__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Center
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Cisco "Code Red" Worm Impact
[Cisco Security Advisory Revision 2.0]
July 20, 2001 19:00 GMT Number L-120
[Revised August 2, 2001 - Cisco Revision 2.0]
[Revised August 9, 2001 - Cisco Revision 2.1]
______________________________________________________________________________
PROBLEM: Cisco products may be installed or provided on systems that are
being targeted by the "Code Red" worm.
PLATFORM: These products are vulnerable because they run affected
versions of Microsoft IIS:
Cisco CallManager
Cisco Unity Server
Cisco uOne
Cisco ICS7750
Cisco Building Broadband Service Manager
IP/VC 3540 Applications Server
These products may be vulnerable because of possible side-
effects caused by the "Code Red" worm. They are not directly
vulnerable to the Microsoft IIS exploit:
Cisco CSS 11000 series Content Service Switches
Cisco 600 series of DSL routers that have not been patched
for a previously published vulernability.
Various Cisco Network Management products. See bulletin
below for details.
DAMAGE: Any product or platform running a vulnerable version of
Microsoft IIS may begin attempting to infect other systems with
varying degrees of success, and may cause a significant
increase in traffic load.
Once infected, the management of a Cisco CallManager product is
disabled or severely limited until the defaced web page is
removed and the original management web page is restored.
Cisco CSS 11000 Content Service Switches and unpatched Cisco
600 series DSL routers are vulnerable to a repeatable denial of
service until the software is upgraded.
SOLUTION: Apply Cisco fixes as outlined below.
______________________________________________________________________________
VULNERABILITY The risk is HIGH. The "Code Red" worm can cause a variety of
ASSESSMENT: problems on Cisco products that may disable them.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/l-120.shtml
PATCHES: Microsoft:
http://www.microsoft.com/technet/treeview/
default.asp?url=/technet/security/bulletin/
MS01-033.asp
Cisco:
http://www.cisco.com/warp/public/707/
cisco-code-red-worm-pub.shtml
http://www.cisco.com/warp/public/63/ts_codred_worm.shtml
http://www.cisco.com/pcgi-bin/Software/Tablebuild/
doftp.pl?ftpfile=cisco/voice/callmgr/
win-IIS-SecurityUpdate-2.exe&swtype=FCS&
code=&size=246296
http://www.cisco.com/pcgi-bin/Software/Tablebuild/
doftp.pl?ftpfile=cisco/voice/callmgr/
win-IIS-SecurityUpdate-Readme-2.htm&
swtype=FCS&code=&size=4541
http://www.cisco.com/univercd/cc/td/doc/product/aggr/
bbsm/bbsm50/urgent.htm
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml
http://www.cisco.com/
http://www.cisco.com/warp/public/687/Directory/
DirTAC.shtml
http://www.cisco.com/warp/public/63/
nbar_acl_codered.shtml
http://www.cisco.com/go/psirt/
http://www.cisco.com/warp/public/707/
sec_incident_response.shtml
______________________________________________________________________________
[ Update to L-120 on July 29, 2001 with addition tool information]
A tool has been released for the detection of the Code Red Worm.
You may download this tool from the following location:
http://www.eeye.com/html/Research/Tools/codered.html
[***** Start Cisco Security Advisory Revision 2.1 *****]
Cisco Security Advisory: "Code Red" Worm - Customer Impact
Revision 2.1
For Public Release 2001 July 20 12:00 UTC
Last Update 2001 August 8 20:00 UTC
Summary
A malicious self-replicating program known as the "Code Red" worm is targeted
at systems running the Microsoft Internet Information Server (IIS). Several
Cisco products are installed or provided on targeted systems. Additionally,
the behavior of the worm can cause problems for other network devices.
The following Cisco products are vulnerable because they run affected versions
of Microsoft IIS:
Cisco CallManager
Cisco Unity Server
Cisco uOne
Cisco ICS7750
Cisco Building Broadband Service Manager
IP/VC 3540 Application Server
Other Cisco products may also be adversely affected by the "Code Red" worm.
