Loading ...
Sorry, an error occurred while loading the content.

FW: CERT Advisory CA-2002-27 Apache/mod_ssl Worm

Expand Messages
  • Ansar Mohammed
    ... SSLv2-enabled ... code ... malicious ... linux.slapper.worm ... that ... on ... to ... malicious ... attacking ... server ... worm s ... platform ... sites
    Message 1 of 2 , Sep 16, 2002
    • 0 Attachment
      > -----Original Message-----
      > From: CERT Advisory [mailto:cert-advisory@...]
      > Sent: Saturday, September 14, 2002 3:25 PM
      > To: cert-advisory@...
      > Subject: CERT Advisory CA-2002-27 Apache/mod_ssl Worm
      >
      >
      >
      > -----BEGIN PGP SIGNED MESSAGE-----
      >
      > CERT Advisory CA-2002-27 Apache/mod_ssl Worm
      >
      > Original release date: September 14, 2002
      > Last revised: --
      > Source: CERT/CC
      >
      > A complete revision history can be found at the end of this file.
      >
      > Systems Affected
      >
      > * Linux systems running Apache with mod_ssl accessing
      SSLv2-enabled
      > OpenSSL 0.9.6d or earlier on Intel x86 architectures
      >
      > Overview
      >
      > The CERT/CC has received reports of self-propagating malicious
      code
      > which exploits a vulnerability (VU#102795) in OpenSSL. This
      malicious
      > code has been referred to as Apache/mod_ssl worm,
      linux.slapper.worm
      > and bugtraq.c worm.
      >
      > I. Description
      >
      > The Apache/mod_ssl worm is self-propagating malicious code
      that
      > exploits the OpenSSL vulnerability described in VU#102795.
      >
      > http://www.kb.cert.org/vuls/id/102795
      >
      > This vulnerability was the among the topics discussed in CA-2002-23
      > "Multiple Vulnerabilities In OpenSSL".
      >
      > http://www.cert.org/advisories/CA-2002-23.html
      >
      > While this OpenSSL server vulnerability exists on a wide variety of
      > platforms, the Apache/mod_ssl worm appears to work only on Linux
      > systems running Apache with the OpenSSL module (mod_ssl) on Intel
      > architectures.
      >
      > The Apache/mod_ssl worm scans for potentially vulnerable systems
      on
      > 80/tcp using an invalid HTTP GET request.
      >
      > GET /mod_ssl:error:HTTP-request HTTP/1.0
      >
      > When an Apache system is detected, it attempts to send exploit code
      to
      > the SSL service via 443/tcp. If successful, a copy of the
      malicious
      > source code is then placed on the victim server, where the
      attacking
      > system tries to compile and run it. Once infected, the victim
      server
      > begins scanning for additional hosts to continue the
      worm's
      > propagation.
      >
      > Additionally, the Apache/mod_ssl worm can act as an attack
      platform
      > for distributed denial-of-service (DDoS) attacks against other
      sites
      > by building a network of infected hosts. During the infection
      process,
      > the attacking host instructs the newly-infected victim to
      initiate
      > traffic on 2002/udp back to the attacker. Once this
      communications
      > channel has been established, the infected system becomes part of
      the
      > Apache/mod_ssl worm's DDoS network. Infected hosts can then
      share
      > information on other infected systems as well as attack
      instructions.
      > Thus, the 2002/udp traffic can be used by a remote attacker
      as a
      > communications channel between infected systems to coordinate
      attacks
      > on other sites.
      >
      > Identifying infected hosts
      >
      > Reports indicate that the Apache/mod_ssl worm's source code is
      placed
      > in /tmp/.bugtraq.c on infected systems. It is compiled with
      gcc,
      > resulting in the executable binary being stored at
      /tmp/.bugtraq;
      > therefore, presence of any of the following files on Linux
      systems
      > running Apache with OpenSSL is indicative of compromise.
      >
      > /tmp/.bugtraq.c
      > /tmp/.bugtraq
      >
      > The probing phase of the attack may show up in web server logs as:
      >
      > GET /mod_ssl:error:HTTP-request HTTP/1.0
      >
      > Note that the appearance of this entry in a web server log is
      not
      > indicative of compromise, but is merely evidence of a probe from
      an
      > infected system.
