Koozali.org: home of the SME Server

OpenSSL Worm Vulnerability?

Andy

OpenSSL Worm Vulnerability?
« on: September 14, 2002, 06:18:38 AM »
Can someone confirm that with the latest updates installed, 5.1.2 and 5.5 aren't vulnerable to the latest "Linux Slapper" worm?
http://securityresponse.symantec.com/avcenter/venc/data/linux.slapper.worm.html

I don't expect I have anything to worry about. Rich and the Boyz seem to be pretty much on top of things.

Rich Lafferty

Re: OpenSSL Worm Vulnerability?
« Reply #1 on: September 14, 2002, 08:52:08 AM »
[As on top of things as we might be, we're always even more on top of
security@e-smith.com -- *please* send notice of potential vulnerabilities
there instead of to the boards! We won't prevent you from posting our
replies, but we *would* like to ensure we see your report in a timely
manner and have an opportunity to investigate if necessary.]

Short answer: With the latest updates installed, 5.1.2 and 5.5 aren't vulnerable.

Longer answer: There were four vulnerabilities disclosed in OpenSSL a few
weeks ago. One only affects 64-bit systems (CAN-2002-0657), and one only
affects versions above 0.9.7 (CAN-2002-0655), so that leaves two for us
(the ssl2 key buffer overflow, CAN-2002-0656; and the ASN parser
confusion, CAN-2002-0659).

While OpenSSL.org recommends upgrading to OpenSSL 0.9.6g, Red Hat
has ported fixes for CAN-2002-0656 and CAN-2002-0659 into
openssl-0.9.6b; those are identified in the changelog as "Ben Laurie's
patches" and "ASN.1", respectively. Those updates were included in
the most recent SME Server update.

(Notes: The worm exploits CAN-2002-0656, the CAN- identifiers are
from the CVE database at http://cve.mitre.org/, and there are "girlz"
around here too, y'know. :-)

Cheers,
--Rich

Andy MacDonald

Re: OpenSSL Worm Vulnerability?
« Reply #2 on: September 14, 2002, 02:48:29 PM »
Hi Rich,
You've got girlz there too?
Thanks for your reply. I was pretty confident of this worm being based on the SSL exploit, with it appearing long after the vulnerability was announced, and e-smith patches.
Had I thought that I'd been hacked or found a hole, I'd be posting to security@e-smith, but then I'd be asking for trouble as my box has lots of non standard tweaks installed.

Drew

Re: OpenSSL Worm Vulnerability?
« Reply #3 on: September 17, 2002, 06:25:23 PM »
Is there a way to check @ the SME console if the latest patches have been applied to SME v 5.0 - i.e. by doing a 'rpm -q' command?

Dan

Re: OpenSSL Worm Vulnerability?
« Reply #4 on: September 19, 2002, 02:36:58 AM »
"rpm -qa | grep openssl"
"rpm -qa | grep apache"
"rpm -qa | grep mod_ssl"

And look at the versions.
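An added example, not part of the original posts: because Red Hat backported the fixes into openssl-0.9.6b, the version string printed by `rpm -qa` does not change to 0.9.6g, so the package changelog is the more reliable thing to inspect. The sketch below looks for the two changelog markers named in Reply #1; the function names and sample changelog entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from RPM changelog text whether the two backported
# fixes named in Reply #1 are present. Marker strings come from that reply;
# everything else here is an assumption for illustration.

# Reads changelog text on stdin, prints one line per CVE candidate.
# Returns 0 only if both fix markers are found.
check_backports() {
    changelog=$(cat)
    rc=0
    for entry in "CAN-2002-0656|Ben Laurie" "CAN-2002-0659|ASN.1"; do
        id=${entry%%|*}
        marker=${entry#*|}
        # -F treats the marker as a fixed string, so the dot in "ASN.1" is literal
        if printf '%s\n' "$changelog" | grep -qiF -- "$marker"; then
            echo "$id: fix marker \"$marker\" found"
        else
            echo "$id: fix marker \"$marker\" MISSING"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample changelogs (not real package data).
sample_patched() {
    cat <<'EOF'
* Tue Jan 01 2002 Packager <packager@example.invalid> 0.9.6b-XX
- add ASN.1 fixes (constructed entry)
* Tue Jan 01 2002 Packager <packager@example.invalid> 0.9.6b-XX
- add Ben Laurie's patches (constructed entry)
EOF
}
sample_unpatched() {
    cat <<'EOF'
* Tue Jan 01 2002 Packager <packager@example.invalid> 0.9.6b-XX
- rebuild (constructed entry)
EOF
}

# Demonstration on the constructed data.
# On a live system: rpm -q --changelog openssl | check_backports
sample_patched | check_backports
```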

Stephen Sloan

Re: OpenSSL Worm Vulnerability?
« Reply #5 on: September 19, 2002, 09:47:12 PM »
I have downloaded and applied the security updates as outlined below:

"Scope
Updates have been released for the following versions of the SMEServer

SMEServer version 5.5
SMEServer version 5.1.2
SMEServer version 5.1.1
SMEServer version 5.0
These updates address the following security issue

Remotely-exploitable denial of service attack in ASN1 libraries in the OpenSSL cryptographic libraries (CAN-2002-0659). A detailed advisory is located at

    http://rhn.redhat.com/errata/RHSA-2002-160.html
"

Here is a transcript of my session:

[root@SME1 updates]# rpm -Uvh --replacepkgs *.rpm
Preparing...                ########################################### [100%]
   1:apache                 ########################################### [  7%]
   2:libtool-libs           ########################################### [ 15%]
   3:libxml2                ########################################### [ 23%]
   4:openssl                ########################################### [ 30%]
   5:openssh                ########################################### [ 38%]
   6:openssh-clients        ########################################### [ 46%]
   7:openssh-server         ########################################### [ 53%]
   8:pspell                 ########################################### [ 61%]
   9:php                    ########################################### [ 69%]
  10:php-imap               ########################################### [ 76%]
  11:php-ldap               ########################################### [ 84%]
  12:php-mysql              ########################################### [ 92%]
Stopping sshd:[   OK   ]
Starting sshd:[   OK   ]
[root@SME1 updates]# /sbin/e-smith/signal-event post-upgrade
/var/tmp/rpm-tmp.52921: /etc/rc7.d/S86httpd-admin: No such file or directory
/var/tmp/rpm-tmp.52921: /etc/rc7.d/S85httpd-e-smith: No such file or directory

Two questions:

1. Are the two error messages a problem?
2. How can I tell if my system has been compromised prior to applying the update?

Al Church

Re: OpenSSL Worm Vulnerability?
« Reply #6 on: September 19, 2002, 09:50:59 PM »
Two Questions:

1. Is there a reason the updates are not showing up as Blades? I can see why Mitel would not want to put regular updates in the blades, but shouldn't security issues be important enough to supersede Mitel's reasons for not using blades for people that haven't purchased service link?

2. How can I tell if I was "infected" with this worm? (5.1.2 Update 2 (latest blade) I went through and manually updated, but the control panel says that I have update 2 ** Modified.

Peter Hollandare

Re: OpenSSL Worm Vulnerability?
« Reply #7 on: September 20, 2002, 04:17:17 PM »
Al : by typing this : netstat -ntl |grep 2002 , or check in /tmp/ <- only file that should be there (normally) is a temp file, created by apache.
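An added example, not part of the original post: a plain `grep 2002` also matches any line that merely contains those digits (port 20020, for instance), and `-t` lists only TCP sockets. The sketch below matches the local port field exactly and accepts UDP as well as TCP lines; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report sockets bound to an exact local port.
# Reads `netstat -ntul` style output on stdin; $1 is the port number.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            # Field 4 is the local address; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] == port) print $1, $4
        }'
}

# Constructed sample output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:20020           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:2002            0.0.0.0:*
EOF
}

# Demonstration on the constructed data.
# On a live system: netstat -ntul | listeners_on_port 2002
sample_netstat | listeners_on_port 2002
```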

Drew

Re: OpenSSL Worm Vulnerability?
« Reply #8 on: October 07, 2002, 05:16:52 PM »
Peter,

My /tmp folder has two (2) files listed:

Name                    Size            MTime
authfail.log.unsort     0               Oct 7 03:30
session_mm.sem          0               Oct 7 04:02

Does this mean the SME server has been compromised by the Open SSL Worm?  If so, what do I do now to fix?  Thanks.

Drew