[Computer-liaisons] [Fwd: [Web-admins-l] CERT Advisory CA-2002-27 Apache/mod_ssl Worm]
Adler, Stephen
adler at bnl.gov
Wed Sep 18 10:12:22 EDT 2002
For all you who are running web servers, please be aware of this
worm. If your server runs Red Hat and is registered with the
Red Hat Network and is up2date, then you shouldn't have to worry,
unless you've done your own tweaking of the server or modules
it loads.
Steve.
-----Forwarded Message-----
> From: "Metz, Christine" <cmetz at bnl.gov>
> To: web-admins-l at lists.bnl.gov, dba-admin-l at lists.bnl.gov
> Subject: [Web-admins-l] CERT Advisory CA-2002-27 Apache/mod_ssl Worm
> Date: 18 Sep 2002 10:12:13 -0400
>
> > -----Original Message-----
> > From: CERT Advisory [mailto:cert-advisory at cert.org]
> > Sent: Saturday, September 14, 2002 3:35 PM
> > To: cert-advisory at cert.org
> > Subject: CERT Advisory CA-2002-27 Apache/mod_ssl Worm
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > CERT Advisory CA-2002-27 Apache/mod_ssl Worm
> >
> > Original release date: September 14, 2002
> > Last revised: --
> > Source: CERT/CC
> >
> > A complete revision history can be found at the end of this file.
> >
> > Systems Affected
> >
> > * Linux systems running Apache with mod_ssl accessing SSLv2-enabled
> > OpenSSL 0.9.6d or earlier on Intel x86 architectures
> >
> > Overview
> >
> > The CERT/CC has received reports of self-propagating malicious code
> > which exploits a vulnerability (VU#102795) in OpenSSL. This malicious
> > code has been referred to as Apache/mod_ssl worm, linux.slapper.worm
> > and bugtraq.c worm.
> >
> > I. Description
> >
> > The Apache/mod_ssl worm is self-propagating malicious code that
> > exploits the OpenSSL vulnerability described in VU#102795.
> >
> > http://www.kb.cert.org/vuls/id/102795
> >
> > This vulnerability was among the topics discussed in CA-2002-23
> > "Multiple Vulnerabilities In OpenSSL".
> >
> > http://www.cert.org/advisories/CA-2002-23.html
> >
> > While this OpenSSL server vulnerability exists on a wide variety of
> > platforms, the Apache/mod_ssl worm appears to work only on Linux
> > systems running Apache with the OpenSSL module (mod_ssl) on Intel
> > architectures.
> >
> > The Apache/mod_ssl worm scans for potentially vulnerable systems on
> > 80/tcp using an invalid HTTP GET request.
> >
> > GET /mod_ssl:error:HTTP-request HTTP/1.0
> >
> > When an Apache system is detected, it attempts to send exploit code to
> > the SSL service via 443/tcp. If successful, a copy of the malicious
> > source code is then placed on the victim server, where the attacking
> > system tries to compile and run it. Once infected, the victim server
> > begins scanning for additional hosts to continue the worm's
> > propagation.
> >
> > Additionally, the Apache/mod_ssl worm can act as an attack platform
> > for distributed denial-of-service (DDoS) attacks against other sites
> > by building a network of infected hosts. During the infection process,
> > the attacking host instructs the newly-infected victim to initiate
> > traffic on 2002/udp back to the attacker. Once this communications
> > channel has been established, the infected system becomes part of the
> > Apache/mod_ssl worm's DDoS network. Infected hosts can then share
> > information on other infected systems as well as attack instructions.
> > Thus, the 2002/udp traffic can be used by a remote attacker as a
> > communications channel between infected systems to coordinate attacks
> > on other sites.
> >
> > Identifying infected hosts
> >
> > Reports indicate that the Apache/mod_ssl worm's source code is placed
> > in /tmp/.bugtraq.c on infected systems. It is compiled with gcc,
> > resulting in the executable binary being stored at /tmp/.bugtraq;
> > therefore, presence of any of the following files on Linux systems
> > running Apache with OpenSSL is indicative of compromise.
> >
> > /tmp/.bugtraq.c
> > /tmp/.bugtraq
> >
> > The probing phase of the attack may show up in web server logs as:
> >
> > GET /mod_ssl:error:HTTP-request HTTP/1.0
> >
> > Note that the appearance of this entry in a web server log is not
> > indicative of compromise, but is merely evidence of a probe from an
> > infected system.
> >
> > Reports received by the CERT/CC indicate that Apache systems may
> > subsequently log messages similar to the following:
> >
> > [error] SSL handshake failed: HTTP spoken on HTTPS port; trying
> > to send HTML error page (OpenSSL library error follows)
> >
> > [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
> > [Hint: speaking HTTP to HTTPS port!?]
> >
> > Actual log entries may vary from system to system, but will generally
> > include an "SSL handshake failed" followed by an OpenSSL library
> > error.
> >
> > Hosts found to be listening for or transmitting data on 2002/udp are
> > also indicative of compromise by the Apache/mod_ssl worm.
> >
> > Detecting Apache/mod_ssl worm activity on the network
> >
> > Infected systems are readily identifiable on a network by the
> > following traffic characteristics:
> >
> > * Probing -- Scanning on 80/tcp
> >
> > * Propagation -- Connections to 443/tcp
> >
> > * DDoS -- Transmitting or receiving datagrams with both source and
> > destination ports 2002/udp. This traffic is used as a
> > communications channel between infected systems to coordinate
> > attacks on other sites.
> >
> > Additionally, infected hosts that are actively participating in DDoS
> > attacks against other systems may generate unusually high volumes of
> > attack traffic using various protocols (e.g., TCP, UDP, ICMP).
> >
> > II. Impact
> >
> > Compromise by the Apache/mod_ssl worm indicates that a remote attacker
> > can execute arbitrary code as the apache user on the victim system. It
> > may be possible for an attacker to subsequently leverage a local
> > privilege escalation exploit in order to gain root access to the
> > victim system. Furthermore, the DDoS capabilities included in the
> > Apache/mod_ssl worm allow victim systems to be used as platforms to
> > attack other systems.
> >
> > III. Solution
> >
> > Apply a patch
> >
> > Administrators of all systems running OpenSSL are encouraged to review
> > CA-2002-23 and VU#102795 for detailed vendor recommendations regarding
> > patches.
> >
> > http://www.cert.org/advisories/CA-2002-23.html
> > http://www.kb.cert.org/vuls/id/102795
> >
> > Note that while the vulnerability exploited by the Apache/mod_ssl worm
> > was fixed beginning with OpenSSL version 0.9.6e, as of this writing
> > the latest version of OpenSSL is 0.9.6g. Administrators may wish to
> > upgrade to that version instead.
> >
> > http://www.openssl.org/source/
> >
> > The following is reproduced in part from CA-2002-23
> >
> > Upgrade to version 0.9.6e of OpenSSL
> >
> > Upgrade to version 0.9.6e of OpenSSL to resolve the issues
> > addressed in this advisory. As noted in the OpenSSL advisory,
> > separate patches are available:
> >
> > Combined patches for OpenSSL 0.9.6d:
> > http://www.openssl.org/news/patch_20020730_0_9_6d.txt
> >
> > After either applying the patches above or upgrading to 0.9.6e,
> > recompile all applications using OpenSSL to support SSL or TLS
> > services, and restart said services or systems. This will eliminate
> > all known vulnerable code.
> >
> > Sites running OpenSSL pre-release version 0.9.7-beta2 may wish to
> > upgrade to 0.9.7-beta3, which corrects these vulnerabilities.
> > Separate patches are available as well:
> >
> > Combined patches for OpenSSL 0.9.7 beta 2:
> > http://www.openssl.org/news/patch_20020730_0_9_7.txt
> >
> > Disable SSLv2
> >
> > Disabling SSLv2 handshaking will prevent exploitation of VU#102795.
> > CERT/CC recommends consulting the mod_ssl documentation for a complete
> > description of the options but one method for disabling SSLv2 is to
> > remove SSLv2 as a supported cipher in the SSLCipherSuite directive in
> > the configuration file. For example:
> >
> > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
> >
> > which allows SSLv2 can be changed to
> >
> > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
> >
> > which will disable SSLv2. Note the changing of +SSLv2 to !SSLv2.
> >
> > However, systems may still be susceptible to the other
> > vulnerabilities
> > described in CA-2002-23.
> >
> > Recovering from a system compromise
> >
> > If you believe a system under your administrative control has been
> > compromised, please follow the steps outlined in
> >
> > http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
> >
> > Reporting
> >
> > The CERT/CC is interested in receiving reports of this activity. If
> > machines under your administrative control are compromised, please
> > send mail to cert at cert.org with the following text included in the
> > subject line: "[CERT#23820]".
> > _________________________________________________________________
> >
> > Feedback can be directed to the author: Allen Householder
> >
> > ______________________________________________________________________
> >
> > This document is available from:
> > http://www.cert.org/advisories/CA-2002-27.html
> >
> > ______________________________________________________________________
> >
> > CERT/CC Contact Information
> >
> > Email: cert at cert.org
> > Phone: +1 412-268-7090 (24-hour hotline)
> > Fax: +1 412-268-6989
> > Postal address:
> > CERT Coordination Center
> > Software Engineering Institute
> > Carnegie Mellon University
> > Pittsburgh PA 15213-3890
> > U.S.A.
> >
> > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> > EDT(GMT-4) Monday through Friday; they are on call for emergencies
> > during other hours, on U.S. holidays, and on weekends.
> >
> > Using encryption
> >
> > We strongly urge you to encrypt sensitive information sent by email.
> > Our public PGP key is available from
> > http://www.cert.org/CERT_PGP.key
> >
> > If you prefer to use DES, please call the CERT hotline for more
> > information.
> >
> > Getting security information
> >
> > CERT publications and other security information are available from
> > our web site
> > http://www.cert.org/
> >
> > To subscribe to the CERT mailing list for advisories and bulletins,
> > send email to majordomo at cert.org. Please include in the body of your
> > message
> >
> > subscribe cert-advisory
> >
> > * "CERT" and "CERT Coordination Center" are registered in the U.S.
> > Patent and Trademark Office.
> >
> > ______________________________________________________________________
> >
> > NO WARRANTY
> > Any material furnished by Carnegie Mellon University and the Software
> > Engineering Institute is furnished on an "as is" basis. Carnegie
> > Mellon University makes no warranties of any kind, either expressed or
> > implied as to any matter including, but not limited to, warranty of
> > fitness for a particular purpose or merchantability, exclusivity or
> > results obtained from use of the material. Carnegie Mellon University
> > does not make any warranty of any kind with respect to freedom from
> > patent, trademark, or copyright infringement.
> > _________________________________________________________________
> >
> > Conditions for use, disclaimers, and sponsorship information
> >
> > Copyright 2002 Carnegie Mellon University.
> >
> > Revision History
> > September 14, 2002: Initial release
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.8
> >
> > iQCVAwUBPYODr6CVPMXQI2HJAQHhbgQAktzDUa8MYdBlGkimk9Qo5oVhnEAAUW1s
> > gkadeQIwNw+bXhu8bzcbx/5WLK2vS09ivFknNO3WYy2MIDFWTtoct4R3xX/PM5Ad
> > LB7HKSP6nukMJcTq6vnHTtOzaWQkLgbWgOPMpsPfxrjVG6lz4AnwyqkmmLOrl1NS
> > YMgTNn0niIk=
> > =SON1
> > -----END PGP SIGNATURE-----
> >
>
> ----
> Christine Metz
> Cyber Security - Bldg 515
> metz at bnl.gov
>
> _______________________________________________
> Web-admins-l mailing list
> Web-admins-l at lists.bnl.gov
> http://lists.bnl.gov/mailman/listinfo/web-admins-l
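The detection and mitigation guidance in the forwarded advisory, as an added example that is not part of the original mail or of the CERT advisory: a small Python triage script that checks the four indicator classes CA-2002-27 names (the probe request in access_log, the "SSL handshake failed" entry followed by an OpenSSL library error in error_log, the /tmp/.bugtraq files, and an SSLCipherSuite value that still admits SSLv2). The log lines are constructed samples in Apache's default log formats, the `exists` parameter is a hypothetical hook so the file check can be exercised without a real /tmp, and the cipher-string check assumes the list starts from ALL or DEFAULT, which in the OpenSSL 0.9.6 series included the SSLv2 ciphers, as in the advisory's own example.

```python
"""Host triage for the Apache/mod_ssl worm indicators in CA-2002-27.

Added example, not code from the advisory. Checks the four indicator classes
the advisory names: the probe request in the access log, the "SSL handshake
failed" entry followed by an OpenSSL library error in the error log, the
/tmp/.bugtraq* files, and an SSLCipherSuite value that still admits SSLv2.
"""
import os
import re

# Strings taken from the advisory.
PROBE_REQUEST = "GET /mod_ssl:error:HTTP-request HTTP/1.0"
INDICATOR_FILES = ["/tmp/.bugtraq.c", "/tmp/.bugtraq"]
HANDSHAKE_FAILED = re.compile(r"\[error\] SSL handshake failed")
OPENSSL_ERROR = re.compile(r"\[error\] OpenSSL: error:[0-9A-Fa-f]+:")

# Constructed sample log lines (not from the advisory): Common Log Format for
# access_log, the Apache 1.3 error_log format for the mod_ssl entries.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [14/Sep/2002:12:01:05 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 326',
    '198.51.100.7 - - [14/Sep/2002:12:01:09 -0400] "GET /index.html HTTP/1.0" 200 1523',
    '192.0.2.10 - - [14/Sep/2002:12:02:41 -0400] "GET /mod_ssl:error:HTTP-request HTTP/1.0" 400 326',
]
SAMPLE_ERROR_LOG = [
    "[Sat Sep 14 12:01:06 2002] [error] SSL handshake failed: HTTP spoken on HTTPS port; "
    "trying to send HTML error page (OpenSSL library error follows)",
    "[Sat Sep 14 12:01:06 2002] [error] OpenSSL: error:1407609C:SSL routines:"
    "SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]",
    "[Sat Sep 14 12:05:00 2002] [notice] httpd: resuming normal operations",
]


def probe_sources(access_log_lines):
    """Client addresses that sent the worm's probe, in first-seen order.
    A hit means an infected host scanned this server, not that this server
    is compromised (the advisory draws the same distinction)."""
    sources = []
    for line in access_log_lines:
        if PROBE_REQUEST in line:
            src = line.split()[0]
            if src not in sources:
                sources.append(src)
    return sources


def handshake_error_pairs(error_log_lines):
    """Number of 'SSL handshake failed' entries immediately followed by an
    OpenSSL library error, the pattern the advisory says may follow a probe."""
    pairs = 0
    for prev, cur in zip(error_log_lines, error_log_lines[1:]):
        if HANDSHAKE_FAILED.search(prev) and OPENSSL_ERROR.search(cur):
            pairs += 1
    return pairs


def indicator_files_present(exists=os.path.exists):
    """Advisory indicator paths that exist. `exists` is a hypothetical hook
    (assumption) so the check can run without touching the real /tmp."""
    return [path for path in INDICATOR_FILES if exists(path)]


def sslv2_allowed(cipher_suite):
    """Whether an SSLCipherSuite value still admits SSLv2 ciphers.

    Assumption: the list starts from ALL or DEFAULT, which in the OpenSSL
    0.9.6 series includes the SSLv2 ciphers, as in the advisory's example.
    OpenSSL cipher-string rules: '!' deletes permanently, '-' deletes but a
    later bare entry may re-add, '+' only moves matching ciphers to the end.
    """
    allowed = True
    for token in cipher_suite.split(":"):
        if token.lstrip("+-!").upper() != "SSLV2":
            continue
        if token.startswith("!"):
            return False  # permanently removed; nothing later can re-add it
        if token.startswith("-"):
            allowed = False  # removed for now, a later bare SSLv2 re-adds it
        elif not token.startswith("+"):
            allowed = True  # bare SSLv2 adds the ciphers back
    return allowed


def triage(access_log_lines, error_log_lines, cipher_suite, exists=os.path.exists):
    """Combine the four checks into one report dictionary."""
    return {
        "probe_sources": probe_sources(access_log_lines),
        "handshake_error_pairs": handshake_error_pairs(error_log_lines),
        "indicator_files": indicator_files_present(exists),
        "sslv2_allowed": sslv2_allowed(cipher_suite),
    }


if __name__ == "__main__":
    # Run against the constructed samples and the advisory's "before" directive.
    report = triage(SAMPLE_ACCESS_LOG, SAMPLE_ERROR_LOG, "ALL:!ADH:RC4+RSA:+HIGH:+SSLv2")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run as a script it reports on the constructed samples; against a real host, pass `open(path).read().splitlines()` for the two logs and the `SSLCipherSuite` value from httpd.conf, and leave `exists` at its default so the /tmp check is real. The probe count is reported separately from the error-log pairs and the file check because, as the advisory stresses, a probe in access_log is evidence of an infected neighbour, while the /tmp/.bugtraq files are evidence of compromise of this host.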