IDGNet Virus & Security Watch Friday 20th September 2002


This issue's topics:

Introduction:

* Worm routs Linux boxes, Windows RDP & VM patches, WebSphere, SSL & NetBSD updates

Virus News:

* New worm a bit of a Slapper

Security News:

* Patch fixes information leak in RDP for Windows 2000, XP

* Windows Virtual Machine update fixes three vulnerabilities

* My word - no patch for that?

* WebSphere patch fixes server denial of service flaw

* Updated OpenSSL/mod_ssl packages

* Multiple NetBSD security updates

Introduction:

Most of the interest in the security and antivirus communities this last week has been focussed on the Slapper worm that compromised thousands of Linux web servers through a bug in their SSL code. There's little, if anything, to say that isn't mentioned in the linked pages below, so enjoy the read...

On the security patches side of things, obviously anyone running a possibly vulnerable version of OpenSSL/mod_ssl should check to make sure they are not open to Slapper, which, although tailing off now, is still running out there and getting some new victims. What has been somewhat over-emphasised in all the talk about Slapper is that it is Linux-specific. That makes the threat profile higher for users of x86 Linux machines, but the vulnerability could be exploited on many other platforms that also popularly support OpenSSL/mod_ssl.

Aside from SSL worries, Windows administrators should check the two latest Microsoft security bulletins, and Word users in general, and particularly Word 97 users, should read about the silent data theft mechanism built into that product (a crash course on the purpose of the Alt-F9 key would probably be advisable...). WebSphere on multiple OSes has an update for a serious buffer overflow problem and NetBSD has a large number of security patches apparently designed to coerce users to move to the 1.6 build.

Virus News:

* New worm a bit of a Slapper

It is not often CERT releases advisories about network worms, but this happened shortly after the previous newsletter was mailed out. A worm named Slapper by most sources, but also referred to as Modap and 'the Apache/mod_ssl worm', was first seen in Europe on Friday last week (early Saturday morning here). When run on a victim machine, Slapper targets randomly chosen machines. If it successfully overflows a vulnerable buffer in the version of mod_ssl on the victim, it then sends a copy of its source code and issues commands to compile itself on the victim and then to run the newly built copy of itself, starting the cycle on that new victim.

The mod_ssl vulnerability was publicly disclosed just six weeks prior to Slapper's appearance and it appears that a reasonable number of vulnerable machines have still not been patched. Note that Slapper specifically has code to determine the version of Linux running on a potential victim machine. It does this by checking to see if Apache is running and, if so, what OS flavour and kernel build it is running on. This information is used to choose a suitable memory location to direct the overflow to so that the overflow payload gains control and spreads the worm. Thus, although the version of the worm found last weekend is Linux-specific (and only likely to work at all reliably on the 21 combinations it specifically tests for), its general approach could easily be adapted for some other OSes also running vulnerable versions of mod_ssl.

Aside from propagating, Slapper also sets its victims up as agents in a potential DDoS network. This network is coordinated via control messages sent between the member nodes on UDP port 2002. The CERT Coordination Center advisory has a good overview, so is listed with the usual antivirus vendor descriptions. Note there are two links to F-Secure's site - the first is their virus description and the second an interesting Slapper information page including some statistics of the observed size and growth of the worm's DDoS network. Users of OpenSSL and mod_ssl should double-check their current patch levels, as per the advice in the 'Updated OpenSSL/mod_ssl packages' item in the 'security' section of this newsletter.
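As an added illustration (not part of the original newsletter), the control-channel detail above turns into a simple log check: the script below scans constructed firewall-style log lines for UDP datagrams on port 2002 and reports which local hosts are sending or receiving them. The log format, addresses and local prefix are made up for the example.

```python
import re
from collections import defaultdict

# Slapper's DDoS network coordinates over UDP port 2002 (CERT CA-2002-27).
SLAPPER_CONTROL_PORT = 2002

# Constructed log format for this example (not any real firewall's format):
#   <date> <time> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port> len=<n>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>[A-Z]+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Return the fields of a well-formed line as a dict, or None for junk."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def find_slapper_peers(lines, local_prefix):
    """Return {local_host: {"sent": n, "received": n}} for every host under
    local_prefix seen sending or receiving UDP datagrams on port 2002."""
    seen = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if SLAPPER_CONTROL_PORT not in (rec["sport"], rec["dport"]):
            continue
        if rec["src"].startswith(local_prefix):
            seen[rec["src"]]["sent"] += 1
        if rec["dst"].startswith(local_prefix):
            seen[rec["dst"]]["received"] += 1
    return dict(seen)

# Constructed sample log: one local web server talking to three outside peers.
SAMPLE_LOG = """\
2002-09-14 03:12:07 UDP 10.1.2.3:2002 -> 192.0.2.44:2002 len=120
2002-09-14 03:12:09 TCP 10.1.2.5:44321 -> 192.0.2.10:443 len=52
2002-09-14 03:12:11 UDP 198.51.100.7:2002 -> 10.1.2.3:2002 len=96
2002-09-14 03:12:15 UDP 10.1.2.9:1027 -> 10.1.2.1:53 len=64
this line is malformed and must be skipped
2002-09-14 03:12:20 UDP 10.1.2.3:2002 -> 203.0.113.5:2002 len=120
""".splitlines()
if __name__ == "__main__":
    for host, c in sorted(find_slapper_peers(SAMPLE_LOG, "10.1.2.").items()):
        print(f"{host}: sent={c['sent']} received={c['received']} on UDP/2002")
```

A host that both sends and receives on UDP/2002, as 10.1.2.3 does in the sample, is the strongest signal and should be checked for an unpatched mod_ssl.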

Finally, Jon Lasser, one of the regular columnists on the web site of computer security specialists SecurityFocus was hit by Slapper. His column this week describes a little of what happened and the lessons to take from this incident.

CERT Advisory CA-2002-27 Apache/mod_ssl Worm

Slapped Silly - securityfocus.com

Computer Associates Virus Information Center

F-Secure Security Information Center

F-Secure Global Slapper Worm Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Patch fixes information leak in RDP for Windows 2000, XP

Users of Windows 2000 Terminal Server and/or the Remote Desktop service on XP machines should obtain and install the latest RDP patch from Microsoft. These patches fix two vulnerabilities, although one of them only affects XP (but can cause affected machines to spontaneously reboot). The other vulnerability is a serious weakness in the encryption used to protect the content of the remote user's keystrokes, mouse moves, etc., which can allow someone who can sniff the network to decrypt the contents of the session. Microsoft rates the vulnerabilities as being of 'moderate' severity.

NT 4.0 Terminal Server is not affected by either flaw. Although the patch for XP is available separately, it has already shipped in SP1, covered in last week's newsletter, so should not be needed if SP1 has already been installed. Patches for Windows 2000 Terminal Servers are available now and will be included in SP4 - they install on machines running SP2 or SP3.

Microsoft Security Bulletin MS02-051

* Windows Virtual Machine update fixes three vulnerabilities

Administrators of machines running any Windows OSes should read the security bulletin linked below to determine what course of action, if any, is necessary to ensure their Windows VM installations are up to date with the latest patches. Microsoft has released fixes for three vulnerabilities, two of which are rated 'critical' and one of which could allow an attacker to remotely take control of the victim's machine. If patches are needed, they must be obtained from Windows Update - joy...

Microsoft Security Bulletin MS02-052

* My word - no patch for that?

Several weeks ago Alex Gantman from Qualcomm posted a message to the Bugtraq mailing list explaining how certain field codes in Microsoft Word documents could be used to silently 'steal' entire files from the machine of someone you could convince to open and save a document. This set the proverbial cat among the pigeons, with one of the best known Word 'How to...' book authors suggesting this might be 'The Biggest Word 97 Security Hole Yet'.

The trick revolves around a cunning use of the 'INCLUDETEXT' field code embedded inside other field codes. These can quite effectively hide the action of the INCLUDETEXT field pulling the contents of a second file into the current document. This problem is especially bad for Word 97 users however, as the whole thing can be made to work not only silently and invisibly, but automatically. This seems to be due to a quirk in Word 97's handling of DATE fields, but the details are not important here - the fact is, it works. And, unlike with all the nasty macro-based tricks of yore, there is no security option to warn of the presence of such fields when opening a document or that they may auto-update, nor any mechanism for disabling certain of the more problematic field code functions.

This week Microsoft finally responded to the fuss. Unfortunately for Word 97 users, the product is now considered almost obsolete - at least it is outside the purview of normal product upgrade cycles - so fixes for this problem in Word 97 will not be forthcoming from Microsoft. Aside from this, the Microsoft statement is another example of spin rather than informed comment, with several of the mitigating factors either being incorrectly stated (so as to further downplay the perceived threat) or version-conditional, in that under Word 97 some of the mitigating factors do not apply.

We have linked an archived copy of the original Bugtraq mailing list message and Microsoft's response.

Archived Bugtraq list message - securityfocus.com

Reported Microsoft Word Fields Vulnerability - microsoft.com

* WebSphere patch fixes server denial of service flaw

WebSphere 4.0.3 is vulnerable to a relatively trivial denial of service attack centred around overflowing a buffer handling a part of a URL request. Arguments to part of the URL request larger than about 4KB have been shown to trigger overflows that can crash the server process. PQ62144 is the solution, available for the various OSes WebSphere supports from the advisory linked below.

Possible security exposure with web servers plugin - ibm.com

* Updated OpenSSL/mod_ssl packages

Various Linux distributions have released revised packages for some of the patches necessary to fix all OpenSSL and mod_ssl issues raised by the Slapper worm (see the story in the Virus section of this issue). Administrators of Linux machines who think they have the necessary 0.9.6e mod_ssl patches should check with their vendors to ensure that they are, in fact, fully up to date. The 0.9.6e release was the minimum patchlevel to fix the vulnerability that Slapper exploits, but as of this writing, 0.9.6g is the latest release.
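An added example, not from the newsletter, showing how to compare an installed OpenSSL version string against the 0.9.6e minimum and 0.9.6g latest releases named above; the `openssl version` banners used are constructed samples. The caveat the text hints at applies: distribution packages often backport fixes without changing the version string, so a 'vulnerable' result from this check is a prompt to confirm with the vendor, not proof.

```python
import re

# Patch levels named in the newsletter: 0.9.6e is the minimum release that fixes
# the bug Slapper exploits; 0.9.6g was the latest release at time of writing.
MINIMUM_FIXED = "0.9.6e"
LATEST_RELEASE = "0.9.6g"

# OpenSSL 0.9.x versions are major.minor.fix plus an optional patch letter.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def parse_version(text):
    """Turn '0.9.6e' into a tuple that compares correctly: (0, 9, 6, 'e').
    A missing patch letter sorts below 'a', so 0.9.6 < 0.9.6a < 0.9.6b ..."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)

def version_from_banner(output):
    """Pull the version out of 'openssl version' output such as
    'OpenSSL 0.9.6e 30 Jul 2002' (constructed sample banner)."""
    m = re.search(r"\bOpenSSL (\d+\.\d+\.\d+[a-z]?)\b", output)
    if not m:
        raise ValueError(f"no OpenSSL version in banner: {output!r}")
    return m.group(1)

def assess(version):
    """Classify an installed version against the two patch levels above.
    Caveat: vendors often backport fixes without changing the version
    string, so 'vulnerable' here means 'confirm with the vendor'."""
    v = parse_version(version)
    if v < parse_version(MINIMUM_FIXED):
        return "vulnerable"
    if v < parse_version(LATEST_RELEASE):
        return "patched-but-not-latest"
    return "current"

if __name__ == "__main__":
    for banner in ("OpenSSL 0.9.6d 9 May 2002",      # constructed samples
                   "OpenSSL 0.9.6e 30 Jul 2002",
                   "OpenSSL 0.9.6g 9 Aug 2002"):
        ver = version_from_banner(banner)
        print(f"{ver}: {assess(ver)}")
```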

* Multiple NetBSD security updates

The NetBSD maintainers have produced a new release, NetBSD 1.6, that incorporates several major security fixes, or revisions to earlier security fixes. These fixes mainly involve applications that statically link libc and are due to several recent fixes to that crucial library, but there are some kernel patches too. In total there are 13 advisories covering all these issues. Although three of these advisories had not been released when this was written (they were being held for disclosure coordination between several vendors), the fixes covered by those advisories are in the 1.6 build. The problems of rebuilding a whole release of previous versions of NetBSD mean that there is not such a build yet (and there may never be an official one by the sounds of things). Users of pre-1.6 versions are therefore strongly recommended to upgrade to NetBSD 1.6.

NetBSD administrators wishing to work this all out should consult the 'Recent Advisories' section of the NetBSD Security page, linked below.

Security and NetBSD - netbsd.org