      >
      > Reports received by the CERT/CC indicate that Apache systems
      may
      > subsequently log messages similar to the following:
      >
      > [error] SSL handshake failed: HTTP spoken on HTTPS port;
      trying
      > to send HTML error page (OpenSSL library error follows)
      >
      > [error] OpenSSL: error:1407609C:SSL
      > routines:SSL23_GET_CLIENT_HELLO:http request [Hint:
      speaking
      > HTTP to HTTPS port!?]
      >
      > Actual log entries may vary from system to system, but will
      generally
      > include an "SSL handshake failed" followed by an OpenSSL
      library
      > error.
      >
      > Hosts found to be listening for or transmitting data on 2002/udp
      are
      > also indicative of compromise by the Apache/mod_ssl worm.
      >
      > Detecting Apache/mod_ssl worm activity on the network
      >
      > Infected systems are readily identifiable on a network by
      the
      > following traffic characteristics:
      >
      > * Probing -- Scanning on 80/tcp
      >
      > * Propagation -- Connections to 443/tcp
      >
      > * DDoS -- Transmitting or receiving datagrams with both source
      and
      > destination ports 2002/udp. This traffic is used as
      a
      > communications channel between infected systems to
      coordinate
      > attacks on other sites.
      >
      > Additionally, infected hosts that are actively participating in
      DDoS
      > attacks against other systems may generate unusually high volumes
      of
      > attack traffic using various protocols (e.g., TCP, UDP, ICMP)
      >
      > II. Impact
      >
      > Compromise by the Apache/mod_ssl worm indicates that a remote
      attacker
      > can execute arbitrary code as the apache user on the victim system.
      It
      > may be possible for an attacker to subsequently leverage a
      local
      > privilege escalation exploit in order to gain root access to
      the
      > victim system. Furthermore, the DDoS capabilities included in
      the
      > Apache/mod_ssl worm allow victim systems to be used as platforms
      to
      > attack other systems.
      >
      > III. Solution
      >
      > Apply a patch
      >
      > Administrators of all systems running OpenSSL are encouraged to
      review
      > CA-2002-23 and VU#102795 for detailed vendor recommendations
      regarding
      > patches.
      >
      > http://www.cert.org/advisories/CA-2002-23.html
      > http://www.kb.cert.org/vuls/id/102795
      >
      > Note that while the vulnerability exploited by the Apache/mod_ssl
      worm
      > was fixed beginning with OpenSSL version 0.9.6e, as of this
      writing
      > the latest version of OpenSSL is 0.9.6g. Administrators may wish
      to
      > upgrade to that version instead.
      >
      > http://www.openssl.org/source/
      >
      > The following is reproduced in part from CA-2002-23
      >
      > Upgrade to version 0.9.6e of OpenSSL
      >
      > Upgrade to version 0.9.6e of OpenSSL to resolve the
      issues
      > addressed in this advisory. As noted in the OpenSSL
      advisory,
      > separate patches are available:
      >
      > Combined patches for OpenSSL 0.9.6d:
      > http://www.openssl.org/news/patch_20020730_0_9_6d.txt
      >
      > After either applying the patches above or upgrading to
      0.9.6e,
      > recompile all applications using OpenSSL to support SSL or
      TLS
      > services, and restart said services or systems. This will
      eliminate
      > all known vulnerable code.
      >
      > Sites running OpenSSL pre-release version 0.9.7-beta2 may wish
      to
      > upgrade to 0.9.7-beta3, which corrects these
      vulnerabilities.
      > Separate patches are available as well:
      >
      > Combined patches for OpenSSL 0.9.7 beta 2:
      > http://www.openssl.org/news/patch_20020730_0_9_7.txt
      >
      > Disable SSLv2
      >
      > Disabling SSLv2 handshaking will prevent exploitation of
      VU#102795.
