-----BEGIN PGP SIGNED MESSAGE----- Cisco Security Advisory: "Code Red" Worm Customer Impact Revision 1.0 For public release 2001 July 20 12:00 UTC _________________________________________________________________ Summary A malicious self replicating program known as the "Code Red" worm is targeted at systems running the Microsoft Internet Information Server (IIS). Several Cisco products are installed or provided on targeted systems. Additionally, the behavior of the worm can cause problems for other network devices. The following Cisco products are vulnerable because they run affected versions of Microsoft IIS: * Cisco CallManager * Cisco Unity Server * Cisco uOne * Cisco ICS7750 Other Cisco products may also be adversely affected by the "Code Red" worm. Please see the Affected Products section for further details. The worm and its effects may be remedied by applying the Microsoft patch to affected servers, http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ security/bulletin/MS01-033.asp. This advisory is available at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml . Affected Products The following Cisco products are directly vulnerable because they run affected versions of Microsoft IIS: * Cisco CallManager * Cisco Unity Server * Cisco uOne * Cisco ICS7750 * Cisco Building Broadband Service Manager Other Cisco products may be indirectly affected by the IIS vulnerability (this is not an exhaustive list): * Cisco 600 series of DSL routers that have not been patched per the Cisco Security Advisory, http://www.cisco.com/warp/public/707/CBOS-multiple.shtml , will stop forwarding traffic when scanned by a system infected by the "Code Red" worm. The power must be cycled to restore normal service. * Cisco Network Management products are not directly affected but might be installed on a Microsoft platform running a vulnerable version of IIS. Details The "Code Red" worm exploits a known vulnerability in Microsoft IIS by passing a specially crafted URI to the default HTTP service, port 80, on a susceptible system. The URI consists of binary instructions which cause the infected host to either begin scanning other random IP addresses and pass the infection on to any other vulnerable systems it finds, or launch a denial of service attack targeted at the IP address 198.137.240.91 which until very recently was assigned to www.whitehouse.gov. In both cases the worm replaces the web server's default web page with a defaced page at the time of initial infection. The worm does not check for pre-existing infection, so that any given system may be executing as many copies of the worm as have scanned it, with a compounding effect on system and network demand. As a side-effect, the URI used by the worm to infect other hosts causes Cisco 600 series DSL routers to stop forwarding traffic by triggering a previously-published vulnerability. Any 600 series routers scanned by the "Code Red" worm will not resume normal service until the power to the router has been cycled. The nature of the "Code Red" worm's scan of random IP addresses and the resulting sharp increase in network traffic can noticeably affect Cisco Content Service Switches and Cisco routers running IOS, depending on the device and its configuration. Unusually high CPU utilization and memory starvation may occur. Impact The "Code Red" worm is causing widespread denial of service on the Internet and is compromising large numbers of vulnerable systems. Once infected, the management of a Cisco CallManager product is disabled or severely limited until the defaced web page is removed and the original management web page is restored. Software Versions and Fixes Microsoft has made a patch available for affected systems at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ security/bulletin/MS01-033.asp . Cisco is providing the same patch at http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=c isco/voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&size= 246296 with documentation at http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=c isco/voice/callmgr/win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code =&size=4541 Cisco Building Broadband Service Manager is documented separately at http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/ur gent.htm . Obtaining Fixed Software Cisco is making available software patches and upgrades to remedy this vulnerability for all affected Cisco customers. For most Cisco customers, upgrades are available through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/. Customers without contracts can obtain the patch directly from Microsoft or by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows: * (800) 553 2447 (toll-free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * E-mail: tacat_private See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including instructions and e-mail addresses for use in various languages. Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC or directly from Microsoft. Please do not contact either "psirtat_private" or "security-alertat_private" for software upgrades. Workarounds We recommend following the instructions in the Microsoft security bulletin for addressing the actual vulnerability. Exploitation and Public Announcements This issue is being exploited actively and has been discussed in numerous public announcements and messages. References include: * http://www.cert.org/advisories/CA-2001-19.html * http://www.eeye.com/html/Research/Advisories/AD20010618.html Status of This Notice: FINAL This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the information has been checked to the best of our ability. Should there be a significant change in the facts, Cisco may update this notice. Distribution This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients: * cust-security-announceat_private * bugtraqat_private * firewallsat_private * first-teamsat_private (includes CERT/CC) * ciscoat_private * cisco-nspat_private * nanogat_private * incidentsat_private * comp.dcom.sys.cisco * Various internal Cisco mailing lists Future updates of this notice, if any, will be placed on the Cisco Security Advisories page at http://www.cisco.com/go/psirt/, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates. Revision History Revision 1.0 2001-Jul-20 Initial public release Cisco Product Security Incident Procedures Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml . This includes instructions for press inquiries regarding Cisco security notices. _________________________________________________________________ This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information. _________________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQEVAwUBO1f3m2iN3BRdFxkbAQHFrQf9FkJJdW0EsGmOqKCjO+KACbE+G++pnY+X AOQRWvyV+XZwLo4VWAcS47A6p2e/hOEcqOBSgYYX8L+dbsF/8geHURhCTQB628kQ uvtc+A2q9rxIjLqrZcjda7rwZB9ISqXxRZbuTOomtKGx2n2CQ/4K67/j2QFYs+1P Mf02XKv4IUF1N6adKh23aJ0DILoFmge4b26V7NtHEDJ70fJyqSzk1z+soHlyeZ+z wGwUCMGfSlQr5uXhD5bJF8b5unYNiANy6lGS0uotjapNZN8JmbQeEjCX1Bf7bAlm 0l+LgwM7Q4Y0n7poXOw7Pw52r3bcL2XuxTY4BJSl97Fbt3daUxPiVw== =7r1T -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 07:41:00 PDT