many Apache servers use (through
mod_ssl) to provide Secure Sockets Layer (SSL) connections, and that
some versions of BIND link against as well.
Thus a better name for it is the Apache/mod_ssl worm, or Slapper
for short. This isn't an operating system worm; it's an application
worm. For now, the existing worm only deliberately targets
Gentoo, Debian, Red Hat, SuSE and Slackware Linuxes, but it
will attempt to attack any system it finds, and it may
succeed. In any case, with a few trivial changes to
the code, the worm could be set to deliberately target other
specific operating systems.
If you simply run Apache without OpenSSL, you're not vulnerable
to infection. If you run Apache with OpenSSL 0.9.6e or later
(0.9.6g, the current release, has been available since August 9th),
you can't get it. And if you use another SSL module, such as
Apache-SSL, this particular worm won't hit you either; but note that
Apache-SSL is built on the same OpenSSL library, so the underlying
hole still needs patching there too. Right
now, however, it's hard to get the fix from the OpenSSL
site, because the site appears to be swamped by people
downloading the new version.
It's possible that there's already a fix for your specific
system. AIX (login required), Apple, Caldera/SCO, Covalent, Debian,
Gentoo, NetBSD, Mandrake, Red Hat, Solaris and SuSE all have
patches available. The Internet Software Consortium (ISC)
recommends that BIND 9.1 users upgrade to BIND 9.2.x and be certain
to link it with OpenSSL 0.9.6g libraries.
Most of these fixes were already available by early August.
The reason we have a problem now is that, once more, some
system administrators haven't been keeping up with their
security news and updates.
Is Slapper a serious problem? I think so. My Web hosting
company was hit, which in turn meant that for a few hours
on Monday my Web sites, along with several thousand other
small- to medium-sized business sites, were down. I will give
them credit for isolating the problem and fixing it quickly,
but I'd rather not have seen the problem in the first place.
Objectively, Symantec said on Friday, September 13, that
there were 3,500 infections, and since then there have been
reports of it hitting 7,000+ servers. F-Secure
puts the number even higher, at 13,892 infected systems. That's
still a small fraction of Apache servers, since only a minority
of Apache servers use OpenSSL and many of those had been properly
updated.
Still, Slapper's a bigger problem than its numbers indicate.
It can be, and has been, used to deliver Distributed
Denial of Service (DDoS) attacks, with the infected hosts
coordinating through a peer-to-peer network over UDP port 2002.
While no one has yet confessed to being the target of a Slapper
DDoS attack, the Internet Storm Center's statistics on Slapper
indicate that such attacks are happening.
There are several quick and easy ways to see if you've got
Slapper. The easiest is to look in your temporary files directory,
typically /tmp on Unix systems, for the following
files: .bugtraq, .uubugtraq and .bugtraq.c. If you've got
them, you've got it. (The names start with a dot, so a plain
ls won't list them; use ls -la /tmp.) A listener on UDP port 2002,
the port the worm's peer-to-peer network uses, is another tell.
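Here, as an added example that is not part of the original column and not code from the ISC, RUS-CERT or any vendor, is a small POSIX shell triage script that pulls the checks above together: it looks for the three dropped files, looks for a UDP socket on port 2002, and classifies the banner printed by `openssl version` against the cut-offs from the OpenSSL advisory of 30 July 2002 (0.9.6e and 0.9.7-beta3 are the first fixed releases). The file name slapper_triage.sh is an assumption used only for the self-run guard at the bottom. One caveat is built into the version check: vendors frequently backport the fix without changing the version string, so a "vulnerable" verdict from a distribution package means "read the package changelog", not "definitely exposed"; a remote probe such as the RUS-CERT tool is the authoritative test.

```shell
#!/bin/sh
# slapper_triage.sh (added example; assumed file name)
# Triage a host suspected of carrying the Apache/mod_ssl worm (Slapper).
# Indicators: the three files the worm drops in /tmp and its peer-to-peer
# traffic on UDP port 2002. Version cut-offs are from the OpenSSL advisory
# of 30 July 2002: 0.9.6e and 0.9.7-beta3 are the first fixed releases.

SLAPPER_FILES=".bugtraq .uubugtraq .bugtraq.c"

# Return 0 (and print each hit) if any known dropped file exists under $1
# (default /tmp); return 1 if none do. The names are dotfiles, so each one
# is tested explicitly rather than read from `ls`.
slapper_files_present() {
    dir=${1:-/tmp}
    hit=1
    for f in $SLAPPER_FILES; do
        if [ -e "$dir/$f" ]; then
            echo "indicator: $dir/$f"
            hit=0
        fi
    done
    return $hit
}

# Return 0 if a UDP socket bound to port 2002 is open, 1 if not, 2 if neither
# netstat nor ss exists. Matches "...:2002" (Linux) and "...*.2002" (BSD) in
# netstat's local-address column; for ss, any column ending in ":2002".
slapper_udp_port_open() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null |
            awk '$1 ~ /^udp/ && $4 ~ /[.:]2002$/ { found = 1 } END { exit !found }'
    elif command -v ss >/dev/null 2>&1; then
        ss -lun 2>/dev/null |
            awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:2002$/) found = 1 } END { exit !found }'
    else
        return 2
    fi
}

# Classify an `openssl version` banner such as "OpenSSL 0.9.6d 9 May 2002".
# Return 0 for a release containing the fix (0.9.6e or later, 0.9.7-beta3 or
# later, and every newer line), 1 for a vulnerable release, 2 if unrecognised.
# Caveat: vendor packages often carry the fix under the old version number,
# so treat a 1 from a distribution package as "check the changelog".
openssl_banner_fixed() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        0.9.7-beta[12])              return 1 ;;   # pre-fix 0.9.7 betas
        0.9.7*|0.9.[89]*|[1-9]*)     return 0 ;;   # 0.9.7-beta3 onwards, and newer lines
        0.9.6[e-z]*)                 return 0 ;;   # 0.9.6e, 0.9.6f, 0.9.6g, ...
        0.9.6*|0.9.[0-5]*|0.[0-8]*)  return 1 ;;   # 0.9.6d and everything before it
        *)                           return 2 ;;
    esac
}

# Run all three checks on the live system. Exit 0 if nothing was found,
# 1 if any indicator or a vulnerable OpenSSL banner turned up.
slapper_triage() {
    status=0
    slapper_files_present "${1:-/tmp}" && status=1
    if slapper_udp_port_open; then
        echo "indicator: UDP port 2002 is open"
        status=1
    fi
    if command -v openssl >/dev/null 2>&1; then
        banner=$(openssl version 2>/dev/null)
        rc=0
        openssl_banner_fixed "$banner" || rc=$?
        case $rc in
            1) echo "vulnerable OpenSSL on disk: $banner"; status=1 ;;
            2) echo "unrecognised OpenSSL banner: $banner" ;;
        esac
    fi
    return $status
}

# Only run when executed under the assumed file name; sourcing the file
# just defines the functions.
case "$0" in
    *slapper_triage.sh) slapper_triage "$@" ;;
esac
```

Run it as `sh slapper_triage.sh` on the suspect host, or source it and call the individual functions. A clean host gives exit status 0 with no output; anything else prints the indicators it found. Finding the files or the port open means cleaning up per the ISC instructions and then patching; a vulnerable banner alone means patching before the worm finds you.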
If you do have a case, you can apply a temporary fix by following
the instructions from the Internet Storm Center. For a long-term fix,
though, you must update your OpenSSL libraries and then restart the
applications that use them, or rebuild them if they were compiled
with OpenSSL linked in statically; a patched library on disk does
nothing for a running Apache that still has the old code loaded.
For most Web administrators, this will simply mean using your
operating system's update mechanism once your vendor has a fix in place.
You can also check whether you're vulnerable to attacks
on outdated versions of OpenSSL by using this
program from the Computer Emergency Response Team at Germany's
University of Stuttgart Computing Center (RUS-CERT).
Even if you think you don't use OpenSSL, it's worth taking this
step, since, as the RUS-CERT team notes, "Vendors might
use OpenSSL to implement SSL services, but do not publicize
it."
-30-