      > CERT/CC recomends consulting the mod_ssl documentation for a
      complete
      > description of the options but one method for disabling SSLv2 is
      to
      > remove SSLv2 as a supported cipher in the SSLCipherSuite directive
      in
      > the configuration file. For example:
      >
      > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
      >
      > which allows SSLv2 can be changed to
      >
      > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
      >
      > which will disable SSLv2. Note the changing of +SSLv2 to !SSLv2.
      >
      > However, systems may still be susceptible to the other
      vulnerabilities
      > described in CA-2002-23.
      >
      > Recovering from a system compromise
      >
      > If you believe a system under your administrative control has
      been
      > compromised, please follow the steps outlined in
      >
      > http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
      >
      > Reporting
      >
      > The CERT/CC is interested in receiving reports of this activity.
      If
      > machines under your administrative control are compromised,
      please
      > send mail to cert@... with the following text included in
      the
      > subject line: "[CERT#23820]".
      > _________________________________________________________________
      >
      > Feedback can be directed to the author: Allen Householder
      >
      ______________________________________________________________________
      >
      > This document is available from:
      > http://www.cert.org/advisories/CA-2002-27.html
      >
      ______________________________________________________________________
      >
      > CERT/CC Contact Information
      >
      > Email: cert@...
      > Phone: +1 412-268-7090 (24-hour hotline)
      > Fax: +1 412-268-6989
      > Postal address:
      > CERT Coordination Center
      > Software Engineering Institute
      > Carnegie Mellon University
      > Pittsburgh PA 15213-3890
      > U.S.A.
      >
      > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5)
      /
      > EDT(GMT-4) Monday through Friday; they are on call for
      emergencies
      > during other hours, on U.S. holidays, and on weekends.
      >
      > Using encryption
      >
      > We strongly urge you to encrypt sensitive information sent by
      email.
      > Our public PGP key is available from
      > http://www.cert.org/CERT_PGP.key
      >
      > If you prefer to use DES, please call the CERT hotline for
      more
      > information.
      >
      > Getting security information
      >
      > CERT publications and other security information are available
      from
      > our web site
      > http://www.cert.org/
      >
      > To subscribe to the CERT mailing list for advisories and
      bulletins,
      > send email to majordomo@.... Please include in the body of
      your
      > message
      >
      > subscribe cert-advisory
      >
      > * "CERT" and "CERT Coordination Center" are registered in the
      U.S.
      > Patent and Trademark Office.
      >
      ______________________________________________________________________
      >
      > NO WARRANTY
      > Any material furnished by Carnegie Mellon University and the
      Software
      > Engineering Institute is furnished on an "as is" basis.
      Carnegie
      > Mellon University makes no warranties of any kind, either expressed
      or
      > implied as to any matter including, but not limited to, warranty
      of
      > fitness for a particular purpose or merchantability, exclusivity
      or
      > results obtained from use of the material. Carnegie Mellon
      University
      > does not make any warranty of any kind with respect to freedom
      from
      > patent, trademark, or copyright infringement.
      > _________________________________________________________________
      >
      > Conditions for use, disclaimers, and sponsorship information
      >
      > Copyright 2002 Carnegie Mellon University.
      >
      > Revision History
      > September 14, 2002: Initial release
      >
      >
      >
      >
      >
      >
      > -----BEGIN PGP SIGNATURE-----
      > Version: PGP 6.5.8
      >
      > iQCVAwUBPYODr6CVPMXQI2HJAQHhbgQAktzDUa8MYdBlGkimk9Qo5oVhnEAAUW1s
      > gkadeQIwNw+bXhu8bzcbx/5WLK2vS09ivFknNO3WYy2MIDFWTtoct4R3xX/PM5Ad
      > LB7HKSP6nukMJcTq6vnHTtOzaWQkLgbWgOPMpsPfxrjVG6lz4AnwyqkmmLOrl1NS
      > YMgTNn0niIk=
      > =SON1
      > -----END PGP SIGNATURE-----
    • Richard Jobity
      Done and discussed. Thanks for the heads-up, though. ... From: Ansar Mohammed [mailto:amohammed@carib-link.net] Sent: Monday, September 16, 2002 2:37 PM To:
      Message 2 of 2 , Sep 16, 2002
      • 0 Attachment
        Done and discussed. Thanks for the heads-up, though.