Please see the Affected Products section for further details.
The worm and its effects may be remedied by applying the Microsoft patch to
affected servers:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-033.asp.
This advisory is available at
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.
Affected Products
The following Cisco products are directly vulnerable because they run affected
versions of Microsoft IIS:
Cisco CallManager
Cisco Unity Server
Cisco uOne
Cisco ICS7750
Cisco Building Broadband Service Manager
IP/VC 3540 Application Server
The following Cisco products may be vulnerable due to side-effects caused by
the "Code Red" worm. They are not directly vulnerable to the Microsoft IIS
exploit:
Cisco IP/VC 3510 H.323 Videoconference Multipoint Control Units
Cisco Aironet Wireless products
Cisco CSS 11000 series Content Service Switches
Cisco 600 series of DSL routers that have not been patched for a previously
published vulnerability.
Various Cisco Network Management products may be installed on Microsoft
platforms that may be running a vulnerable version of IIS. Much older
versions of CiscoWorks 2000 RWAN/CWSI Campus v2.x and Cisco Voice Manager
v1.x are directly vulnerable because IIS was required as a part of the
installation. Such systems might be offering HTTP services on default ports.
These specific software packages are no longer supported, but are included
in this notice to alert customers that might still be using them.
Details
At least two versions of the "Code Red" worm are known to exist.
Both versions exploit a known vulnerability in Microsoft IIS by passing a
specially crafted Uniform Resource Identifier (URI) to the default HTTP
service, port 80, on a susceptible system. The URI in version 1 consists of
binary instructions which cause the infected host to either begin scanning
other random IP addresses and pass the infection on to any other vulnerable
systems it finds, or launch a denial of service attack targeted at the IP
address 198.137.240.91 which, until very recently, was assigned to
www.whitehouse.gov. In both cases, the worm replaces the web server's default
web page with a defaced page at the time of initial infection. Version 2 has
the same behavior, except that it does not deface the default web page, and it
no longer contains a hard-coded address for www.whitehouse.gov, opting instead
to look up the address via DNS.
Version 1 does not produce a truly random list of addresses to attack, whereas
version 2 contains a fixed randomizer that will attempt all possible IP
addresses except those beginning with 127.x.x.x or 224.x.x.x. The worm does not
check for pre-existing infection, so that any given system may be executing as
many copies of the worm as have scanned it, with a compounding effect on system
and network demand.
Cisco products that are directly vulnerable because they use IIS can be
repaired by applying the recommended patches from Microsoft. Workarounds are
available as a temporary measure.
Side-effects caused by the worm can expose unrelated problems on other
products. When the traffic from the worm reaches a significant level, a Cisco
CSS 11000 series Content Service Switch may suffer a memory allocation error
that leads to memory corruption and will require a reboot. The defect is
documented in DDTS CSCdu76237. Traffic from the worm can trigger a defect in
the IP/VC 3510 Videoconference Multipoint Control Unit which is documented in
DDTS CSCdv01788. Traffic from the worm can trigger a defect in the Cisco
Aironet Wireless devices, which is documented in DDTS CSCdv01662.
As a separate side-effect, the URI used by the worm to infect other hosts
causes Cisco 600 series DSL routers to stop forwarding traffic. An affected
600 series router that has been scanned by the "Code Red" worm may not resume
normal service until the power has been cycled. A workaround exists for this
problem and is documented in the workarounds section of this document.
