[Full-Disclosure] The last word on the Linux Slapper worm

From: Schmehl, Paul L (pauls@utdallas.edu)
Date: 09/26/02

From: pauls@utdallas.edu (Schmehl, Paul L)
Date: Wed, 25 Sep 2002 17:10:29 -0500

Interesting. I patched openssl the day the patch was announced (using
up2date.) When the Slapper worm came out, I knew my system wasn't
vulnerable, because I had already applied the patch on June 29th when it
was released. I'm not sure why there would have been confusion about
whether or not your system might be vulnerable, since both the the
vulnerability and the patch were publicly announced, but I suspect it
had to do with the fact that (at least in the case of Red Hat) the
*version* of openssl you're running is patched rather than updating to
the latest version.

On RH 7.2 (my system), for example, openssl is version 0.9.6b, but it's
patched against this vulnerability. All the advisories suggest updating
to at least version 0.9.6e if not g, but they do not address the fact
that your vendor may have patched previous versions. I sent a post to
bugtraq pointing that out, but it was never published. Guess I'll just
use this list from now on.

Paul Schmehl (pauls@utdallas.edu)
Department Coordinator
The University of Texas at Dallas
AVIEN Founding Member

> -----Original Message-----
> From: John.Airey@rnib.org.uk [mailto:John.Airey@rnib.org.uk]
> Sent: Monday, September 23, 2002 9:48 AM
> To: full-disclosure@lists.netsys.com
> Subject: [Full-Disclosure] The last word on the Linux Slapper worm
> Importance: High
> There has been a lack of information about the potential for
> damage around the Linux Slapper worm, and posts to the
> bugtraq list ranging from the sublime to the ridiculous. I am
> hoping that this post will clear up any doubts people may
> have about the vulnerabilities of their systems. It appears
> that the Linux vendors and openssl had been working together
> to produce an update to the vulnerability that was exploited
> by this worm. However, none of the openssl maintainers other
> than Mark Cox of Red Hat knows anything about this from what
> I can gather.

Relevant Pages

  • Risks Digest 27.83
    ... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS ... OpenSSL Heartbleed vulnerability ... Experts Find a Door Ajar in an Internet Security Method ...
  • CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL
    ... There are four remotely exploitable buffer overflows in OpenSSL. ... Several of these vulnerabilities could be used by a remote attacker to ... This vulnerability can be exploited by a client ... Exploitation of this vulnerability can lead to remote ...
  • Re: freebsd-security Digest, Vol 482, Issue 1
    ... http://heartbleed.com/ describes an openssl vulnerability published ... FreeBSD 10 and we are also going to need an updated port. ... The implications of this vulnerability are pretty massive, ... unsigned int payload; ...
  • [CLA-2004:834] Conectiva Security Announcement - openssl
    ... OpenSSL versions distributed with Conectiva Linux: ... vulnerability was discovered by the OpenSSL team using the ... after the new packages are installed. ...
  • MDKSA-2002:046 - openssl update
    ... OpenSSL code that are all potentially remotely exploitable. ... a vulnerability was found by Adi Stav and James Yonan ... upgrade to these OpenSSL packages. ... Mandrake Linux 8.0/ppc: ...