        -----Original Message-----
        From: Ansar Mohammed [mailto:amohammed@...]
        Sent: Monday, September 16, 2002 2:37 PM
        To: thetechies@yahoogroups.com; ttcs@yahoogroups.com;
        TTLUG@yahoogroups.com
        Subject: [TTLUG] FW: CERT Advisory CA-2002-27 Apache/mod_ssl Worm




        > -----Original Message-----
        > From: CERT Advisory [mailto:cert-advisory@...]
        > Sent: Saturday, September 14, 2002 3:25 PM
        > To: cert-advisory@...
        > Subject: CERT Advisory CA-2002-27 Apache/mod_ssl Worm
        >
        >
        >
        > -----BEGIN PGP SIGNED MESSAGE-----
        >
        > CERT Advisory CA-2002-27 Apache/mod_ssl Worm
        >
        > Original release date: September 14, 2002
        > Last revised: --
        > Source: CERT/CC
        >
        > A complete revision history can be found at the end of this file.
        >
        > Systems Affected
        >
        > * Linux systems running Apache with mod_ssl accessing
        SSLv2-enabled
        > OpenSSL 0.9.6d or earlier on Intel x86 architectures
        >
        > Overview
        >
        > The CERT/CC has received reports of self-propagating malicious
        code
        > which exploits a vulnerability (VU#102795) in OpenSSL. This
        malicious
        > code has been referred to as Apache/mod_ssl worm,
        linux.slapper.worm
        > and bugtraq.c worm.
        >
        > I. Description
        >
        > The Apache/mod_ssl worm is self-propagating malicious code
        that
        > exploits the OpenSSL vulnerability described in VU#102795.
        >
        > http://www.kb.cert.org/vuls/id/102795
        >
        > This vulnerability was the among the topics discussed in CA-2002-23
        > "Multiple Vulnerabilities In OpenSSL".
        >
        > http://www.cert.org/advisories/CA-2002-23.html
        >
        > While this OpenSSL server vulnerability exists on a wide variety of
        > platforms, the Apache/mod_ssl worm appears to work only on Linux
        > systems running Apache with the OpenSSL module (mod_ssl) on Intel
        > architectures.
        >
        > The Apache/mod_ssl worm scans for potentially vulnerable systems
        on
        > 80/tcp using an invalid HTTP GET request.
        >
        > GET /mod_ssl:error:HTTP-request HTTP/1.0
        >
        > When an Apache system is detected, it attempts to send exploit code
        to
        > the SSL service via 443/tcp. If successful, a copy of the
        malicious
        > source code is then placed on the victim server, where the
        attacking
        > system tries to compile and run it. Once infected, the victim
        server
        > begins scanning for additional hosts to continue the
        worm's
        > propagation.
        >
        > Additionally, the Apache/mod_ssl worm can act as an attack
        platform
        > for distributed denial-of-service (DDoS) attacks against other
        sites
        > by building a network of infected hosts. During the infection
        process,
        > the attacking host instructs the newly-infected victim to
        initiate
        > traffic on 2002/udp back to the attacker. Once this
        communications
        > channel has been established, the infected system becomes part of
        the
        > Apache/mod_ssl worm's DDoS network. Infected hosts can then
        share
        > information on other infected systems as well as attack
        instructions.
        > Thus, the 2002/udp traffic can be used by a remote attacker
        as a
        > communications channel between infected systems to coordinate
        attacks
        > on other sites.
        >
        > Identifying infected hosts
        >
        > Reports indicate that the Apache/mod_ssl worm's source code is
        placed
        > in /tmp/.bugtraq.c on infected systems. It is compiled with
        gcc,
        > resulting in the executable binary being stored at
        /tmp/.bugtraq;
        > therefore, presence of any of the following files on Linux
        systems
        > running Apache with OpenSSL is indicative of compromise.