The nature of the "Code Red" worm's scan of random IP addresses and the
resulting sharp increase in network traffic can noticeably affect Cisco
routers running Cisco IOS software, depending on the device, its current
configuration, and the topology of the network. Unusually high CPU utilization
and memory starvation may occur, and it can be mitigated in many cases simply
by refining the configuration. Troubleshooting and configuration
recommendations are available at this location:
http://www.cisco.com/warp/public/63/ts_codred_worm.shtml
Impact
The "Code Red" worm is causing widespread denial of service on the Internet
and is compromising large numbers of vulnerable systems. It may resume attacks
on or about 2001 Aug 01 because of the number of unpatched vulnerable systems
that remain. Any product or platform running a vulnerable version of Microsoft
IIS may begin attempting to infect other systems with varying degrees of
success, and may cause a significant increase in traffic load.
Once infected, the management of a Cisco CallManager product is disabled or
severely limited until the defaced web page is removed and the original
management web page is restored.
Cisco CSS 11000 Content Service Switches, Cisco IP/VC 3510 H.323
Videoconference Multipoint Control Units, Cisco Aironet Wireless Bridge/Access
Point, and Cisco 600 series DSL routers are vulnerable to a repeatable denial o
f service until the software is upgraded, or workarounds are applied.
Software Versions and Fixes
Microsoft has made a patch available for affected systems at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
bulletin/MS01-033.asp.
Cisco is providing the same patch at
http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/
voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&
size=246296.
Documentation is available at http://www.cisco.com/pcgi-bin/Software/
Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/
win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code=&size=4541.
The Cisco Building Broadband Service Manager is documented separately at
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/urgent.htm.
The Cisco CSS 11000 Content Service Switch memory allocation error is fixed in
versions R3.10 B78s, R4.01 B41s, R4.10 B21s, R5.0 B8s, and R5.01 B5.
The Cisco 6xx series vulnerability has been previously documented at
http://www.cisco.com/warp/public/707/CBOS-multiple.shtml and is fixed in the
latest releases of software.
Obtaining Fixed Software
Cisco is providing software patches and upgrades to supported products to
remedy the vulnerability for all affected Cisco customers.
For most Cisco customers, upgrades are available through the Software Center
on Cisco's Worldwide Web site at http://www.cisco.com/.
Customers without contracts can obtain the patch directly from Microsoft or by
contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as
follows:
(800) 553 2447 (toll-free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
E-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional
TAC contact information, including instructions and e-mail addresses for use
in various languages.
Give the URL of this notice as evidence of your entitlement to a free upgrade.
Free upgrades for non-contract customers must be requested through the TAC or
directly from Microsoft. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.
Workarounds
We recommend following the instructions in the Microsoft security bulletin for
addressing the actual vulnerability in IIS.
Workaround for CSS11000 Series Products
The memory allocation problem on the CSS 11000 Content Service Switches can be
worked around by restricting XML access as shown:
configure
restrict xml
Workaround for Cisco 600 Series Products
To disable web management on port 80, set the web management port to some
number greater than 1024, and configure the web remote address for a
non-routeable address.
set web port number_greater-than_1024
set web remote 10.10.10.10
Workaround for Cisco Aironet Wireless Bridge or Access Point: Disable Web
Management
For the AP4800 series and Aironet Bridge devices, from the management console,
select option 1 (Configuration Menu), then select option 4 (console menu),
then check the setting of option 5 (Http). If setting is OFF, then web
management is disabled. If setting is ON, select option 5 (Http) to toggle
setting to OFF.
To avoid unnecessary handling of HTTP requests by Cisco routers running IOS,
disable the HTTP server by applying:
no ip http server
while in global configuration mode. If HTTP service is needed, consider
restricting access by applying an access list command.
*NEW INFORMATION* Additional Workarounds for Handling "CodeRed" Traffic
Utilize NBAR feature to identify and block "CodeRed" traffic; discussed in
detail at http://iponeverything.net/CodeRed.html
This workaround is applicable in Cisco IOS® Software version 12.1(5)T and
later for many platforms.
Classify inbound Code Red traffic with the class-based marking feature in IOS.
Router(config)#class-map match-any http-codered
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"
Mark inbound Code Red traffic with a policy map.
