__________________________________________________________

              The U.S. Department of Energy
            Computer Incident Advisory Center
__________________________________________________________

                  INFORMATION BULLETIN

               Cisco "Code Red" Worm Impact
          [Cisco Security Advisory Revision 2.0]

July 20, 2001 19:00 GMT                                    Number L-120
[Revised August 2, 2001 - Cisco Revision 2.0]
[Revised August 9, 2001 - Cisco Revision 2.1]
______________________________________________________________________________
PROBLEM:       Cisco products may be installed or provided on systems that
               are being targeted by the "Code Red" worm.
PLATFORM:      These products are vulnerable because they run affected
               versions of Microsoft IIS:
                 Cisco CallManager
                 Cisco Unity Server
                 Cisco uOne
                 Cisco ICS7750
                 Cisco Building Broadband Service Manager
                 IP/VC 3540 Applications Server
               These products may be vulnerable because of possible
               side-effects caused by the "Code Red" worm. They are not
               directly vulnerable to the Microsoft IIS exploit:
                 Cisco CSS 11000 series Content Service Switches
                 Cisco 600 series of DSL routers that have not been
                 patched for a previously published vulnerability.
                 Various Cisco Network Management products. See bulletin
                 below for details.
DAMAGE:        Any product or platform running a vulnerable version of
               Microsoft IIS may begin attempting to infect other systems
               with varying degrees of success, and may cause a significant
               increase in traffic load. Once infected, the management of a
               Cisco CallManager product is disabled or severely limited
               until the defaced web page is removed and the original
               management web page is restored. Cisco CSS 11000 Content
               Service Switches and unpatched Cisco 600 series DSL routers
               are vulnerable to a repeatable denial of service until the
               software is upgraded.
SOLUTION:      Apply Cisco fixes as outlined below.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. The "Code Red" worm can cause a variety of
ASSESSMENT:    problems on Cisco products that may disable them.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:  http://www.ciac.org/ciac/bulletins/l-120.shtml
 PATCHES:        Microsoft:
                 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp
                 Cisco:
                 http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
                 http://www.cisco.com/warp/public/63/ts_codred_worm.shtml
                 http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&size=246296
                 http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code=&size=4541
                 http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/urgent.htm
                 http://www.cisco.com/warp/public/707/CBOS-multiple.shtml
                 http://www.cisco.com/
                 http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
                 http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
                 http://www.cisco.com/go/psirt/
                 http://www.cisco.com/warp/public/707/sec_incident_response.shtml
______________________________________________________________________________

[Update to L-120 on July 29, 2001 with additional tool information]

A tool has been released for the detection of the Code Red Worm. You may download this tool from the following location:

  http://www.eeye.com/html/Research/Tools/codered.html

[***** Start Cisco Security Advisory Revision 2.1 *****]

Cisco Security Advisory: "Code Red" Worm - Customer Impact

Revision 2.1

For Public Release 2001 July 20 12:00 UTC
Last Update 2001 August 8 20:00 UTC

Summary

A malicious self-replicating program known as the "Code Red" worm is targeted at systems running the Microsoft Internet Information Server (IIS). Several Cisco products are installed or provided on targeted systems.
Additionally, the behavior of the worm can cause problems for other network devices.

The following Cisco products are vulnerable because they run affected versions of Microsoft IIS:

  Cisco CallManager
  Cisco Unity Server
  Cisco uOne
  Cisco ICS7750
  Cisco Building Broadband Service Manager
  IP/VC 3540 Application Server

Other Cisco products may also be adversely affected by the "Code Red" worm. Please see the Affected Products section for further details.

The worm and its effects may be remedied by applying the Microsoft patch to affected servers:

  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp

This advisory is available at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.

Affected Products

The following Cisco products are directly vulnerable because they run affected versions of Microsoft IIS:

  Cisco CallManager
  Cisco Unity Server
  Cisco uOne
  Cisco ICS7750
  Cisco Building Broadband Service Manager
  IP/VC 3540 Application Server

The following Cisco products may be vulnerable due to side-effects caused by the "Code Red" worm. They are not directly vulnerable to the Microsoft IIS exploit:

  Cisco IP/VC 3510 H.323 Videoconference Multipoint Control Units
  Cisco Aironet Wireless products
  Cisco CSS 11000 series Content Service Switches
  Cisco 600 series of DSL routers that have not been patched for a previously published vulnerability.

Various Cisco Network Management products may be installed on Microsoft platforms that may be running a vulnerable version of IIS. Much older versions of CiscoWorks 2000 RWAN/CWSI Campus v2.x and Cisco Voice Manager v1.x are directly vulnerable because IIS was required as a part of the installation. Such systems might be offering HTTP services on default ports. These specific software packages are no longer supported, but are included in this notice to alert customers that might still be using them.

Details

At least two versions of the "Code Red" worm are known to exist.
Both versions exploit a known vulnerability in Microsoft IIS by passing a specially crafted Uniform Resource Identifier (URI) to the default HTTP service, port 80, on a susceptible system.

The URI in version 1 consists of binary instructions which cause the infected host to either begin scanning other random IP addresses and pass the infection on to any other vulnerable systems it finds, or launch a denial of service attack targeted at the IP address 198.137.240.91 which, until very recently, was assigned to www.whitehouse.gov. In both cases, the worm replaces the web server's default web page with a defaced page at the time of initial infection.

Version 2 has the same behavior, except that it does not deface the default web page, and it no longer contains a hard-coded address for www.whitehouse.gov, opting instead to look up the address via DNS.

Version 1 does not produce a truly random list of addresses to attack, whereas version 2 contains a fixed randomizer that will attempt all possible IP addresses except those beginning with 127.x.x.x or 224.x.x.x.

The worm does not check for pre-existing infection, so that any given system may be executing as many copies of the worm as have scanned it, with a compounding effect on system and network demand.

Cisco products that are directly vulnerable because they use IIS can be repaired by applying the recommended patches from Microsoft. Workarounds are available as a temporary measure.

Side-effects caused by the worm can expose unrelated problems on other products. When the traffic from the worm reaches a significant level, a Cisco CSS 11000 series Content Service Switch may suffer a memory allocation error that leads to memory corruption and will require a reboot. The defect is documented in DDTS CSCdu76237.

Traffic from the worm can trigger a defect in the IP/VC 3510 Videoconference Multipoint Control Unit which is documented in DDTS CSCdv01788.
Traffic from the worm can trigger a defect in the Cisco Aironet Wireless devices, which is documented in DDTS CSCdv01662.

As a separate side-effect, the URI used by the worm to infect other hosts causes Cisco 600 series DSL routers to stop forwarding traffic. An affected 600 series router that has been scanned by the "Code Red" worm may not resume normal service until the power has been cycled. A workaround exists for this problem and is documented in the workarounds section of this document.

The nature of the "Code Red" worm's scan of random IP addresses and the resulting sharp increase in network traffic can noticeably affect Cisco routers running Cisco IOS software, depending on the device, its current configuration, and the topology of the network. Unusually high CPU utilization and memory starvation may occur, and it can be mitigated in many cases simply by refining the configuration. Troubleshooting and configuration recommendations are available at this location:

  http://www.cisco.com/warp/public/63/ts_codred_worm.shtml

Impact

The "Code Red" worm is causing widespread denial of service on the Internet and is compromising large numbers of vulnerable systems. It may resume attacks on or about 2001 Aug 01 because of the number of unpatched vulnerable systems that remain.

Any product or platform running a vulnerable version of Microsoft IIS may begin attempting to infect other systems with varying degrees of success, and may cause a significant increase in traffic load.

Once infected, the management of a Cisco CallManager product is disabled or severely limited until the defaced web page is removed and the original management web page is restored.

Cisco CSS 11000 Content Service Switches, Cisco IP/VC 3510 H.323 Videoconference Multipoint Control Units, Cisco Aironet Wireless Bridge/Access Point, and Cisco 600 series DSL routers are vulnerable to a repeatable denial of service until the software is upgraded, or workarounds are applied.

Software Versions and Fixes

Microsoft has made a patch available for affected systems at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.

Cisco is providing the same patch at http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&size=246296. Documentation is available at http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code=&size=4541.

The Cisco Building Broadband Service Manager is documented separately at http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/urgent.htm.

The Cisco CSS 11000 Content Service Switch memory allocation error is fixed in versions R3.10 B78s, R4.01 B41s, R4.10 B21s, R5.0 B8s, and R5.01 B5.

The Cisco 6xx series vulnerability has been previously documented at http://www.cisco.com/warp/public/707/CBOS-multiple.shtml and is fixed in the latest releases of software.

Obtaining Fixed Software

Cisco is providing software patches and upgrades to supported products to remedy the vulnerability for all affected Cisco customers.

For most Cisco customers, upgrades are available through the Software Center on Cisco's Worldwide Web site at http://www.cisco.com/.

Customers without contracts can obtain the patch directly from Microsoft or by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows:

  (800) 553 2447 (toll-free from within North America)
  +1 408 526 7209 (toll call from anywhere in the world)
  E-mail: tac@cisco.com

See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including instructions and e-mail addresses for use in various languages.

Give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC or directly from Microsoft.
Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software upgrades.

Workarounds

We recommend following the instructions in the Microsoft security bulletin for addressing the actual vulnerability in IIS.

Workaround for CSS11000 Series Products

The memory allocation problem on the CSS 11000 Content Service Switches can be worked around by restricting XML access as shown:

    configure
    restrict xml

Workaround for Cisco 600 Series Products

To disable web management on port 80, set the web management port to some number greater than 1024, and configure the web remote address for a non-routable address.

    set web port number_greater-than_1024
    set web remote 10.10.10.10

Workaround for Cisco Aironet Wireless Bridge or Access Point: Disable Web Management

For the AP4800 series and Aironet Bridge devices, from the management console, select option 1 (Configuration Menu), then select option 4 (console menu), then check the setting of option 5 (Http). If setting is OFF, then web management is disabled. If setting is ON, select option 5 (Http) to toggle setting to OFF.

To avoid unnecessary handling of HTTP requests by Cisco routers running IOS, disable the HTTP server by applying:

    no ip http server

while in global configuration mode. If HTTP service is needed, consider restricting access by applying an access list command.

*NEW INFORMATION* Additional Workarounds for Handling "CodeRed" Traffic

Utilize NBAR feature to identify and block "CodeRed" traffic; discussed in detail at http://iponeverything.net/CodeRed.html

This workaround is applicable in Cisco IOS® Software version 12.1(5)T and later for many platforms.

Classify inbound Code Red traffic with the class-based marking feature in IOS.

    Router(config)#class-map match-any http-codered
    Router(config-cmap)#match protocol http url "*default.ida*"
    Router(config-cmap)#match protocol http url "*cmd.exe*"
    Router(config-cmap)#match protocol http url "*root.exe*"

Mark inbound Code Red traffic with a policy map. Once the inbound traffic has been classified as Code Red, it can be marked with a specific DSCP. For this example, a decimal value of '1' is used as it is unlikely that any other traffic would be marked with this DSCP.

    Router(config)#policy-map mark-inbound-http-codered
    Router(config-pmap)#class http-codered
    Router(config-pmap)#set ip dscp 1

Apply the service policy to the 'outside' interface so inbound traffic will be marked.

    Router(config)#int e 0/1
    Router(config-if)#service-policy input mark-inbound-http-codered

Block marked Code Red attempts with an ACL. The ACL will match on the DSCP value of '1' that was marked as the Code Red attempt entered in the box.

    Router(config)#access-list 105 deny ip any any dscp 1 log
    Router(config)#access-list 105 permit ip any any

Apply it outbound on the 'inside' interface where the target web servers are.

    Router(config)#int e 0/1
    Router(config-if)#ip access-group 105 out

Further router configuration options for dropping specific Code Red related traffic are located at the following URL:

  http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

Workaround for Cisco Cache/Content Engine Products

Additionally, Cisco Content Engines or Cisco Cache Engines can be configured to block "Code Red" associated traffic with a filter ruleset as described below.

Cache Engine/Content Engine

    rule enable
    rule block url-regex .*\.ida.*

Exploitation and Public Announcements

This issue is being exploited actively and has been discussed in numerous public announcements and messages.
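
The URL patterns given in the workarounds above (the three NBAR class-map wildcards and the Cache Engine url-regex) can also be run over web server or proxy access logs to find the hosts that sent matching requests. The following is an added example, not part of the Cisco advisory or the CIAC bulletin; the Common Log Format input, the function names, the case-insensitive matching and the sample log lines are assumptions of the example.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# URL wildcards from the advisory's NBAR class-map (match-any semantics).
NBAR_GLOBS = ("*default.ida*", "*cmd.exe*", "*root.exe*")
# Regex from the advisory's Cache Engine / Content Engine rule.
CACHE_ENGINE_RE = re.compile(r".*\.ida.*")

# Common Log Format is an assumption of this example, not stated by the advisory.
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines using documentation address ranges, not captured traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jul/2001:12:01:44 +0000] "GET /default.ida?NNNNNNNNNNNN HTTP/1.0" 404 0
192.0.2.10 - - [20/Jul/2001:12:01:45 +0000] "GET /scripts/root.exe?x HTTP/1.0" 404 0
198.51.100.7 - - [20/Jul/2001:12:02:10 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [20/Jul/2001:12:02:11 +0000] "GET /Search/Query.IDA?q=test HTTP/1.0" 200 512
203.0.113.5 - - [20/Jul/2001:12:03:00 +0000] "GET /scripts/CMD.EXE?x HTTP/1.0" 404 0
-- log rotated --
"""


def classify(url):
    """Return the names of the advisory's rules that a request URL matches."""
    lowered = url.lower()  # case-insensitive matching is this example's choice
    hits = ["nbar:" + g for g in NBAR_GLOBS if fnmatchcase(lowered, g)]
    if CACHE_ENGINE_RE.search(lowered):
        hits.append("cache-engine:" + CACHE_ENGINE_RE.pattern)
    return hits


def scan(log_text):
    """Return (hits per source address, findings, unparsed line count)."""
    per_source = Counter()
    findings = []
    skipped = 0
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            skipped += 1  # keep a count so malformed lines are not silently lost
            continue
        rules = classify(m["url"])
        if rules:
            per_source[m["src"]] += 1
            findings.append((m["src"], m["url"], rules))
    return per_source, findings, skipped


if __name__ == "__main__":
    per_source, findings, skipped = scan(SAMPLE_LOG)
    for src, url, rules in findings:
        print(f"{src:15} {url:32} {', '.join(rules)}")
    print("hits per source:", dict(per_source), "| unparsed lines:", skipped)
```

The Query.IDA sample line matches only the Cache Engine regex, which shows that `.*\.ida.*` covers any .ida request and not just default.ida, so legitimate .ida pages need to be accounted for before that rule is relied on.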
References include:

  http://www.cert.org/advisories/CA-2001-19.html
  http://www.eeye.com/html/Research/Advisories/AD20010618.html

The additional workarounds in this advisory utilizing the NBAR feature have been provided through the work of Randall Benn.

Status of This Notice: FINAL

This is a final notice. Although Cisco cannot guarantee the accuracy of all statements in this notice, all of the information has been checked to the best of our ability. Should there be a significant change in the facts, Cisco may update this notice.

Distribution

This notice will be posted on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml. In addition to Worldwide Web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients:

  cust-security-announce@cisco.com
  bugtraq@securityfocus.com
  firewalls@lists.gnac.com
  first-teams@first.org (includes CERT/CC)
  cisco@spot.colorado.edu
  cisco-nsp@puck.nether.net
  nanog@nanog.org
  incidents@securityfocus.com
  comp.dcom.sys.cisco
  Various internal Cisco mailing lists

Future updates of this notice, if any, will be placed on the Cisco Security Advisories page at http://www.cisco.com/go/psirt/, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the URL given above for any updates.

Revision History

+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-20 12:00 | Initial public release                     |
| 1.0      | UTC               |                                            |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-23 12:00 | Made Microsoft patch URL visible, and      |
| 1.1      | UTC               | changed relative links to fully qualified. |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Jul-31 20:00 | Updated to include CSS 11000 and old       |
| 2.0      | UTC               | network management platforms.              |
+----------+-------------------+--------------------------------------------+
| Revision | 2001-Aug-08 20:00 | Updated Workaround section and Affected    |
| 2.1      | UTC               | Products                                   |
+----------+-------------------+--------------------------------------------+

Cisco Product Security Incident Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's Worldwide Web site at http://www.cisco.com/warp/public/707/sec_incident_response.shtml. This includes instructions for press inquiries regarding Cisco security notices.

This notice is Copyright 2001 by Cisco Systems, Inc. This notice may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified, including all date and version information.

All contents are Copyright © 1992--2001 Cisco Systems Inc. All rights reserved.

[***** End Cisco Security Advisory Revision 2.1 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:

  Voice:    +1 925-422-8193 (7x24)
  FAX:      +1 925-423-8002
  STU-III:  +1 925-423-2604
  E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

  World Wide Web:  http://www.ciac.org/
  Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.