        >
        > /tmp/.bugtraq.c
        > /tmp/.bugtraq
        >
        > The probing phase of the attack may show up in web server logs as:
        >
        > GET /mod_ssl:error:HTTP-request HTTP/1.0
        >
        > Note that the appearance of this entry in a web server log is
        not
        > indicative of compromise, but is merely evidence of a probe from
        an
        > infected system.
        >
        > Reports received by the CERT/CC indicate that Apache systems
        may
        > subsequently log messages similar to the following:
        >
        > [error] SSL handshake failed: HTTP spoken on HTTPS port;
        trying
        > to send HTML error page (OpenSSL library error follows)
        >
        > [error] OpenSSL: error:1407609C:SSL
        > routines:SSL23_GET_CLIENT_HELLO:http request [Hint:
        speaking
        > HTTP to HTTPS port!?]
        >
        > Actual log entries may vary from system to system, but will
        generally
        > include an "SSL handshake failed" followed by an OpenSSL
        library
        > error.
        >
        > Hosts found to be listening for or transmitting data on 2002/udp
        are
        > also indicative of compromise by the Apache/mod_ssl worm.
        >
        > Detecting Apache/mod_ssl worm activity on the network
        >
        > Infected systems are readily identifiable on a network by
        the
        > following traffic characteristics:
        >
        > * Probing -- Scanning on 80/tcp
        >
        > * Propagation -- Connections to 443/tcp
        >
        > * DDoS -- Transmitting or receiving datagrams with both source
        and
        > destination ports 2002/udp. This traffic is used as
        a
        > communications channel between infected systems to
        coordinate
        > attacks on other sites.
        >
        > Additionally, infected hosts that are actively participating in
        DDoS
        > attacks against other systems may generate unusually high volumes
        of
        > attack traffic using various protocols (e.g., TCP, UDP, ICMP)
        >
        > II. Impact
        >
        > Compromise by the Apache/mod_ssl worm indicates that a remote
        attacker
        > can execute arbitrary code as the apache user on the victim system.
        It
        > may be possible for an attacker to subsequently leverage a
        local
        > privilege escalation exploit in order to gain root access to
        the
        > victim system. Furthermore, the DDoS capabilities included in
        the
        > Apache/mod_ssl worm allow victim systems to be used as platforms
        to
        > attack other systems.
        >
        > III. Solution
        >
        > Apply a patch
        >
        > Administrators of all systems running OpenSSL are encouraged to
        review
        > CA-2002-23 and VU#102795 for detailed vendor recommendations
        regarding
        > patches.
        >
        > http://www.cert.org/advisories/CA-2002-23.html
        > http://www.kb.cert.org/vuls/id/102795
        >
        > Note that while the vulnerability exploited by the Apache/mod_ssl
        worm
        > was fixed beginning with OpenSSL version 0.9.6e, as of this
        writing
        > the latest version of OpenSSL is 0.9.6g. Administrators may wish
        to
        > upgrade to that version instead.
        >
        > http://www.openssl.org/source/
        >
        > The following is reproduced in part from CA-2002-23
        >
        > Upgrade to version 0.9.6e of OpenSSL
        >
        > Upgrade to version 0.9.6e of OpenSSL to resolve the
        issues
        > addressed in this advisory. As noted in the OpenSSL
        advisory,
        > separate patches are available:
        >
        > Combined patches for OpenSSL 0.9.6d:
        > http://www.openssl.org/news/patch_20020730_0_9_6d.txt
        >
        > After either applying the patches above or upgrading to
        0.9.6e,
        > recompile all applications using OpenSSL to support SSL or
        TLS
        > services, and restart said services or systems. This will
        eliminate
        > all known vulnerable code.
        >
        > Sites running OpenSSL pre-release version 0.9.7-beta2 may wish
        to
        > upgrade to 0.9.7-beta3, which corrects these
        vulnerabilities.
        > Separate patches are available as well:
        >
        > Combined patches for OpenSSL 0.9.7 beta 2:
        > http://www.openssl.org/news/patch_20020730_0_9_7.txt
        >
        > Disable SSLv2
        >
        > Disabling SSLv2 handshaking will prevent exploitation of
        VU#102795.
