Apologies if you have seen this multiple times. It is a little more complete than previous posted items.

- R

Cisco Technical Assistance Center News Flash - August 16, 2001
http://www.cisco.com/tac
--------------------------------------------
"Code Red" Worm Update
____________________________________________

Dear Cisco Customer,

For the most up-to-date information on the "Code Red" worm, visit the Cisco TAC Web Site "'Code Red' Technical Tips" page. Be sure to check this page for new and updated documents. The "'Code Red' Technical Tips" page can be reached at:
http://www.cisco.com/tac/newsflash/codered_tt_08162001.html

ISSUES REGARDING THE "CODE RED" WORM

There are three main issues to deal with regarding the "Code Red" worm:

1. The worm infects and replicates through a vulnerability in the Microsoft Internet Information Server (IIS). This creates an infection exposure for Cisco products that embed or run on IIS. This exposure can be dealt with by applying Microsoft patches to the IIS servers. These patches are available at:
   http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/...

2. The earlier versions of the worm launched Denial of Service (DoS) attacks from the infected servers targeted at the White House Web Site. These DoS attacks can create high volumes of Internet-bound traffic.

3. The most recent variant of the worm creates high volumes of traffic on local networks, which may disrupt general network performance.

The majority of the calls the Cisco TAC is receiving from customers are not due to Cisco products being infected by the worm; rather, many customers are experiencing the indirect impact that is caused by the messaging storms that occur because infected IIS servers are generating large amounts of network traffic while attempting to infect other IIS servers. This network traffic may cause networking equipment to become overloaded, which results in slow response, reloads, and other types of network equipment failures.
Workarounds for the affected equipment, where applicable, are available at the "Cisco Security Advisory: 'Code Red' Worm" page, which can be found at:
http://www.cisco.com/tac/newsflash/codered_secadvisory_08162001.html

UNDERSTANDING THE "CODE RED" WORM

A malicious self-replicating program known as the "Code Red" worm is targeted at systems running the Microsoft IIS. Several Cisco products are installed or provided on targeted systems. Additionally, the behavior of the worm can cause problems for other network devices.

The following Cisco products are vulnerable to infection because they run affected versions of Microsoft IIS:

* Cisco CallManager
* Cisco Unity Server
* Cisco uOne
* Cisco ICS 7750
* Cisco Building Broadband Service Manager
* Cisco IP/VC 3540 Application Server

Other Cisco products may also be adversely affected by the "Code Red" worm. Please read "Cisco Security Advisory: 'Code Red' Worm" for further details. This advisory can be accessed at:
http://www.cisco.com/tac/newsflash/codered_secadvisory_08162001.html

All updates and workarounds are available under the "Featured Links" section of the Cisco TAC Web Home Page, which can be reached at:
http://www.cisco.com/tac/newsflash/featured_links_08162001.html

To access the documents directly, go to the "'Code Red' Technical Tips" page. This page can be reached at:
http://www.cisco.com/tac/newsflash/codered_tt_08162001.html

You can prevent the infection of servers and stop the spread of the worm by applying a Microsoft patch to vulnerable servers. This patch is available at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/...

Once infected, a system may require additional repair due to the damage caused by the worm. This is also documented on the Microsoft Web Site at:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutio...
ADDITIONAL RESOURCES

The Cisco TAC Web Site "'Code Red' Technical Tips" page includes new and updated documents with details about how the worm virus impacts Cisco networks, and what you can do to protect your network. These additional resources include:

* "Cisco Security Advisory: 'Code Red' Worm - Customer Impact"
* "The Network-Based Application Recognition and Access Control Lists for Blocking the 'Code Red' Worm at Network Ingress Points"
* "Dealing with 'mallocfail' and High CPU Utilization Resulting From the 'Code Red' Worm"
* "How to Filter 'Code Red' on Cisco Cache and Content Engines"

CISCO PRODUCT SECURITY INCIDENT PROCEDURES

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, registering to receive security information from Cisco, and handling press inquiries regarding Cisco security notices is available at:
http://www.cisco.com/tac/newsflash/prod_security_08162001.html

Sincerely,
Cisco TAC

--
\_   Roger De Salis              rdesalis(a)cisco.com
'    Cisco Systems NZ Ltd        +64 25 481 452
/)   L8, ASB Tower, 2 Hunter St  +64 4 496 9003
(/   Wellington, New Zealand     roger(a)desalis.gen.nz
`    By 2003, every home should have a Terabyte file server, a 10Mbps Internet Connection, a decent firewall and no M$ taxes.