Once the inbound traffic has been classified as Code Red, it can be marked
with a specific DSCP. For this example, a decimal value of '1' is used as it
is unlikely that any other traffic would be marked with this DSCP.
Router(config)#policy-map mark-inbound-http-codered
Router(config-pmap)#class http-codered
Router(config-pmap)#set ip dscp 1
Apply the service policy to the 'outside' interface so inbound traffic will be
marked.
Router(config)#int e 0/1
Router(config-if)#service-policy input mark-inbound-http-codered
Block marked Code Red attempts with an ACL. The ACL will match on the DSCP
value of '1' that was marked as the Code Red attempt entered in the box.
Router(config)#access-list 105 deny ip any any dscp 1 log
Router(config)#access-list 105 permit ip any any
Apply it outbound on the 'inside' interface where the target web servers are.
Router(config)#int e 0/1
Router(config-if)#ip access-group 105 out
Further router configuration options for dropping specific Code Red related
traffic are located at the following URL:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
Workaround for Cisco Cache/Content Engine Products
Additionally, Cisco Content Engines or Cisco Cache Engines can be configured
to block "Code Red" associated traffic with a filter ruleset as described
below.
Cache Engine/Content Engine
rule enable
rule block url-regex .*\.ida.*
Exploitation and Public Announcements
This issue is being exploited actively and has been discussed in numerous
public announcements and messages. References include:
http://www.cert.org/advisories/CA-2001-19.html
http://www.eeye.com/html/Research/Advisories/AD20010618.html
The additional workarounds in this advisory utilizing the NBAR feature have
been provided through the work of Randall Benn.
Status of This Notice: FINAL
This is a final notice. Although Cisco cannot guarantee the accuracy of all
statements in this notice, all of the information has been checked to the best
of our ability. Should there be a significant change in the facts, Cisco may
update this notice.
Distribution
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.
In addition to Worldwide Web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the following
e-mail and Usenet news recipients:
cust-security-announce@cisco.com
bugtraq@securityfocus.com
firewalls@lists.gnac.com
first-teams@first.org (includes CERT/CC)
cisco@spot.colorado.edu
cisco-nsp@puck.nether.net
nanog@nanog.org
incidents@securityfocus.com
comp.dcom.sys.cisco
Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on the Cisco Security
Advisories page at http://www.cisco.com/go/psirt/, but may or may not be
actively announced on mailing lists or newsgroups. Users concerned about this
problem are encouraged to check the URL given above for any updates.
Revision History
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-20 12:00 | Initial public release |
| 1.0 | UTC | |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-23 12:00 | Made Microsoft patch URL visible, and |
| 1.1 | UTC | changed relative links to fully qualified. |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-31 20:00 | Updated to include CSS 11000 and old |
| 2.0 | UTC | network management platforms. |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Aug-08 20:00 | Updated Workaround section and Affected |
| 2.1 | UTC | Products |
+----------+-------------------+--------------------------------------------+
Cisco Product Security Incident Procedures
Complete information on reporting security vulnerabilities in Cisco products,
obtaining assistance with security incidents, and registering to receive
security information from Cisco, is available on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This
includes instructions for press inquiries regarding Cisco security notices.
This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including all
date and version information.
All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights
reserved.
[***** End Cisco Security Advisory Revision 2.1 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
L-110: HP Open View Event Correlation Services Vulnerability
L-111: FreeBSD Signal Handling Flaw
L-112: Cisco SN 5420 Storage Router Vulnerabilities
L-113: Microsoft Outlook View Control Exposes Unsafe Functionality
L-114: Hewlett-Packard login Vulnerability
L-115: Hewlett-Packard dlkm Vulnerability
L-116: Lightweight Directory Access Protocol (LDAP) Vulnerabilities
L-117: The Code Red Worm
L-118: Hewlett-Packard ftpd and ftp Vulnerability
L-119: Hewlett-Packard mkacct Program Vulnerability
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