        > CERT/CC recomends consulting the mod_ssl documentation for a
        complete
        > description of the options but one method for disabling SSLv2 is
        to
        > remove SSLv2 as a supported cipher in the SSLCipherSuite directive
        in
        > the configuration file. For example:
        >
        > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+SSLv2
        >
        > which allows SSLv2 can be changed to
        >
        > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!SSLv2
        >
        > which will disable SSLv2. Note the changing of +SSLv2 to !SSLv2.
        >
        > However, systems may still be susceptible to the other
        vulnerabilities
        > described in CA-2002-23.
        >
        > Recovering from a system compromise
        >
        > If you believe a system under your administrative control has
        been
        > compromised, please follow the steps outlined in
        >
        > http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
        >
        > Reporting
        >
        > The CERT/CC is interested in receiving reports of this activity.
        If
        > machines under your administrative control are compromised,
        please
        > send mail to cert@... with the following text included in
        the
        > subject line: "[CERT#23820]".
        > _________________________________________________________________
        >
        > Feedback can be directed to the author: Allen Householder
        >
        ______________________________________________________________________
        >
        > This document is available from:
        > http://www.cert.org/advisories/CA-2002-27.html
        >
        ______________________________________________________________________
        >
        > CERT/CC Contact Information
        >
        > Email: cert@...
        > Phone: +1 412-268-7090 (24-hour hotline)
        > Fax: +1 412-268-6989
        > Postal address:
        > CERT Coordination Center
        > Software Engineering Institute
        > Carnegie Mellon University
        > Pittsburgh PA 15213-3890
        > U.S.A.
        >
        > CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5)
        /
        > EDT(GMT-4) Monday through Friday; they are on call for
        emergencies
        > during other hours, on U.S. holidays, and on weekends.
        >
        > Using encryption
        >
        > We strongly urge you to encrypt sensitive information sent by
        email.
        > Our public PGP key is available from
        > http://www.cert.org/CERT_PGP.key
        >
        > If you prefer to use DES, please call the CERT hotline for
        more
        > information.
        >
        > Getting security information
        >
        > CERT publications and other security information are available
        from
        > our web site
        > http://www.cert.org/
        >
        > To subscribe to the CERT mailing list for advisories and
        bulletins,
        > send email to majordomo@.... Please include in the body of
        your
        > message
        >
        > subscribe cert-advisory
        >
        > * "CERT" and "CERT Coordination Center" are registered in the
        U.S.
        > Patent and Trademark Office.
        >
        ______________________________________________________________________
        >
        > NO WARRANTY
        > Any material furnished by Carnegie Mellon University and the
        Software
        > Engineering Institute is furnished on an "as is" basis.
        Carnegie
        > Mellon University makes no warranties of any kind, either expressed
        or
        > implied as to any matter including, but not limited to, warranty
        of
        > fitness for a particular purpose or merchantability, exclusivity
        or
        > results obtained from use of the material. Carnegie Mellon
        University
        > does not make any warranty of any kind with respect to freedom
        from
        > patent, trademark, or copyright infringement.
        > _________________________________________________________________
        >
        > Conditions for use, disclaimers, and sponsorship information
        >
        > Copyright 2002 Carnegie Mellon University.
        >
        > Revision History
        > September 14, 2002: Initial release
        >
        >
        >
        >
        >
        >
        > -----BEGIN PGP SIGNATURE-----
        > Version: PGP 6.5.8
        >
        > iQCVAwUBPYODr6CVPMXQI2HJAQHhbgQAktzDUa8MYdBlGkimk9Qo5oVhnEAAUW1s
        > gkadeQIwNw+bXhu8bzcbx/5WLK2vS09ivFknNO3WYy2MIDFWTtoct4R3xX/PM5Ad
        > LB7HKSP6nukMJcTq6vnHTtOzaWQkLgbWgOPMpsPfxrjVG6lz4AnwyqkmmLOrl1NS
        > YMgTNn0niIk=
        > =SON1
        > -----END PGP SIGNATURE-----



        To unsubscribe from this group, send an email to:
        TTLUG-unsubscribe@egroups.com



        Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
      Your message has been successfully submitted and would be delivered to recipients shortly.