topic Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE in Operating System - HP-UX

Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Laurie_2 — Fri, 13 Sep 2002 20:47:56 GMT

I just got a mesage about a security
potential problem = Denial of Service

For HP-UX 11.00 (and up) and Apache SSL
1.3.26 or lower.

We are using 1.3.22.

http://online.securityfocus.com/advisories/4469

Can someone tell me if they are reinstalling
the lastest Apache? I know from MoreNet
that a whole bunch of Linux servers are
affected, no unix yet.

Are folks worried? How can I be sure
about my Apache version and SSL version?

I am trying to understand the URL...What
do they want us to do?
Laurie

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

harry d brown jr — Sat, 14 Sep 2002 00:51:04 GMT

The advisory gives a clear answer, so I'd go with the provided solution. Any other would be dangerous and irresponsible!

Of course the real answer lies within the infrastructure that you have built for protecting servers in the DMZ and servers within your internal network!

Routers, switches, firewalls, filters, bastion hosts (http://people.hp.se/stevesk/bastion.html), static IP routing, expose only what is necessary! I have web servers that are more secure than HP's virtual Vaults OS!

live free or die
harry

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Steven Sim Kok Leong — Tue, 17 Sep 2002 04:47:04 GMT

Hi,

The Slapper worm currently affects only Apache on Linux be it RedHat, Debian or Mandrake etc. running a vulnerable version of OpenSSL.

You should be installing the latest apache 1.3.26 or the vendor's release of a patched apache below version 1.3.26. This is because unpatched versions of apache below 1.3.26 are subject to chunk encoding vulnerabilities.

Unpatched OpenSSL 0.9.6d or below is vulnerable. The slapper worm exploits this vulnerability.

It is likely that HP's release of Apache has the patched OpenSSL built in.

Look at CERT CA-2002-23 and CA-2002-27 w.r.t. OpenSSL vulnerabilities. You can find them at http://www.cert.org.

You should get suspicious if you notice a lot of UDP/2002 (src port udp/2002, dst port udp/2002) traffic directed inbound or outbound through your firewalls because this is the communication channel used for commanding DDoS attacks.

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Steven Sim Kok Leong — Tue, 17 Sep 2002 04:53:24 GMT

Hi,

1) Apache Chunk Encoding Vulnerability (CA-2002-17)
- http://www.cert.org/advisories/CA-2002-17.html

2) OpenSSL Vulnerability (CA-2002-23 & CA-2002-27)
- http://www.cert.org/advisories/CA-2002-23.html
- http://www.cert.org/advisories/CA-2002-27.html

Hope this helps. Regards.

Steven Sim Kok Leong

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Laurie_2 — Tue, 17 Sep 2002 14:16:42 GMT

OK Stupit Question here...

How do I tell what release I am running of

Apache
OpenSSL

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Cheryl Griffin — Tue, 17 Sep 2002 15:43:23 GMT

The cert says:
A. Background
The CERT Advisory CA-2002-23 regarding Multiple Vulnerabilities
In OpenSSL, affects the following HP product numbers:

B9415AA Apache 1.3.x HP-UX releases 11.00 and 11.11
B9416AA Apache 2.x HP-UX releases 11.00 and 11.11
B9415AA Apache 1.3.x HP-UX releases 11.20 and 11.22
B9416AA Apache 2.x HP-UX releases 11.20 and 11.22
B9416BA Apache 2.x IPv6 HP-UX release 11.11

To verify whether this version is installed or not:
# swlist |grep -i apache

The cert also says:
The command to stop the HP Apache binary is:
for 1.3.26:
/opt/apache/bin/apachectl stop
for 2.0.39:
/opt/hpapache2/bin/apachectl stop

So check for the existence of these binaries to determine your version also.

B. Fixing the problem
The fixes for all versions are in the form of new product bundles, instead of patches. To retrieve them, go to www.software.hp.com/ISS_products_list.html
Install Apache versions 1.3.26.05 or 2.0.39.05.

The cert also says:
"Installation of this new version of HP Apache over an existing HP Apache installation is supported, while installation over a non-HP Apache is NOT supported."

Cheryl

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Cheryl Griffin — Tue, 17 Sep 2002 15:45:25 GMT

HP provides automatic notification of Security Bulletins: Connect to the ITRC --> Maintenance & Support tab (at the left of screen) --> under Notifications --> Support

Information Digests --> select the check box for Security Bulletins Digest. To see archived security digests, scroll to the bottom of the page and follow the link.

If you subscribe by hitting a checkbox, be sure to hit the UPDATE Subscriptions button at the bottom of the page.

*** security_patch_check
security_patch_check is a tool which can be used to download the latest data about security patches and compare it to the software installed on the system. The tool reports which security patches are missing from a system based on the It reports the "best" patch to install. Also, any recalled patches which are present on the system will be reported. It works through a firewall, with the help of a web-proxy or similar network device.

security_patch_check tool is supported on 11.00, 11.04, 11i (11.11), and future releases of 11i. security_patch_check is available for download from http://software.hp.com/ as of March 16, 2001.

Cheryl

Re: Vulnerability in Apache OpenSSL - ALERT SECURITY ISSUE

Steven Sim Kok Leong — Wed, 18 Sep 2002 08:31:13 GMT

Hi,

To tell the version of apache or ssl you are running, you can use either netcat or simply telnet:

# telnet my_hp_web_server 80
HEAD / HTTP/1.0

If your apache httpd.conf did not set ServerSignature to off and ServerTokens to Prod, you will see the version of apache and ssl displayed.

If you want to mask this information off, set ServerSignature to off and ServerTokens to Prod. However, this does not stop the worm because the worm relies on detecting the string "apache" from the header before launching an intrusion attempt. You can't mask off the string "apache".

Hope this helps. Regards.

Steven Sim Kok Leong