icelava
02-10-2002, 14:00
CNET Asia Security Techguide:
Slapper worm attacks SSL-enabled Apache servers
A common verbal battleground between the Microsoft and Linux camps is Web server security, specifically IIS vs. Apache. Nimda and Code Red widely exploited IIS, which made Microsoft look more closely at the dangers of application bundling.
Apache's security track record is considerably better than that of IIS. That's good because Apache is by far the most widely used Web server platform. (Netcraft says that about 63 percent of the Web servers it surveyed are running Apache.) Even though the core Apache server is very reliable and secure, that doesn't mean Apache's additional components are. Additionally, Apache has had its fair share of bug reports over the years.
Stock Apache is fairly bare bones, but it does a pretty good job of being an HTTP server. Since Apache is a modular Web server, modules can be added to Apache to allow it to perform authentication and server-side scripting, and to use the SSL protocol for secure Web services. Most of these modules are also freely available. You use the modules you want, and disable or leave out the ones you don't.
A security flaw in a module or in a component used by a module can result in Apache being compromised. That's exactly what happened with the now-famous Slapper worm, which infects Apache systems using the mod_ssl module. The actual flaw being exploited is in OpenSSL, a freely available SSL implementation.
As in the case of the worms affecting Microsoft IIS, information about the problem and what to do to correct it was detailed long before the Slapper worm. To fix the problem, you basically upgrade to a newer version of OpenSSL and recompile mod_ssl. CERT released an advisory about this problem, which includes specific UNIX vendor information. Once again, poor system administration is why Slapper has spread to so many systems.
The Slapper worm is installed on systems when a response to a specific HTTP request is sent to an Apache system that is using mod_ssl. If a system is vulnerable, a copy of Slapper is installed and begins running. A running Slapper daemon will first notify the machine that infected it, which will add new machines to the infected hosts list. The newly infected machine then begins scanning for other potential victims, infects them, and records the IP address of the infected host. This builds a network of Slapper "drones" that can launch a distributed denial of service (DoS) attack, since Slapper can be controlled remotely. Some security sites have already been "slapped around," so to speak.
The scanning, infection, and reporting of newly infected machines communicate with UDP port 2002. Blocking this port on firewalls and Internet routers breaks the communication, but it won't stop Slapper from getting into a vulnerable system. Although it's possible to change the Apache server information Slapper looks for, the only decisive way to fix the problem is to upgrade to the latest version of OpenSSL, recompile Apache and/or the mod_ssl module, and fix the vulnerability.
Responding to security bulletins and fixing systems is basic system administration whether you're using Windows or Linux. Then again, no one's perfect. Slapper infected at least two systems where I work. The systems were quickly identified and fixed, and neither were production Web servers. However, I still feel the smack of Slapper across my face. Oh, and incidentally, Nimda was making its initial rounds about this time last year. Coincidence?
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
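The article points out that Slapper drones talk to each other over UDP port 2002 and that blocking the port only breaks that communication, not the infection. The following added example (not part of the original post or the article) turns that observation into a detection check: it parses constructed iptables-style firewall log lines, collects which hosts exchange UDP/2002 traffic, and flags local hosts with drone-like fan-out to several distinct peers. The log format, the local address prefix and the peer threshold are assumptions.

```python
"""Flag local hosts showing the UDP/2002 peer pattern described for Slapper.
Added example; log line format (iptables-style SRC/DST/PROTO/SPT/DPT) is an assumption."""
import re
from collections import defaultdict

SLAPPER_PORT = 2002  # UDP port named in the article

# Matches the SRC/DST/PROTO fields and the optional SPT/DPT fields of a netfilter log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return a dict with src, dst, proto, spt, dpt (ports as int or None), or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def udp2002_peers(lines):
    """Map each host to the set of peers it exchanged UDP/2002 datagrams with (either direction)."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if SLAPPER_PORT in (rec["spt"], rec["dpt"]):
            peers[rec["src"]].add(rec["dst"])
            peers[rec["dst"]].add(rec["src"])
    return peers


def suspect_hosts(lines, local_prefix, min_peers=2):
    """Local hosts talking UDP/2002 with at least min_peers distinct peers: the drone fan-out pattern."""
    return sorted(h for h, p in udp2002_peers(lines).items()
                  if h.startswith(local_prefix) and len(p) >= min_peers)


# Constructed sample log: 10.0.0.5 shows fan-out, 10.0.0.9 has a single peer, 10.0.0.8 is ordinary HTTPS.
SAMPLE_LOG = [
    "Oct  2 14:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002 LEN=96",
    "Oct  2 14:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=198.51.100.7 PROTO=UDP SPT=2002 DPT=2002 LEN=96",
    "Oct  2 14:00:03 fw kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=UDP SPT=2002 DPT=2002 LEN=88",
    "Oct  2 14:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=198.51.100.7 PROTO=TCP SPT=44321 DPT=443 LEN=60",
    "Oct  2 14:00:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 PROTO=UDP SPT=2002 DPT=2002 LEN=96",
]

if __name__ == "__main__":
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG, "10.0.0."))
```

A hit identifies a host that is already participating in the drone network; as the article says, the fix is still the OpenSSL upgrade and mod_ssl rebuild, with the port block only limiting remote control.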