Slapper worm targets OpenSSL/Apache systems
slapper-worm (10098)
Description:
The Slapper worm has been detected on this system.
Slapper is a worm that exploits a previously disclosed buffer overflow in OpenSSL's handling of the Secure Sockets Layer 2.0 (SSLv2) handshake, specifically the CLIENT-MASTER-KEY message (CVE-2002-0656, listed as "OpenSSL SSL2 master key buffer overflow" in References). The worm is a modified derivative of the Apache "Scalper" BSD worm. The versions of Slapper in the wild target Linux/x86 servers running Apache with mod_ssl: the worm scans for hosts answering on port 80, sends the overflow to port 443, and on success uploads its own uuencoded C source to /tmp, compiles it with the local gcc and runs the result. Infected hosts join a peer-to-peer network over UDP (port 2002 in the original variant) through which the worm receives distributed denial of service (DDoS) commands; it also provides backdoor functionality that lets the controller run commands on the infected host.
Refer to Internet Security Systems Security Alert, September 14, 2002 for more information. See References.
Platforms Affected:
- Apache, HTTP Server 1.3.12
- Apache, HTTP Server 1.3.14
- Apache, HTTP Server 1.3.17
- Apache, HTTP Server 1.3.19
- Apache, HTTP Server 1.3.20
- Apache, HTTP Server 1.3.23
- Apache, HTTP Server 1.3.26
- Apache, HTTP Server 1.3.6
- Apache, HTTP Server 1.3.9
- Debian, Debian Linux
- Gentoo, Linux
- MandrakeSoft, Mandrake Linux
- RedHat, Linux
- Slackware, Slackware Linux
- SuSE, SuSE Linux
Remedy:
Any users with installations of OpenSSL up to and including 0.9.6d, or any 0.9.7 beta before 0.9.7-beta3, are encouraged to immediately upgrade to the latest version of OpenSSL (currently 0.9.6g; the overflow itself was fixed in 0.9.6e and 0.9.7-beta3). Upgrading the OpenSSL package alone is not enough where Apache or mod_ssl was built against a static or bundled copy of OpenSSL: rebuild those against the fixed library and restart the server so that the patched code is actually loaded.
Administrators should consider one or more of the following temporary workarounds to block the propagation of the worm. None of them fixes the underlying OpenSSL overflow, which any client able to start an SSLv2 handshake can trigger; they only remove what this particular worm needs.
- Disable mod_ssl HTTPS connections completely if they are not needed. Comment out the following line in "httpd.conf":
Listen 443
so that it reads:
#Listen 443
- Disable the SSLv2 protocol if it is not needed. Locate the SSLCipherSuite directive in httpd.conf; if it is commented out, uncomment it. Append ":!SSLv2" to the end of the directive and remove any portion that may enable SSLv2, such as ":+SSLv2". Ensure that the remaining ciphers are correctly configured. Where mod_ssl provides the SSLProtocol directive, "SSLProtocol all -SSLv2" disables the protocol outright and is the more robust setting; the worm only ever speaks SSLv2, so either change stops it. For these changes to take effect, the server must be restarted.
- Consider disabling or removing compilers (gcc in particular) on production or externally facing systems. The worm arrives as uuencoded C source and must compile itself on the victim, so this blocks propagation of the current worm even though it may not block future variants that ship a prebuilt binary. Removing compilers from production systems is a good general security practice.
- To disable the worm on an infected host, kill the .bugtraq processes:
killall -9 .bugtraq
Remove the worm files:
rm -f /tmp/.bugtraq /tmp/.uubugtraq /tmp/.bugtraq.c
Later variants drop differently named files (for example .unlock and .cinik) and use a different UDP port, so also check /tmp for other hidden executables and look for processes listening on unexpected UDP ports. Killing the process and deleting the files only stops this worm: the host has already executed attacker-supplied code as the web server user and exposed a backdoor, so treat it as compromised, check for further changes (accounts, cron entries, replaced binaries) and rebuild or restore it from a known-good state before returning it to service. Patch OpenSSL before reconnecting it, or it will simply be reinfected.
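The following shell script is an added example, not code from the X-Force entry or from ISS. It turns the remedy above into three checks an administrator can run: classifying the `openssl version` string against the fixed releases (0.9.6e and 0.9.7-beta3), auditing an httpd.conf for SSLv2 exposure the way the workaround describes (active Listen 443, SSLProtocol, SSLCipherSuite), and looking for the worm's files and processes. The variant file names (.unlock, .cinik and the .c/.uu companions derived from the .bugtraq naming pattern) are assumptions taken from later Slapper reports rather than from this entry, and the demo at the bottom runs everything on constructed sample input so the script works offline.

```shell
#!/bin/sh
# Added example, not code from the X-Force entry. Each check is a function so
# it can be reused on a live host; the demo at the bottom uses constructed
# input. Variant file names (.unlock, .cinik, and their .c/.uu companions) are
# an assumption based on later Slapper reports, not on this entry.

# 1. Classify the output of `openssl version` (e.g. "OpenSSL 0.9.6d 9 May 2002").
#    The SSLv2 master key overflow was fixed in 0.9.6e and 0.9.7-beta3; the
#    entry recommends 0.9.6g. Prints patched, vulnerable or unknown.
openssl_status() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        0.9.6[efghijklmnopqrstuvwxyz]*)  echo patched ;;     # 0.9.6e and later
        0.9.6*)                          echo vulnerable ;;  # 0.9.6 .. 0.9.6d
        0.9.7-beta[12]*|0.9.7beta[12]*)  echo vulnerable ;;
        0.9.7*|0.9.8*|1.*|3.*)           echo patched ;;
        0.9.[0-5]*)                      echo vulnerable ;;  # older than 0.9.6
        *)                               echo unknown ;;
    esac
}

# 2. Audit an httpd.conf for SSLv2 exposure. Only uncommented directives count.
#    Returns 0 (true) when SSLv2 cannot be negotiated, 1 otherwise. An
#    SSLProtocol line that permits "all" or SSLv2 falls through to the cipher
#    suite check, which is the directive the workaround above edits. The check
#    is conservative: when in doubt it reports EXPOSED.
sslv2_disabled() {
    conf="$1"
    if ! grep -Eiq '^[[:space:]]*Listen[[:space:]]+([0-9.]+:)?443([[:space:]]|$)' "$conf"; then
        echo "ok: no active Listen 443, HTTPS is off"; return 0
    fi
    proto=$(grep -Ei '^[[:space:]]*SSLProtocol([[:space:]]|$)' "$conf" | tail -n 1)
    if [ -n "$proto" ]; then
        case "$proto" in
            *-SSLv2*)                           echo "ok: SSLProtocol excludes SSLv2"; return 0 ;;
            *[Aa][Ll][Ll]*|*+SSLv2*|*" SSLv2"*) ;;   # SSLv2 permitted, check the ciphers
            *)                                  echo "ok: SSLProtocol does not list SSLv2"; return 0 ;;
        esac
    fi
    cs=$(grep -Ei '^[[:space:]]*SSLCipherSuite([[:space:]]|$)' "$conf" | tail -n 1)
    case "$cs" in
        *+SSLv2*) echo "EXPOSED: SSLCipherSuite enables SSLv2 (+SSLv2)"; return 1 ;;
        *!SSLv2*) echo "ok: SSLCipherSuite excludes SSLv2"; return 0 ;;
    esac
    echo "EXPOSED: SSLv2 ciphers still allowed"; return 1
}

# 3. Look for the worm's artifacts: dropped files in a temp directory and
#    running processes in a `ps axww` listing. scan_tmp returns 0 when the
#    directory is clean; worm_pids prints the PID of each matching process.
scan_tmp() {
    dir="$1"; found=0
    for n in bugtraq unlock cinik; do            # unlock/cinik names are assumed
        for f in ".$n" ".$n.c" ".uu$n" ".$n.uu"; do
            if [ -e "$dir/$f" ]; then echo "artifact: $dir/$f"; found=1; fi
        done
    done
    return $found
}
worm_pids() {
    printf '%s\n' "$1" | awk '/[ \/]\.(bugtraq|unlock|cinik)([ \t]|$)/ {print $1}'
}

# Demo on constructed input in a throwaway directory; nothing live is touched.
demo() {
    t=$(mktemp -d)
    openssl_status 'OpenSSL 0.9.6d 9 May 2002'                       # vulnerable
    printf 'Listen 443\nSSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2\n' > "$t/httpd.conf"
    sslv2_disabled "$t/httpd.conf" || echo "-> fix the config before exposing port 443"
    printf 'Listen 443\nSSLProtocol all -SSLv2\nSSLCipherSuite ALL:!ADH:!SSLv2\n' > "$t/httpd.conf"
    sslv2_disabled "$t/httpd.conf"                                   # ok
    touch "$t/.bugtraq" "$t/.uubugtraq"                              # constructed artifacts
    scan_tmp "$t" || echo "-> host shows Slapper artifacts, treat as compromised"
    worm_pids ' PID TTY STAT TIME COMMAND
 1234 ?    S   0:00 /tmp/.bugtraq 10.0.0.5
 1235 ?    S   0:00 /usr/sbin/httpd -DSSL'                          # 1234
    rm -rf "$t"
}
demo
```

On a live host the same functions take real input: `openssl_status "$(openssl version)"`, `sslv2_disabled /etc/httpd/conf/httpd.conf`, `scan_tmp /tmp` and `worm_pids "$(ps axww)"`. Two caveats: the `openssl` binary on the path may not be the library Apache actually loaded (a statically linked mod_ssl keeps its own copy), and a passing config audit only says the worm's entry point is closed; confirm from outside with a client that still speaks SSLv2 and, regardless, apply the OpenSSL upgrade.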
Consequences:
Denial of Service
References:
- BugTraq Mailing List, Thu Oct 03 2002 - 14:37:31 CDT, Cisco Secure Content Accelerator vulnerable to SSL worm at http://archives.neohapsis.com/archives/bugtraq/2002-10/0066.html.
- CERT Advisory CA-2002-27, Apache/mod_ssl Worm at http://www.cert.org/advisories/CA-2002-27.html.
- CIAC Information Bulletin M-125, Apache/mod_ssl Worm at http://www.ciac.org/ciac/bulletins/m-125.shtml.
- IBM Internet Security Systems X-Force Database, OpenSSL SSL2 master key buffer overflow at http://xforce.iss.net/xforce/xfdb/9714.
- Internet Security Systems Security Alert, September 14, 2002, "Slapper" OpenSSL/Apache Worm Propagation at http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21130.
- CVE-1999-0660: A hacker utility, back door, or Trojan Horse is installed on a system, e.g. NetBus, Back Orifice, Rootkit, etc.
Reported:
Sep 13, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
