
CIAC L-120 Cisco Code Red Worm Impact

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          Cisco "Code Red" Worm Impact
                     [Cisco Security Advisory Revision 2.1]

July 20, 2001 19:00 GMT                                           Number L-120
[Revised August 2, 2001 - Cisco Revision 2.0]
[Revised August 9, 2001 - Cisco Revision 2.1]
______________________________________________________________________________
PROBLEM:       Cisco products may be installed or provided on systems that are 
               being targeted by the "Code Red" worm. 
PLATFORM:      These products are vulnerable because they run affected 
               versions of Microsoft IIS:
                 Cisco CallManager
                 Cisco Unity Server
                 Cisco uOne
                 Cisco ICS7750
                 Cisco Building Broadband Service Manager
                 IP/VC 3540 Applications Server
               These products may be vulnerable because of possible side-
               effects caused by the "Code Red" worm.  They are not directly 
               vulnerable to the Microsoft IIS exploit:
                 Cisco CSS 11000 series Content Service Switches
                 Cisco 600 series of DSL routers that have not been patched
                   for a previously published vulnerability.
                 Various Cisco Network Management products.  See bulletin 
                   below for details.
DAMAGE:        Any product or platform running a vulnerable version of 
               Microsoft IIS may begin attempting to infect other systems with 
               varying degrees of success, and may cause a significant 
               increase in traffic load. 
               Once infected, the management of a Cisco CallManager product is 
               disabled or severely limited until the defaced web page is 
               removed and the original management web page is restored. 
               Cisco CSS 11000 Content Service Switches and unpatched Cisco 
               600 series DSL routers are vulnerable to a repeatable denial of 
               service until the software is upgraded. 
SOLUTION:      Apply Cisco fixes as outlined below.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The "Code Red" worm can cause a variety of 
ASSESSMENT:    problems on Cisco products that may disable them. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/l-120.shtml 
 PATCHES:            Microsoft:
                     http://www.microsoft.com/technet/treeview/
                              default.asp?url=/technet/security/bulletin/
                              MS01-033.asp
                     Cisco:
                     http://www.cisco.com/warp/public/707/
                              cisco-code-red-worm-pub.shtml
                     http://www.cisco.com/warp/public/63/ts_codred_worm.shtml 
                     http://www.cisco.com/pcgi-bin/Software/Tablebuild/
                              doftp.pl?ftpfile=cisco/voice/callmgr/
                              win-IIS-SecurityUpdate-2.exe&swtype=FCS&
                              code=&size=246296
                     http://www.cisco.com/pcgi-bin/Software/Tablebuild/
                              doftp.pl?ftpfile=cisco/voice/callmgr/
                              win-IIS-SecurityUpdate-Readme-2.htm&
                              swtype=FCS&code=&size=4541
                     http://www.cisco.com/univercd/cc/td/doc/product/aggr/
                              bbsm/bbsm50/urgent.htm
                     http://www.cisco.com/warp/public/707/CBOS-multiple.shtml
                     http://www.cisco.com/
                     http://www.cisco.com/warp/public/687/Directory/
                              DirTAC.shtml
                     http://www.cisco.com/warp/public/63/
                              nbar_acl_codered.shtml
                     http://www.cisco.com/go/psirt/
                     http://www.cisco.com/warp/public/707/
                              sec_incident_response.shtml
______________________________________________________________________________

[ Update to L-120 on July 29, 2001 with additional tool information]

A tool has been released for the detection of the Code Red Worm.
You may download this tool from the following location:

http://www.eeye.com/html/Research/Tools/codered.html

[***** Start Cisco Security Advisory Revision 2.1 *****]

Cisco Security Advisory: "Code Red" Worm - Customer Impact

Revision 2.1

For Public Release 2001 July 20 12:00 UTC

Last Update 2001 August 8 20:00 UTC


Summary

A malicious self-replicating program known as the "Code Red" worm is targeted 
at systems running the Microsoft Internet Information Server (IIS). Several 
Cisco products are installed or provided on targeted systems. Additionally, 
the behavior of the worm can cause problems for other network devices. 

The following Cisco products are vulnerable because they run affected versions 
of Microsoft IIS: 

  Cisco CallManager 
  Cisco Unity Server 
  Cisco uOne 
  Cisco ICS7750 
  Cisco Building Broadband Service Manager 
  IP/VC 3540 Application Server 

Other Cisco products may also be adversely affected by the "Code Red" worm. 
Please see the Affected Products section for further details. 

The worm and its effects may be remedied by applying the Microsoft patch to 
affected servers: 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-033.asp. 

This advisory is available at 
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.


Affected Products

The following Cisco products are directly vulnerable because they run affected
versions of Microsoft IIS: 
  Cisco CallManager 
  Cisco Unity Server 
  Cisco uOne 
  Cisco ICS7750 
  Cisco Building Broadband Service Manager 
  IP/VC 3540 Application Server 

The following Cisco products may be vulnerable due to side-effects caused by 
the "Code Red" worm. They are not directly vulnerable to the Microsoft IIS 
exploit: 

  Cisco IP/VC 3510 H.323 Videoconference Multipoint Control Units 
  Cisco Aironet Wireless products 
  Cisco CSS 11000 series Content Service Switches 
  Cisco 600 series of DSL routers that have not been patched for a previously 
  published vulnerability. 
  Various Cisco Network Management products may be installed on Microsoft 
  platforms that may be running a vulnerable version of IIS. Much older 
  versions of CiscoWorks 2000 RWAN/CWSI Campus v2.x and Cisco Voice Manager 
  v1.x are directly vulnerable because IIS was required as a part of the 
  installation. Such systems might be offering HTTP services on default ports.
  These specific software packages are no longer supported, but are included 
  in this notice to alert customers that might still be using them.


Details

At least two versions of the "Code Red" worm are known to exist. 

Both versions exploit a known vulnerability in Microsoft IIS by passing a 
specially crafted Uniform Resource Identifier (URI) to the default HTTP 
service, port 80, on a susceptible system. The URI in version 1 consists of 
binary instructions which cause the infected host to either begin scanning 
other random IP addresses and pass the infection on to any other vulnerable 
systems it finds, or launch a denial of service attack targeted at the IP 
address 198.137.240.91 which, until very recently, was assigned to 
www.whitehouse.gov. In both cases, the worm replaces the web server's default 
web page with a defaced page at the time of initial infection. Version 2 has 
the same behavior, except that it does not deface the default web page, and it 
no longer contains a hard-coded address for www.whitehouse.gov, opting instead 
to look up the address via DNS. 

Version 1 does not produce a truly random list of addresses to attack, whereas 
version 2 contains a fixed randomizer that will attempt all possible IP 
addresses except those beginning with 127.x.x.x or 224.x.x.x. The worm does not
check for pre-existing infection, so that any given system may be executing as 
many copies of the worm as have scanned it, with a compounding effect on system
and network demand. 

Cisco products that are directly vulnerable because they use IIS can be 
repaired by applying the recommended patches from Microsoft. Workarounds are 
available as a temporary measure. 

Side-effects caused by the worm can expose unrelated problems on other 
products. When the traffic from the worm reaches a significant level, a Cisco 
CSS 11000 series Content Service Switch may suffer a memory allocation error 
that leads to memory corruption and will require a reboot. The defect is 
documented in DDTS CSCdu76237. Traffic from the worm can trigger a defect in 
the IP/VC 3510 Videoconference Multipoint Control Unit which is documented in 
DDTS CSCdv01788. Traffic from the worm can trigger a defect in the Cisco 
Aironet Wireless devices, which is documented in DDTS CSCdv01662. 

As a separate side-effect, the URI used by the worm to infect other hosts 
causes Cisco 600 series DSL routers to stop forwarding traffic. An affected 
600 series router that has been scanned by the "Code Red" worm may not resume 
normal service until the power has been cycled. A workaround exists for this 
problem and is documented in the workarounds section of this document. 

The nature of the "Code Red" worm's scan of random IP addresses and the 
resulting sharp increase in network traffic can noticeably affect Cisco 
routers running Cisco IOS software, depending on the device, its current 
configuration, and the topology of the network. Unusually high CPU utilization 
and memory starvation may occur, and it can be mitigated in many cases simply 
by refining the configuration. Troubleshooting and configuration 
recommendations are available at this location: 
http://www.cisco.com/warp/public/63/ts_codred_worm.shtml 


Impact

The "Code Red" worm is causing widespread denial of service on the Internet 
and is compromising large numbers of vulnerable systems. It may resume attacks 
on or about 2001 Aug 01 because of the number of unpatched vulnerable systems 
that remain. Any product or platform running a vulnerable version of Microsoft 
IIS may begin attempting to infect other systems with varying degrees of 
success, and may cause a significant increase in traffic load. 

Once infected, the management of a Cisco CallManager product is disabled or 
severely limited until the defaced web page is removed and the original 
management web page is restored. 

Cisco CSS 11000 Content Service Switches, Cisco IP/VC 3510 H.323 
Videoconference Multipoint Control Units, Cisco Aironet Wireless Bridge/Access
Point, and Cisco 600 series DSL routers are vulnerable to a repeatable denial 
of service until the software is upgraded, or workarounds are applied. 


Software Versions and Fixes

Microsoft has made a patch available for affected systems at 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-033.asp.

Cisco is providing the same patch at 
http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/
voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&
size=246296.

Documentation is available at http://www.cisco.com/pcgi-bin/Software/
Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/
win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code=&size=4541.

The Cisco Building Broadband Service Manager is documented separately at 
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/urgent.htm. 

The Cisco CSS 11000 Content Service Switch memory allocation error is fixed in
versions R3.10 B78s, R4.01 B41s, R4.10 B21s, R5.0 B8s, and R5.01 B5. 

The Cisco 6xx series vulnerability has been previously documented at 
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml and is fixed in the 
latest releases of software.


Obtaining Fixed Software

Cisco is providing software patches and upgrades to supported products to 
remedy the vulnerability for all affected Cisco customers. 

For most Cisco customers, upgrades are available through the Software Center 
on Cisco's Worldwide Web site at http://www.cisco.com/. 

Customers without contracts can obtain the patch directly from Microsoft or by
contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as 
follows: 

  (800) 553 2447 (toll-free from within North America) 
  +1 408 526 7209 (toll call from anywhere in the world) 
  E-mail: tac@cisco.com 

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including instructions and e-mail addresses for use 
in various languages.

Give the URL of this notice as evidence of your entitlement to a free upgrade.
Free upgrades for non-contract customers must be requested through the TAC or 
directly from Microsoft. Please do not contact either "psirt@cisco.com" or 
"security-alert@cisco.com" for software upgrades. 


Workarounds

We recommend following the instructions in the Microsoft security bulletin for
addressing the actual vulnerability in IIS. 

Workaround for CSS11000 Series Products

The memory allocation problem on the CSS 11000 Content Service Switches can be
worked around by restricting XML access as shown: 

  configure
  restrict xml

Workaround for Cisco 600 Series Products

To disable web management on port 80, set the web management port to some 
number greater than 1024, and configure the web remote address for a 
non-routable address. 

  set web port number_greater-than_1024
  set web remote 10.10.10.10

Workaround for Cisco Aironet Wireless Bridge or Access Point: Disable Web 
Management

For the AP4800 series and Aironet Bridge devices, from the management console,
select option 1 (Configuration Menu), then select option 4 (console menu), 
then check the setting of option 5 (Http). If setting is OFF, then web 
management is disabled. If setting is ON, select option 5 (Http) to toggle 
setting to OFF. 

To avoid unnecessary handling of HTTP requests by Cisco routers running IOS, 
disable the HTTP server by applying: 

  no ip http server

while in global configuration mode. If HTTP service is needed, consider 
restricting access by applying an access list command. 

*NEW INFORMATION* Additional Workarounds for Handling "CodeRed" Traffic

Use the NBAR feature to identify and block "CodeRed" traffic, discussed in 
detail at http://iponeverything.net/CodeRed.html
This workaround is applicable in Cisco IOS® Software version 12.1(5)T and 
later for many platforms. 

Classify inbound Code Red traffic with the class-based marking feature in IOS. 

  Router(config)#class-map match-any http-codered
  Router(config-cmap)#match protocol http url "*default.ida*"
  Router(config-cmap)#match protocol http url "*cmd.exe*"
  Router(config-cmap)#match protocol http url "*root.exe*"

Mark inbound Code Red traffic with a policy map. 

Once the inbound traffic has been classified as Code Red, it can be marked 
with a specific DSCP. For this example, a decimal value of '1' is used as it 
is unlikely that any other traffic would be marked with this DSCP. 

  Router(config)#policy-map mark-inbound-http-codered
  Router(config-pmap)#class http-codered
  Router(config-pmap)#set ip dscp 1

Apply the service policy to the 'outside' interface so inbound traffic will be
marked. 

  Router(config)#int e 0/1
  Router(config-if)#service-policy input mark-inbound-http-codered

Block marked Code Red attempts with an ACL. The ACL matches on the DSCP value 
of '1' that was set as the Code Red attempt entered the router. 

  Router(config)#access-list 105 deny ip any any dscp 1 log
  Router(config)#access-list 105 permit ip any any

Apply it outbound on the 'inside' interface where the target web servers are. 
This must be a different interface from the 'outside' one that carries the 
input service policy; Ethernet 0/0 stands in here for whichever interface 
faces the servers. 

  Router(config)#int e 0/0
  Router(config-if)#ip access-group 105 out

Further router configuration options for dropping specific Code Red related 
traffic are located at the following URL: 
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml 


Workaround for Cisco Cache/Content Engine Products

Additionally, Cisco Content Engines or Cisco Cache Engines can be configured 
to block "Code Red" associated traffic with a filter ruleset as described 
below. 

Cache Engine/Content Engine 

  rule enable
  rule block url-regex .*\.ida.*
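The Details section describes the worm's crafted URI and the compounding load when many infected hosts scan the same target; the NBAR class-map and the Cache/Content Engine rule above reduce that to URL patterns. The Python below, added here as an example and not part of the Cisco advisory, applies those same three "*...*" wildcards and the ".*\.ida.*" regular expression to constructed IIS W3C-format log lines, counts attempts per scanning source, and reports where the two rule sets disagree. The log lines, addresses, paths and the "N..." query string are constructed placeholders rather than captured traffic, and Python's fnmatch is used as an approximation of the IOS wildcard match, which is an assumption of this example.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# URL patterns from the advisory's NBAR class-map ("*" wildcards) and the
# Cache/Content Engine rule (a regular expression). fnmatchcase approximates
# the IOS match semantics; that is an assumption of this example.
NBAR_URL_PATTERNS = ("*default.ida*", "*cmd.exe*", "*root.exe*")
CONTENT_ENGINE_RULE = re.compile(r".*\.ida.*")

# Constructed IIS W3C extended log excerpt (not real traffic). The query string
# on the default.ida requests is a placeholder for the worm's crafted URI and
# the cmd.exe/root.exe paths are invented to exercise the other two patterns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.17 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 200
2001-07-19 14:02:12 192.0.2.17 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 200
2001-07-19 14:02:40 198.51.100.8 GET /index.html - 200
2001-07-19 14:03:05 203.0.113.5 GET /scripts/root.exe /c+dir 404
2001-07-19 14:03:06 203.0.113.5 GET /scripts/cmd.exe /c+dir 404
2001-07-19 14:03:30 198.51.100.8 GET /docs/tools.idapro.html - 200
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of guessing at columns
        records.append(dict(zip(fields, parts)))
    return records


def request_url(rec):
    """Rebuild the URL the router would inspect: stem plus query ('-' = none)."""
    query = rec.get("cs-uri-query", "-")
    return rec["cs-uri-stem"] if query == "-" else f"{rec['cs-uri-stem']}?{query}"


def nbar_match(url):
    """Return the first advisory class-map pattern the URL matches, else None."""
    for pat in NBAR_URL_PATTERNS:
        if fnmatchcase(url, pat):
            return pat
    return None


def content_engine_blocks(url):
    """True if the Cache/Content Engine url-regex rule would block this URL."""
    return CONTENT_ENGINE_RULE.match(url) is not None


def scan_log(text):
    """Count Code Red attempts per source and where the two rule sets disagree."""
    sources, patterns = Counter(), Counter()
    nbar_only = ida_rule_only = 0
    for rec in parse_w3c(text):
        url = request_url(rec)
        pat = nbar_match(url)
        blocked = content_engine_blocks(url)
        if pat is not None:
            sources[rec["c-ip"]] += 1   # repeated hits from one host: no infection check
            patterns[pat] += 1
            if not blocked:
                nbar_only += 1          # cmd.exe/root.exe probes pass the .ida rule
        elif blocked:
            ida_rule_only += 1          # legitimate URL caught by the broad regex
    return {"sources": dict(sources), "patterns": dict(patterns),
            "nbar_only": nbar_only, "ida_rule_only": ida_rule_only}


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

The two disagreement counters are the practical point: the Content Engine rule as written blocks only ".ida" URLs, so it passes the cmd.exe and root.exe probes the NBAR class-map catches, while its unanchored regex also blocks any unrelated URL that happens to contain ".ida"; tighten or extend whichever rule set you deploy accordingly.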


Exploitation and Public Announcements

This issue is being exploited actively and has been discussed in numerous 
public announcements and messages. References include: 

  http://www.cert.org/advisories/CA-2001-19.html 
  http://www.eeye.com/html/Research/Advisories/AD20010618.html

The additional workarounds in this advisory utilizing the NBAR feature have 
been provided through the work of Randall Benn. 


Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of all 
statements in this notice, all of the information has been checked to the best
of our ability. Should there be a significant change in the facts, Cisco may 
update this notice. 


Distribution

This notice will be posted on Cisco's Worldwide Web site at 
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml. 
In addition to Worldwide Web posting, a text version of this notice is 
clear-signed with the Cisco PSIRT PGP key and is posted to the following 
e-mail and Usenet news recipients: 

  cust-security-announce@cisco.com 
  bugtraq@securityfocus.com 
  firewalls@lists.gnac.com 
  first-teams@first.org (includes CERT/CC) 
  cisco@spot.colorado.edu 
  cisco-nsp@puck.nether.net 
  nanog@nanog.org 
  incidents@securityfocus.com 
  comp.dcom.sys.cisco 
  Various internal Cisco mailing lists 

Future updates of this notice, if any, will be placed on the Cisco Security 
Advisories page at http://www.cisco.com/go/psirt/, but may or may not be 
actively announced on mailing lists or newsgroups. Users concerned about this 
problem are encouraged to check the URL given above for any updates.

Revision History

+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-20 12:00 | Initial public release                     |
| 1.0      | UTC               |                                            |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-23 12:00 | Made Microsoft patch URL visible, and      |
| 1.1      | UTC               | changed relative links to fully qualified. |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-31 20:00 | Updated to include CSS 11000 and old       |
| 2.0      | UTC               | network management platforms.              |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Aug-08 20:00 | Updated Workaround section and Affected    |
| 2.1      | UTC               | Products                                   |
+----------+-------------------+--------------------------------------------+

Cisco Product Security Incident Procedures

Complete information on reporting security vulnerabilities in Cisco products, 
obtaining assistance with security incidents, and registering to receive 
security information from Cisco, is available on Cisco's Worldwide Web site at 
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This 
includes instructions for press inquiries regarding Cisco security notices.


This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be 
redistributed freely after the release date given at the top of the text, 
provided that redistributed copies are complete and unmodified, including all 
date and version information.

All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights 
reserved. 

[***** End Cisco Security Advisory Revision 2.1 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-110: HP Open View Event Correlation Services Vulnerability
L-111: FreeBSD Signal Handling Flaw
L-112: Cisco SN 5420 Storage Router Vulnerabilities
L-113: Microsoft Outlook View Control Exposes Unsafe Functionality 
L-114: Hewlett-Packard login Vulnerability 
L-115: Hewlett-Packard dlkm Vulnerability
L-116: Lightweight Directory Access Protocol (LDAP) Vulnerabilities 
L-117: The Code Red Worm 
L-118: Hewlett-Packard ftpd and ftp Vulnerability 
L-119: Hewlett-Packard mkacct Program Vulnerability







