SuSE Security Announcement: Slapper worm (SuSE-SA:2002:033)From: Olaf Kirch (firstname.lastname@example.org)
- Previous message: Peter Peters: "Re: The Trivial Cisco IP Phones Compromise"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 20 Sep 2002 09:45:51 +0200 From: Olaf Kirch <email@example.com> To: firstname.lastname@example.org
In a typical case of Heisenmurphy, the PGP signature of the previous
message got garbled, and I can't figure out why. Here's a re-send of
the message, re-signed.
I apologize for any confusion this may have caused.
-----BEGIN PGP SIGNED MESSAGE-----
SuSE Security Announcement
Package: openssl/Slapper worm
Date: Thu Sep 19 2002
Affected products: 7.0, 7.1, 7.2, 7.3, 8.0
SuSE Linux Database Server,
SuSE eMail Server III,
SuSE eMail Server 3.1,
SuSE Linux Enterprise Server,
SuSE Linux Firewall on CD,
SuSE Linux Enterprise Server 7
SuSE Linux Office Server
Vulnerability Type: buffer overflow
Severity (1-10): 9
SuSE default package: yes
Cross References: CVE CAN-2002-0655, CAN-2002-0656,
Content of this advisory:
1) vulnerabilities in openssl libraries; Slapper worm
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
1) problem description, brief discussion, solution, upgrade information
This advisory is issued in an attempt to clarify any issues
surrounding the recently discovered Apache/mod_ssl worm.
On July 30, we released a security advisory concerning vulnerabilities
in OpenSSL, including a buffer overflow in the SSL code. This
vulnerability (CVE CAN-2002-0656, also discussed in CERT Advisory
http://www.cert.org/advisories/CA-2002-23.html) is currently being
exploited by a worm called Slapper, propagating through Apache's
It is worth noting that even though the worm infects Apache through
mod_ssl, this is not a vulnerability in mod_ssl or Apache, but in
the OpenSSL library used by mod_ssl.
This also means that Apache may not be the only service vulnerable
to an attack via the SSL bug. Similar exploits may be possible
against cyrus-imapd, sendmail with TLS support, or sslwrap-enabled
As a workaround, it is also possible to disable SSLv2 in mod_ssl
(as described in our previous advisory SuSE-SA:2002:027;
http://www.suse.com/de/security/2002_027_openssl.html), but you
should be aware that this does not protect other SSL based servers
that may be running on your machine.
We have received numerous inquiries from SuSE users on whether the
update packages provided by SuSE as part of SA:2002:027 fix this bug
even though they do not contain the latest OpenSSL version recommended
in various advisories.
To clarify this, we would like to state that these packages DO FIX
the bug exploited by the Slapper worm. Following established policy,
we did this by applying a source code patch instead of upgrading to
a newer version, because the latter usually causes serious problems
for many users (in particular, different versions of OpenSSL libraries
are not always API compatible).
However, it turns out that a number of packages were statically
linked against OpenSSL libraries:
mod_ssl (SuSE Linux 7.0):
We have released rebuilt mod_ssl packages linked against the
most recent OpenSSL libraries.
If you run mod_ssl on SuSE Linux 7.0, you must upgrade mod_ssl,
sendmail-tls (SuSE Linux 7.1, 7.2, 7.3):
Sendmail-tls, the SSL enabled version of sendmail, was linked
statically against OpenSSL on SuSE 7.1, 7.2 and 7.3. The security
impact of this problem is probably the same as with Apache and
We are releasing rebuilt packages linked against the most
Sendmail-tls is not part of the default installation profile.
If you are using sendmail-tls, we strongly recommend you upgrade
to the latest packages provided on our FTP servers.
openssh (SuSE Linux 7.1, 7.2 and 7.3):
Ssh and sshd do not use any SSL functionality, and thus are not
susceptible to the type of attack carried out by the Slapper worm.
To date, we are not aware of any way to exploit them. We nevertheless
recommend to upgrade to the latest versions provided on our FTP site.
freeswan (SuSE Linux 7.1, 7.2):
FreeSWAN includes a utility named fswcert for creating and
manipulating X.509 certificates, which is also linked statically
To date, we are not aware of any way to exploit them. We
nevertheless recommend to upgrade to the latest versions provided
on our FTP site as soon as they become available (2002 Sep 20).
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
we are preparing an update of mod_php4 addressing various
vulnerabilities that have been published recently.
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
after you downloaded the file from a SuSE ftp server or its mirrors.
Then, compare the resulting md5sum with the one that is listed in the
announcement. Since the announcement containing the checksums is
cryptographically signed (usually using the key email@example.com),
the checksums show proof of the authenticity of the package.
We disrecommend to subscribe to security lists which cause the
email message containing the announcement to be modified so that
the signature does not match after transport through the mailing
Downsides: You must be able to verify the authenticity of the
announcement in the first place. If RPM packages are being rebuilt
and a new version of a package is published on the ftp server, all
md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity
of an rpm package. Use the command
rpm -v --checksig <file.rpm>
to verify the signature of the package, where <file.rpm> is the
filename of the rpm package that you have downloaded. Of course,
package authenticity verification can only target an uninstalled rpm
a) gpg is installed
b) The package is signed using a certain key. The public part of this
key must be installed by the gpg program in the directory
~/.gnupg/ under the user's home directory who performs the
signature verification (usually root). You can import the key
that is used by SuSE in rpm packages for SuSE Linux by saving
this announcement to a file ("announcement.txt") and
running the command (do "su -" to be root):
gpg --batch; gpg < announcement.txt | gpg --import
SuSE Linux distributions version 7.1 and thereafter install the
key "firstname.lastname@example.org" upon installation or upgrade, provided that
the package gpg is installed. The file containing the public key
is placed at the toplevel directory of the first CD (pubring.gpg)
and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
- SuSE runs two security mailing lists to which any interested party may
- SuSE's announce-only mailing list.
Only SuSE's security annoucements are sent to this list.
To subscribe, send an email to
SuSE's security contact is <email@example.com> or <firstname.lastname@example.org>.
The <email@example.com> public key is listed below.
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In particular,
it is desired that the cleartext signature shows proof of the
authenticity of the text.
SuSE Linux AG makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----