I received this email from one of the SEs in Cisco's Calgary office.  Code
Red may impact certain Cisco products.

Both Cisco and Microsoft are advertising a fix (details are included below).

-----Original Message-----
Most of you have probably seen the Code Red worm affecting Microsoft IIS.

As some Cisco software uses Microsoft IIS for the underlying Operating
System, please read the field alert to see if you are running the following
Cisco products listed below.  Please contact your local Cisco SE for help.

http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml


Cisco Security Advisory: "Code Red" Worm - Customer Impact

Revision 1.0

For Public Release 2001 July 20 12:00

Summary

A malicious self-replicating program known as the "Code Red" worm is
targeted at systems running the Microsoft Internet Information Server
(IIS). Several Cisco products are installed or provided on targeted
systems. Additionally, the behavior of the worm can cause problems for
other network devices.

The following Cisco products are vulnerable because they run affected
versions of Microsoft IIS:

     Cisco CallManager
     Cisco Unity Server
     Cisco uOne
     Cisco ICS7750

Other Cisco products may also be adversely affected by the "Code Red" worm.
Please see the Affected Products section for further details.

The worm and its effects may be remedied by applying the Microsoft patch to
affected servers:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp.

This advisory is available at
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml.

Affected Products

The following Cisco products are directly vulnerable because they run
affected versions of Microsoft IIS:

     Cisco CallManager
     Cisco Unity Server
     Cisco uOne
     Cisco ICS7750
     Cisco Building Broadband Service Manager

Other Cisco products may be indirectly affected by the IIS vulnerability
(this is not an exhaustive list):

     Cisco 600 series of DSL routers that have not been patched per the
     Cisco Security Advisory,
     http://www.cisco.com/warp/public/707/CBOS-multiple.shtml, will stop
     forwarding traffic when scanned by a system infected by the "Code Red"
     worm. The power must be cycled to restore normal service.

     Cisco Network Management products are not directly affected, but they
     might be installed on a Microsoft platform running a vulnerable version
     of IIS.

Details

The "Code Red" worm exploits a known vulnerability in Microsoft IIS by
passing a specially crafted Uniform Resource Identifier (URI) to the
default HTTP service, port 80, on a susceptible system. The URI consists of
binary instructions which cause the infected host to either begin scanning
other random IP addresses and pass the infection on to any other vulnerable
systems it finds, or launch a denial of service attack targeted at the IP
address 198.137.240.91 which, until very recently, was assigned to
www.whitehouse.gov. In both cases, the worm replaces the web server's
default web page with a defaced page at the time of initial infection.

The worm does not check for pre-existing infection, so that any given
system may be executing as many copies of the worm as have scanned it, with
a compounding effect on system and network demand.

As a side-effect, the URI used by the worm to infect other hosts causes
Cisco 600 series DSL routers to stop forwarding traffic by triggering a
previously-published vulnerability. Any 600 series routers scanned by the
"Code Red" worm will not resume normal service until the power to the
router has been cycled.

The nature of the "Code Red" worm's scan of random IP addresses and the
resulting sharp increase in network traffic can noticeably affect Cisco
Content Service Switches and Cisco routers running Cisco IOS software,
depending on the device and its configuration. Unusually high CPU
utilization and memory starvation may occur.

Impact

The "Code Red" worm is causing widespread denial of service on the Internet
and is compromising large numbers of vulnerable systems. Once infected, the
management of a Cisco CallManager product is disabled or severely limited
until the defaced web page is removed and the original management web page
is restored.

Software Versions and Fixes

Microsoft has made a patch available for affected systems at .

Cisco is providing the same patch at
http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/win-IIS-SecurityUpdate-2.exe&swtype=FCS&code=&size=246296.

Documentation is available at
http://www.cisco.com/pcgi-bin/Software/Tablebuild/doftp.pl?ftpfile=cisco/voice/callmgr/win-IIS-SecurityUpdate-Readme-2.htm&swtype=FCS&code=&size=4541.

The Cisco Building Broadband Service Manager is documented separately at
http://www.cisco.com/univercd/cc/td/doc/product/aggr/bbsm/bbsm50/urgent.htm
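
The scanning and flooding behaviour described in the Details section, as an added detection example that is not part of the original message or the Cisco advisory: it flags sources that contact many distinct port-80 destinations within a short window, and sources sending port-80 traffic to the DoS target address quoted above. The flow record layout, the threshold, the window length and the function name are assumptions.

```python
from collections import defaultdict

DOS_TARGET = "198.137.240.91"   # address named in the advisory
HTTP_PORT = 80
FANOUT_THRESHOLD = 5            # assumed; tune to the site's baseline
WINDOW_SECONDS = 60             # assumed sliding-window length

def find_suspect_hosts(flows, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: set_of_reasons} for sources that look infected.

    flows: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port), a
    hypothetical layout standing in for NetFlow or firewall log records.
    """
    per_src = defaultdict(list)
    suspects = defaultdict(set)
    for ts, src, dst, port in sorted(flows):
        if port != HTTP_PORT:
            continue
        if dst == DOS_TARGET:
            suspects[src].add("dos-target")
        per_src[src].append((ts, dst))

    for src, events in per_src.items():
        start = 0
        in_window = defaultdict(int)   # dst -> events inside current window
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have aged out of the sliding window.
            while events[start][0] <= ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                suspects[src].add("port80-scan")
                break
    return dict(suspects)

# Constructed sample flows: 10.0.0.5 sweeps many addresses, 10.0.0.9 keeps
# returning to one web server, 10.0.0.7 sends to the DoS target.
SAMPLE_FLOWS = (
    [(i, "10.0.0.5", f"192.0.2.{i + 1}", 80) for i in range(8)]
    + [(i * 10, "10.0.0.9", "192.0.2.200", 80) for i in range(8)]
    + [(3, "10.0.0.7", DOS_TARGET, 80), (4, "10.0.0.7", "192.0.2.200", 443)]
)

print(find_suspect_hosts(SAMPLE_FLOWS))
```

Because the worm picks addresses at random, distinct-destination fan-out is a steadier signal than raw request volume, which a busy proxy would also produce.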