News from PANUG/BizNix - September 18, 2002
http://panug.org - http://biznix.org

Our DSL circuit went out as this message was being sent. Apologies if you received this twice.

PANUG MEETING

The PANUG user group's monthly meeting is tomorrow, September 19, at 6:15 pm. The presentation will cover Novell's iFolders. iFolders is a WebDAV-like application that lets mobile users store data on a centralized file server. Unlike remote file systems such as CIFS, iFolders is more secure and can be deployed without reconfiguring your company firewall or deploying a VPN. Visit the PANUG Web site for the meeting location.

http://panug.org

SLAPPER
by Ed Sawicki - Accelerated Learning Center / Tailored Computers

Apache finally has a security problem as serious as IIS's Code Red and Nimda. Maybe now managers will consider Apache a serious piece of software. :-)

It's called Linux.Slapper.Worm, though the problem is not with Linux. The problem is with the OpenSSL software used by Apache. Once infected, a machine takes part in a network of infected machines that can be told to attack a target: essentially, a distributed denial of service attack. Pretty serious. The Linux folks are going to get pounded on for this one, even though it's not a Linux problem.

The worm looks for potential victims by sending an invalid HTTP request, which forces an error response from the Web server. If the response shows that the Web server is running Apache with SSL, the worm uses a known vulnerability in OpenSSL to get onto the machine and compiles itself there. The infected machine then begins scanning the Internet for another machine to infect.

Given the above description of how the worm finds victims, it's possible the attack can be thwarted by making sure this statement is in your Apache configuration file:

    ServerTokens Prod

This prevents Apache from telling the world that it supports SSL. I don't know if it prevents the attack. I don't have a copy of the worm. My servers have not been victims.
The obvious solution to this problem is to upgrade to the latest version of OpenSSL, 0.9.6e or newer. However, you'll also need to recompile any applications that use the OpenSSL libraries. This is why I like to always install from source rather than from packages.

Since the problem is with OpenSSL and not Apache or Linux, other solutions that limit your exposure to future security problems of this type come to mind. A good example is the Apache Web server used by PANUG and BizNix. It does not run OpenSSL. A separate Linux computer runs Apache/SSL for secure transactions. The Apache/SSL server might fall victim to this attack, but not the server that serves up content. By planning ahead, understanding security issues, and using common sense, we avoided falling victim to this attack, months before the attack was known about.

If the thought of requiring two computers is not appealing, you can run both copies of Apache on the same computer. Note that I don't yet know whether this OpenSSL exploit gives the worm root access. If it does, you can use User Mode Linux to achieve some insulation between the two Web servers even though they're running on one computer.
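The two checks the article recommends, a banner that no longer advertises SSL (ServerTokens Prod) and an OpenSSL version of at least 0.9.6e, can be audited from the error response your own server returns. The following Python 3 script is an added example written for this newsletter page; it is not code from the newsletter, from Ed Sawicki, or from the Apache or OpenSSL projects. The HTTP responses in it are constructed samples in the shape of an Apache 1.3 "400 Bad Request" reply, not captures from a live server, and the function names (parse_server_header, audit_banner, findings) are this example's own. Note that hiding the banner only makes the host less likely to be selected by a scanner that keys on the Server header; it does not remove the OpenSSL vulnerability, which only the upgrade does.

```python
import re
from typing import Optional

# Constructed sample responses (not captured from a real server). The first is
# what a default ServerTokens setting produces; the second is what the same
# server returns with "ServerTokens Prod" in its configuration.
SAMPLE_FULL = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Wed, 18 Sep 2002 10:00:00 GMT\r\n"
    b"Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Bad Request</h1></body></html>"
)
SAMPLE_PROD = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Date: Wed, 18 Sep 2002 10:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h1>Bad Request</h1></body></html>"
)

# Minimum OpenSSL release named in the article.
MIN_OPENSSL = "0.9.6e"


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the value of the Server header from a raw HTTP response, or None."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def openssl_version_key(version: str) -> tuple:
    """Turn '0.9.6e' into (0, 9, 6, 'e') so releases compare in order.

    The patch letter sorts after the empty string, so 0.9.6 < 0.9.6a < 0.9.6e.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def audit_banner(raw: bytes, minimum: str = MIN_OPENSSL) -> dict:
    """Check a response for an SSL-advertising banner and an outdated OpenSSL."""
    server = parse_server_header(raw)
    result = {
        "server": server,
        "reveals_ssl": False,
        "openssl_version": None,
        "openssl_outdated": None,  # unknown until a version string is seen
    }
    if server is None:
        return result
    if re.search(r"mod_ssl|OpenSSL", server, re.IGNORECASE):
        result["reveals_ssl"] = True
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+[a-z]*)", server)
    if m:
        version = m.group(1)
        result["openssl_version"] = version
        result["openssl_outdated"] = (
            openssl_version_key(version) < openssl_version_key(minimum)
        )
    return result


def findings(raw: bytes, minimum: str = MIN_OPENSSL) -> list:
    """Human-readable list of what an administrator should change."""
    r = audit_banner(raw, minimum)
    out = []
    if r["reveals_ssl"]:
        out.append("Server header advertises SSL; add 'ServerTokens Prod' "
                   "to the Apache configuration")
    if r["openssl_outdated"]:
        out.append(f"OpenSSL/{r['openssl_version']} is older than {minimum}; "
                   "upgrade OpenSSL and rebuild or restart programs that use it")
    return out


if __name__ == "__main__":
    for label, sample in (("default banner", SAMPLE_FULL), ("ServerTokens Prod", SAMPLE_PROD)):
        print(f"{label}: {findings(sample) or ['no findings']}")
```

To audit a real host you control, capture the raw response of one malformed request (for example with a plain TCP client) and pass the bytes to findings(); a reply whose Server header reads only "Apache" passes the banner check, and a reply that still names an OpenSSL version older than 0.9.6e tells you the upgrade has not taken effect, typically because a statically linked build was never recompiled or a daemon was never restarted.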