Fwd: Cisco Security Advisory: "Code Red" Worm Customer Impact
Alfredo E. Cotroneo
alfredo a NEXUS.ORG
Fri 20 Jul 2001 22:05:09 CEST
Note that some Cisco products also use IIS ;-))) and are vulnerable
to the "Code Red Worm" (see below).
Now perhaps the slowdowns and packet loss on
Interbusiness are explained, never mind the G8!
By the way ... there is a version no. 2 of the "worm" going around, patch your
systems!
Regards.
Alfredo
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
> Cisco Security Advisory: "Code Red" Worm Customer Impact
>
>Revision 1.0 For public release 2001 July 20 12:00 UTC
> _________________________________________________________________
>
>Summary
>
> A malicious self replicating program known as the "Code Red" worm is
> targeted at systems running the Microsoft Internet Information Server
> (IIS). Several Cisco products are installed or provided on targeted
> systems. Additionally, the behavior of the worm can cause problems for
> other network devices.
>
> The following Cisco products are vulnerable because they run affected
> versions of Microsoft IIS:
>
> * Cisco CallManager
> * Cisco Unity Server
> * Cisco uOne
> * Cisco ICS7750
>
> Other Cisco products may also be adversely affected by the "Code Red"
> worm. Please see the Affected Products section for further details.
>
> The worm and its effects may be remedied by applying the Microsoft
> patch to affected servers,
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/
> security/bulletin/MS01-033.asp.
>
> This advisory is available at
> http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml .
>
>Affected Products
>
> The following Cisco products are directly vulnerable because they run
> affected versions of Microsoft IIS:
>
> * Cisco CallManager
> * Cisco Unity Server
> * Cisco uOne
> * Cisco ICS7750
> * Cisco Building Broadband Service Manager
>
> Other Cisco products may be indirectly affected by the IIS
> vulnerability (this is not an exhaustive list):
>
> * Cisco 600 series of DSL routers that have not been patched per the
> Cisco Security Advisory,
> http://www.cisco.com/warp/public/707/CBOS-multiple.shtml , will
> stop forwarding traffic when scanned by a system infected by the
> "Code Red" worm. The power must be cycled to restore normal
> service.
> * Cisco Network Management products are not directly affected but
> might be installed on a Microsoft platform running a vulnerable
> version of IIS.
>
>Details
>
> The "Code Red" worm exploits a known vulnerability in Microsoft IIS by
> passing a specially crafted URI to the default HTTP service, port 80,
> on a susceptible system. The URI consists of binary instructions which
> cause the infected host to either begin scanning other random IP
> addresses and pass the infection on to any other vulnerable systems it
> finds, or launch a denial of service attack targeted at the IP address
> 198.137.240.91 which until very recently was assigned to
> www.whitehouse.gov. In both cases the worm replaces the web server's
> default web page with a defaced page at the time of initial infection.
>
> The worm does not check for pre-existing infection, so that any given
> system may be executing as many copies of the worm as have scanned it,
> with a compounding effect on system and network demand.
>
> As a side-effect, the URI used by the worm to infect other hosts
> causes Cisco 600 series DSL routers to stop forwarding traffic by
> triggering a previously-published vulnerability. Any 600 series
> routers scanned by the "Code Red" worm will not resume normal service
> until the power to the router has been cycled.
>
> The nature of the "Code Red" worm's scan of random IP addresses and
> the resulting sharp increase in network traffic can noticeably affect
> Cisco Content Service Switches and Cisco routers running IOS,
> depending on the device and its configuration. Unusually high CPU
> utilization and memory starvation may occur.
>
>Impact
>
> The "Code Red" worm is causing widespread denial of service on the
> Internet and is compromising large numbers of vulnerable systems. Once
> infected, the management of a Cisco CallManager product is disabled or
> severely limited until the defaced web page is removed and the
> original management web page is restored.
>
>Software Versions and Fixes
>
> Microsoft has made a patch available for affected systems at
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/
> security/bulletin/MS01-033.asp .
>
> Cisco is providing the same patch at
> http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=c
> isco/voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&size=
> 246296
> with documentation at
> http://www.cisco.com/cgi-bin/Software/Tablebuild/doftp.pl?ftpfile=c
> isco/voice/callmgr/win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code
> =&size=4541
>
> Cisco Building Broadband Service Manager is documented separately at
> http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/ur
> gent.htm .
>
>Obtaining Fixed Software
>
> Cisco is making available software patches and upgrades to remedy this
> vulnerability for all affected Cisco customers.
>
> For most Cisco customers, upgrades are available through the Software
> Center on Cisco's Worldwide Web site at http://www.cisco.com/.
>
> Customers without contracts can obtain the patch directly from
> Microsoft or by contacting the Cisco Technical Assistance Center
> (TAC). TAC contacts are as follows:
>
> * (800) 553 2447 (toll-free from within North America)
> * +1 408 526 7209 (toll call from anywhere in the world)
> * E-mail: tac a cisco.com
>
> See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
> for additional TAC contact information, including instructions and
> e-mail addresses for use in various languages.
>
> Give the URL of this notice as evidence of your entitlement to a
> free upgrade. Free upgrades for non-contract customers must be
> requested through the TAC or directly from Microsoft. Please do not
> contact either "psirt a cisco.com" or "security-alert a cisco.com" for
> software upgrades.
>
>Workarounds
>
> We recommend following the instructions in the Microsoft security
> bulletin for addressing the actual vulnerability.
>
>Exploitation and Public Announcements
>
> This issue is being exploited actively and has been discussed in
> numerous public announcements and messages. References include:
>
> * http://www.cert.org/advisories/CA-2001-19.html
> * http://www.eeye.com/html/Research/Advisories/AD20010618.html
>
>Status of This Notice: FINAL
>
> This is a final notice. Although Cisco cannot guarantee the accuracy
> of all statements in this notice, all of the information has been
> checked to the best of our ability. Should there be a significant
> change in the facts, Cisco may update this notice.
>
>Distribution
>
> This notice will be posted on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml
> In addition to Worldwide Web posting, a text version of this notice
> is clear-signed with the Cisco PSIRT PGP key and is posted to the
> following e-mail and Usenet news recipients:
>
> * cust-security-announce a cisco.com
> * bugtraq a securityfocus.com
> * firewalls a lists.gnac.com
> * first-teams a first.org (includes CERT/CC)
> * cisco a spot.colorado.edu
> * cisco-nsp a puck.nether.net
> * nanog a nanog.org
> * incidents a securityfocus.com
> * comp.dcom.sys.cisco
> * Various internal Cisco mailing lists
>
> Future updates of this notice, if any, will be placed on the Cisco
> Security Advisories page at http://www.cisco.com/go/psirt/, but
> may or may not be actively announced on mailing lists or newsgroups.
> Users concerned about this problem are encouraged to check the URL
> given above for any updates.
>
>Revision History
>
> Revision 1.0 2001-Jul-20 Initial public release
>
>Cisco Product Security Incident Procedures
>
> Complete information on reporting security vulnerabilities in Cisco
> products, obtaining assistance with security incidents, and
> registering to receive security information from Cisco, is available
> on Cisco's Worldwide Web site at
> http://www.cisco.com/warp/public/707/sec_incident_response.shtml .
> This includes instructions for press inquiries regarding Cisco
> security notices.
> _________________________________________________________________
>
> This notice is Copyright 2001 by Cisco Systems, Inc. This notice may
> be redistributed freely after the release date given at the top of the
> text, provided that redistributed copies are complete and unmodified,
> including all date and version information.
> _________________________________________________________________
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2
>
>iQEVAwUBO1f3m2iN3BRdFxkbAQHFrQf9FkJJdW0EsGmOqKCjO+KACbE+G++pnY+X
>AOQRWvyV+XZwLo4VWAcS47A6p2e/hOEcqOBSgYYX8L+dbsF/8geHURhCTQB628kQ
>uvtc+A2q9rxIjLqrZcjda7rwZB9ISqXxRZbuTOomtKGx2n2CQ/4K67/j2QFYs+1P
>Mf02XKv4IUF1N6adKh23aJ0DILoFmge4b26V7NtHEDJ70fJyqSzk1z+soHlyeZ+z
>wGwUCMGfSlQr5uXhD5bJF8b5unYNiANy6lGS0uotjapNZN8JmbQeEjCX1Bf7bAlm
>0l+LgwM7Q4Y0n7poXOw7Pw52r3bcL2XuxTY4BJSl97Fbt3daUxPiVw==
>=7r1T
>-----END PGP SIGNATURE-----
--
Alfredo E. Cotroneo, CEO, NEXUS-Int'l Broadcasting Association
PO Box 11028, 20110, Milano, Italy email: alfredo a nexus.org
ph: +39-335-214-614 (try first)/+39-02-266-6971 fax: +39-02-706-38151
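The Details section of the forwarded advisory describes the worm's only observable on a web server: a specially crafted, padded URI sent to port 80, repeated by every infected host that happens to scan the target. The following is an added example (not part of the Cisco advisory or of Alfredo's message) that runs that description as detection logic over constructed access-log lines in Common Log Format. It assumes the `/default.ida` path and the long run of identical padding characters as the request signature; those come from the public CERT/eEye write-ups the advisory references, not from the advisory text itself, and the hosts, timestamps and shortened padding in the sample are constructed.

```python
"""Flag Code Red probe attempts in a web-server access log.

Added example, not code from the Cisco advisory or the forwarded message.
Assumptions: Common Log Format input; '/default.ida' plus a long run of one
padding character is the publicly documented Code Red request signature
(see the CERT and eEye references in the advisory), not a value taken from
the advisory text.
"""
import re
from collections import Counter

# Constructed sample log lines: documentation addresses, and the worm's
# padding shortened to 224 characters so the sample stays readable.
PADDING = "N" * 224
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [20/Jul/2001:10:01:12 +0000] "GET /index.html HTTP/1.0" 200 1024',
    f'192.0.2.17 - - [20/Jul/2001:10:02:03 +0000] "GET /default.ida?{PADDING}%u4141 HTTP/1.0" 200 0',
    f'198.51.100.9 - - [20/Jul/2001:10:02:40 +0000] "GET /default.ida?{PADDING}%u4141 HTTP/1.0" 404 0',
    '10.0.0.5 - - [20/Jul/2001:10:03:01 +0000] "GET /search.ida?q=cisco HTTP/1.0" 200 512',
    f'192.0.2.17 - - [20/Jul/2001:10:05:59 +0000] "GET /default.ida?{PADDING}%u4141 HTTP/1.0" 200 0',
    '203.0.113.4 - - [20/Jul/2001:10:06:10 +0000] "GET /page?' + "ab" * 150 + ' HTTP/1.0" 200 3000',
])

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
RUN_RE = re.compile(r"(.)\1{99,}")   # 100 or more copies of one character in a row
MIN_QUERY_LEN = 200                  # the worm's query is far longer than any normal one


def parse_line(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_code_red_request(uri):
    """True when the URI looks like the worm's padded .ida request.

    Both conditions are required: a .ida path alone is an ordinary Index
    Server query, and a long query alone is not unusual on a busy site.
    """
    path, sep, query = uri.partition("?")
    if not sep or not path.lower().endswith(".ida"):
        return False
    return len(query) >= MIN_QUERY_LEN and RUN_RE.search(query) is not None


def analyze_log(text):
    """Summarise probe attempts: total hits, hits per source, and how many
    the server answered with a non-error status.

    Per-source counts matter because, as the advisory notes, the worm never
    checks for an existing infection: the same host keeps being scanned by
    every infected machine that finds it, so repeated sources are the
    infected peers to report upstream. A 4xx/5xx answer shows the .ida
    request was refused (for instance because the ISAPI mapping was removed);
    a 2xx only shows the handler answered and says nothing about patch state.
    """
    hits = [rec for rec in map(parse_line, text.splitlines())
            if rec and is_code_red_request(rec["uri"])]
    by_source = Counter(h["src"] for h in hits)
    accepted = sum(1 for h in hits if h["status"] < 400)
    return {
        "hits": len(hits),
        "by_source": by_source,
        "accepted": accepted,
        "sources": sorted(by_source),
    }


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    print(f"{report['hits']} Code Red probe(s), {report['accepted']} answered without error")
    for src, n in report["by_source"].most_common():
        print(f"  {src}: {n} attempt(s)")
```

Run the file on a real access log by replacing `SAMPLE_LOG` with the log contents; the per-source list is what you would pass to the owner of each scanning host, since every entry is itself an infected IIS machine.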