CodeRed Could Halt Network Equipment Operation
10 Aug 2001
A breach in the Cisco equipment system security is detected, with IBM and Xerox also under suspicion
The world's largest telecommunications equipment producer, Cisco, has released the following information stating that the CodeRed Internet worm could cause a disturbance in the operation in several of the company's products. In part, the Cisco DSL routers (600 series), Cisco CSS switches (11000 series) and other equipment and software could be exposed to attack.
Also included in the list of products that could be attacked by CodeRed are the Cisco CallManager, Cisco Unity Server, Cisco uOne and other software using Microsoft Internet Information Server (IIS). In these cases, users are recommended to install the corresponding Microsoft patch and use the workaround measures for protection that Cisco offers.
The situation in regards to Cisco routers and switches poses an even more series threat: CodeRed could cause a serious halt in operation of the aforementioned products, making it necessary for a systems administrator in intervene; for example, an HTTP request sent by the worm via the Internet for penetrating other computers could cause Cisco DSL to stop forwarding traffic. In order to re-establish regular operation, it is necessary to reboot the system.
Generally, any equipment and software that "understands" 80-port HTTP requests could be exposed to a CodeRed attack resulting in unwanted after-effects. However, an actual infection by the worm is possible only on systems using IIS (with the service index switched on) and Windows 2000. In all other cases, the worm's side effects could lead to a disruption in operation. In addition, similar disruptions could be started only in the case of an incorrectly processed incoming HTTP request like the one with Cisco.
According to the information available from the electronic conference BugTraq that was created specifically for discussing information security problems, a similar processing halt in operation could also be found on Xerox equipment (on the network printer Xerox DocuPrint N40) and IBM switches (8275 series). IBM and Xerox representatives have not yet confirmed this information.