lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: John.Airey at rnib.org.uk (John.Airey@...b.org.uk)
Subject: The last word on the Linux Slapper worm

There has been a lack of information about the potential for damage around
the Linux Slapper worm, and posts to the bugtraq list ranging from the
sublime to the ridiculous. I am hoping that this post will clear up any
doubts people may have about the vulnerabilities of their systems. It
appears that the Linux vendors and openssl had been working together to
produce an update to the vulnerability that was exploited by this worm.
However, none of the openssl maintainers other than Mark Cox of Red Hat
knows anything about this from what I can gather.

Red Hat have a statement on their home page regarding the vulnerability of
their systems.

http://www.redhat.com/support/alerts/linux_slapper_worm.html 

Suse recently posted to the bugtraq list that their systems weren't
affected. Of these two, only Red Hat have updated the recent CERT
notification at http://www.cert.org/advisories/CA-2002-27.html. I haven't
seen any other vendors post information to either this list or bugtraq, and
apologise now if I've missed one.

The bottom line is that the update for openssl that was released around the
beginning of August protects systems against the Linux Slapper worm. I
haven't checked other Linux vendors sites, but a search of this list's
archives should hopefully show the exact dates of the update.

On a personal note, I contacted Red Hat directly by telephone having not
seen an update almost six weeks since the original vulnerability was
released and was advised to log this as a bug. At this point it was my
(mis)understanding that an update was still due to come out. I duly did this
via their "bugzilla" site: 

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312

I then informed the openssl support list of this bug report with the promise
to let them know the result. At this point I found out what I've stated
above. I never saw the link from Red Hat's home page because it was too far
down the page and anyway I was looking for information on the errata pages
(http://www.redhat.com/errata/). These pages do not contain enough
information to reassure system administrators that their systems are
protected against the vulnerability that this worm exploits. Neither does
the "changelog" of the affected package (which I am assured will be better
in future).

I do not believe that I am the only Linux admin who has been waiting for an
update from my vendor when in fact none was needed. Worse still, the media
who have covered this have also got their facts wrong. For example, Computer
Weekly stated falsely that you need to upgrade to openssl 0.9.6g
http://www.cw360.com/bin/bladerunner?REQSESS=ri42U88C&REQAUTH=0&2149REQEVENT
=&CARTI=115793&CARTT=1&CCAT=1&CCHAN=13&CFLAV=1

In the end Linux Slapper is a non-event, as responsible admins would have
had their systems up to date well before this worm was written, especially
as the update doesn't require a reboot like in the "evil" Windows world. I
believe that the whole disclosure of both the vulnerability and the
existence of the worm has been badly handled by CERT, Bugtraq and all of the
Linux Vendors. Were I writing a school report, I'd put "could do better"!

It's probably worth me pointing out that I sent a version of the above to
the bugtraq list which has yet to be approved, if at all. 

- 
John Airey, BSc (Jt Hons), CNA, RHCE 
Internet systems support officer, ITCSD, Royal National Institute of the
Blind, 
Bakewell Road, Peterborough PE2 6XU, 
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 John.Airey@...b.org.uk 

Reality TV - the ultimate oxymoron 

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