Fwd: Cisco Security Advisory: "Code Red" Worm Customer Impact
Alfredo E. Cotroneo
alfredo a NEXUS.ORG
Fri 20 Jul 2001 22:05:09 CEST
Attention: some Cisco products also use IIS ;-))) and are vulnerable
to the "Code Red Worm" (see below).
Now perhaps that explains the slowdowns and packet loss on
Interbusiness, never mind the G8!
By the way ... there is a version no. 2 of the "worm" going around, patch your
>-----BEGIN PGP SIGNED MESSAGE-----
> Cisco Security Advisory: "Code Red" Worm Customer Impact
>Revision 1.0 For public release 2001 July 20 12:00 UTC
> A malicious self replicating program known as the "Code Red" worm is
> targeted at systems running the Microsoft Internet Information Server
> (IIS). Several Cisco products are installed or provided on targeted
> systems. Additionally, the behavior of the worm can cause problems for
> other network devices.
> The following Cisco products are vulnerable because they run affected
> versions of Microsoft IIS:
> * Cisco CallManager
> * Cisco Unity Server
> * Cisco uOne
> * Cisco ICS7750
> Other Cisco products may also be adversely affected by the "Code Red"
> worm. Please see the Affected Products section for further details.
> The worm and its effects may be remedied by applying the Microsoft
> patch to affected servers,
> This advisory is available at
> http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml .
> The following Cisco products are directly vulnerable because they run
> affected versions of Microsoft IIS:
> * Cisco CallManager
> * Cisco Unity Server
> * Cisco uOne
> * Cisco ICS7750
> * Cisco Building Broadband Service Manager
> Other Cisco products may be indirectly affected by the IIS
> vulnerability (this is not an exhaustive list):
> * Cisco 600 series of DSL routers that have not been patched per the
> Cisco Security Advisory,
> http://www.cisco.com/warp/public/707/CBOS-multiple.shtml , will
> stop forwarding traffic when scanned by a system infected by the
> "Code Red" worm. The power must be cycled to restore normal
> * Cisco Network Management products are not directly affected but
> might be installed on a Microsoft platform running a vulnerable
> version of IIS.
> The "Code Red" worm exploits a known vulnerability in Microsoft IIS by
> passing a specially crafted URI to the default HTTP service, port 80,
> on a susceptible system. The URI consists of binary instructions which
> cause the infected host to either begin scanning other random IP
> addresses and pass the infection on to any other vulnerable systems it
> finds, or launch a denial of service attack targeted at the IP address
> 126.96.36.199 which until very recently was assigned to
> www.whitehouse.gov. In both cases the worm replaces the web server's
> default web page with a defaced page at the time of initial infection.
> The worm does not check for pre-existing infection, so that any given
> system may be executing as many copies of the worm as have scanned it,
> with a compounding effect on system and network demand.
> As a side-effect, the URI used by the worm to infect other hosts
> causes Cisco 600 series DSL routers to stop forwarding traffic by
> triggering a previously-published vulnerability. Any 600 series
> routers scanned by the "Code Red" worm will not resume normal service
> until the power to the router has been cycled.
> The nature of the "Code Red" worm's scan of random IP addresses and
> the resulting sharp increase in network traffic can noticeably affect
> Cisco Content Service Switches and Cisco routers running IOS,
> depending on the device and its configuration. Unusually high CPU
> utilization and memory starvation may occur.
> The "Code Red" worm is causing widespread denial of service on the
> Internet and is compromising large numbers of vulnerable systems. Once
> infected, the management of a Cisco CallManager product is disabled or
> severely limited until the defaced web page is removed and the
> original management web page is restored.
>Software Versions and Fixes
> Microsoft has made a patch available for affected systems at
> security/bulletin/MS01-033.asp .
> Cisco is providing the same patch at
> with documentation at
> Cisco Building Broadband Service Manager is documented separately at
> gent.htm .
>Obtaining Fixed Software
> Cisco is making available software patches and upgrades to remedy this
> vulnerability for all affected Cisco customers.
> For most Cisco customers, upgrades are available through the Software
> Center on Cisco's Worldwide Web site at http://www.cisco.com/.
> Customers without contracts can obtain the patch directly from
> Microsoft or by contacting the Cisco Technical Assistance Center
> (TAC). TAC contacts are as follows:
> * (800) 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * E-mail: tac a cisco.com
> See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
> for additional TAC contact information, including instructions and
> e-mail addresses for use in various languages.
> Give the URL of this notice as evidence of your entitlement to a
> free upgrade. Free upgrades for non-contract customers must be
> requested through the TAC or directly from Microsoft. Please do not
> contact either "psirt a cisco.com" or "security-alert a cisco.com" for
> software upgrades.
> We recommend following the instructions in the Microsoft security
> bulletin for addressing the actual vulnerability.
>Exploitation and Public Announcements
> This issue is being exploited actively and has been discussed in
> numerous public announcements and messages. References include:
> * http://www.cert.org/advisories/CA-2001-19.html
> * http://www.eeye.com/html/Research/Advisories/AD20010618.html
>Status of This Notice: FINAL
> This is a final notice. Although Cisco cannot guarantee the accuracy
> of all statements in this notice, all of the information has been
> checked to the best of our ability. Should there be a significant
> change in the facts, Cisco may update this notice.
> This notice will be posted on Cisco's Worldwide Web site at
> In addition to Worldwide Web posting, a text version of this notice
> is clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients:
> * cust-security-announce a cisco.com
> * bugtraq a securityfocus.com
> * firewalls a lists.gnac.com
> * first-teams a first.org (includes CERT/CC)
> * cisco a spot.colorado.edu
> * cisco-nsp a puck.nether.net
> * nanog a nanog.org
> * incidents a securityfocus.com
> * comp.dcom.sys.cisco
> * Various internal Cisco mailing lists
> Future updates of this notice, if any, will be placed on the Cisco
> Security Advisories page at http://www.cisco.com/go/psirt/, but
> may or may not be actively announced on mailing lists or newsgroups.
> Users concerned about this problem are encouraged to check the URL
> given above for any updates.
> Revision 1.0 2001-Jul-20 Initial public release
>Cisco Product Security Incident Procedures
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml .
> This includes instructions for press inquiries regarding Cisco
> security notices.
> This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
> be redistributed freely after the release date given at the top of the
> text, provided that redistributed copies are complete and unmodified,
> including all date and version information.
>-----BEGIN PGP SIGNATURE-----
>-----END PGP SIGNATURE-----
Alfredo E. Cotroneo, CEO, NEXUS-Int'l Broadcasting Association
PO Box 11028, 20110, Milano, Italy email: alfredo a nexus.org
ph: +39-335-214-614 (try first)/+39-02-266-6971 fax: +39-02-706-38151
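The advisory quoted above attributes the load on routers and content switches to infected hosts scanning random IP addresses on port 80. As an added example (not part of the original message or of Cisco's advisory), the sketch below flags sources that contact many distinct destinations on that port within a short window. The flow-record layout, the thresholds and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = (
    # One host touching 8 different servers on port 80 in 8 seconds.
    [(t, "192.0.2.10", f"203.0.113.{t + 1}", 80) for t in range(8)]
    # Ordinary client: many requests, always to the same server.
    + [(t * 3, "192.0.2.20", "198.51.100.5", 80) for t in range(10)]
    # Six different servers, but spread over ten minutes.
    + [(t * 120, "192.0.2.30", f"198.51.100.{t + 10}", 80) for t in range(6)]
    # Same fan-out as the first host, but on port 443.
    + [(t, "192.0.2.40", f"203.0.113.{t + 50}", 443) for t in range(8)]
)


def find_scanners(flows, port=80, window=60, min_dsts=5):
    """Return {src: peak distinct destinations contacted on `port` within
    any `window`-second span} for sources whose peak reaches `min_dsts`.

    `window` and `min_dsts` are illustrative thresholds, not values taken
    from the advisory; tune them against normal traffic on your network.
    """
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside window
    peak = defaultdict(int)      # src -> highest distinct-destination count
    for ts, src, dst, dport in sorted(flows):
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop entries that have aged out of the sliding window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_dsts}


if __name__ == "__main__":
    for src, n in sorted(find_scanners(SAMPLE_FLOWS).items()):
        print(f"{src}: {n} distinct port-80 destinations within 60s")
```

Counting distinct destinations rather than total connections is what separates the scanning host from a busy but ordinary client in the sample data.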