Affected:
IIS 4.0 on Microsoft Windows NT 4.0
IIS 5.0 on Windows 2000 Servers
IIS 6.0 beta on Windows XP beta
Third party products utilizing Microsoft's IIS web servers for web-based functionality
Cisco 600 series DSL routers that have not been patched can suffer a Denial of Service as a side effect of the Code Red Worm.
Systems listening on HTTP port 80 may be affected to varying degrees by the numerous port 80 requests sent by the CodeRed worm.
Overview:
Analysis of the CodeRed worm indicates it will reoccur beginning August 1, 2001, infecting unpatched Microsoft IIS web servers and re-infecting previously infected servers that are still unpatched.
Details:
Symantec Corporation strongly advises its customers to be aware of the Code Red Worm, predicted to reoccur beginning 1 August 2001 (see CERT Advisory CA-2001-23). The CodeRed worm is malicious code sent as an HTTP request (CodeRed Write-Up). The worm's HTTP request exploits a known buffer-overflow vulnerability in Microsoft's IIS web servers (Symantec Enterprise Security Solutions protect against the Microsoft Windows IIS Index Server ISAPI System-level Remote Access Buffer Overflow). This exploit was publicly acknowledged, and a patch protecting against it has been available, since 18 June 2001 (Microsoft Security Bulletin MS01-033).
NOTE: There has been considerable discussion as to whether Index Server on NT 4.0 or Indexing Service on Win2K must be enabled for the exploit to be effective. Neither Index Server 2.0 (NT 4.0) nor Indexing Service (Win2K) needs to be activated to exploit this vulnerability: by default, whenever IIS is installed, the offending DLL is installed with it (MS bulletin FAQ).
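A defender reading the Details section above will want to confirm from IIS logs whether the worm's oversized ISAPI request reached a host, and which sources sent it most often. The following Python script is an added example, not part of this Symantec advisory or of any Symantec product. It assumes the IIS W3C extended log layout, that the vulnerable Index Server ISAPI extension is mapped to the .ida and .idq extensions (the advisory names only "the offending dll"; the mapping is taken from MS01-033), and a query-length threshold of 200 bytes chosen for the example. The log lines and the request stem in SAMPLE_LOG are constructed, not captured traffic; the check keys on the extension and query length, not on any particular stem or payload.

```python
"""Flag HTTP requests in an IIS W3C extended log that match the shape of an
Index Server ISAPI (.ida/.idq) buffer-overflow attempt: a request for the
vulnerable extension carrying an unusually long query string."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption (from MS01-033, not from the advisory text): the vulnerable
# ISAPI extension is mapped to .ida and .idq.
ISAPI_EXT_RE = re.compile(r"\.id[aq]$", re.IGNORECASE)

# Assumption: threshold chosen for this example. Legitimate Index Server
# queries are short; the overflow requires a long one.
QUERY_LEN_THRESHOLD = 200


@dataclass
class Hit:
    client_ip: str
    uri_stem: str
    query_len: int


def parse_w3c_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text into one dict per request line.

    The '#Fields:' directive names the columns; other '#' lines are
    comments. Values are space separated and '-' stands for empty.
    """
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            # Malformed line: skip it rather than mis-assign columns.
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_overflow_attempts(text: str) -> List[Hit]:
    """Return one Hit per .ida/.idq request whose query exceeds the threshold."""
    hits: List[Hit] = []
    for rec in parse_w3c_log(text):
        stem = rec.get("cs-uri-stem", "-")
        query = rec.get("cs-uri-query", "-")
        if not ISAPI_EXT_RE.search(stem):
            continue
        query_len = 0 if query == "-" else len(query)
        if query_len >= QUERY_LEN_THRESHOLD:
            hits.append(Hit(rec.get("c-ip", "-"), stem, query_len))
    return hits


def sources_by_volume(hits: List[Hit]) -> Counter:
    """Count flagged requests per source address (noisy scanners stand out)."""
    return Counter(h.client_ip for h in hits)


# Constructed sample log: one normal page, one short legitimate .idq query,
# and three oversized .ida requests from two sources. The query payload is
# a filler string, not the worm's actual request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-01 00:00:01 192.0.2.10 GET /index.html - 200
2001-08-01 00:00:02 192.0.2.11 GET /search.idq CiRestriction=quarterly 200
2001-08-01 00:00:03 198.51.100.7 GET /query.ida {long} 200
2001-08-01 00:00:09 198.51.100.7 GET /query.ida {long} 200
2001-08-01 00:00:12 203.0.113.4 GET /query.ida {long} 200
""".format(long="A" * 300)


if __name__ == "__main__":
    found = find_overflow_attempts(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.client_ip} {hit.uri_stem} query_len={hit.query_len}")
    print("sources:", dict(sources_by_volume(found)))
```

Run against a real log by passing the file contents to find_overflow_attempts; a hit on a patched host is still worth recording because, as the Affected section notes, the request volume alone can degrade other devices listening on port 80.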
Risk Impact:
High for unpatched systems
Security Solution:
Symantec STRONGLY recommends downloading and installing the recommended patches for maximum protection against the exploit of the underlying IIS vulnerability by the Code Red worm. Microsoft has developed hotfixes for the vulnerability exploited by the CodeRed worm for both IIS 4.0 and IIS 5.0.
The hotfix for IIS 4.0 on Microsoft Windows NT 4.0 and the hotfix for IIS 5.0 on Microsoft Windows 2000 Server and Advanced Server are available from the respective Microsoft TechNet Security pages.
Symantec Solutions:
Symantec offers multiple options to check for and help protect against this threat and the underlying vulnerability for both consumer and corporate users of Symantec products. For details on the detection updates available as well as worm removal tools, see the Additional Information section of the CodeRed Write-Up.
Copyright (c) 2001 by Symantec Corp.
Permission to redistribute this Alert electronically is granted as long as it is not edited in any way unless authorized by the SARC. Reprinting the whole or part of this Alert in any medium other than electronic requires permission from Symantec.
Disclaimer:
The information in this advisory is believed to be accurate at the time of printing, based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec product names and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
For security issues, contact symsecurity@symantec.com. SymSecurity PGP Key is available from MIT's PGP key server as well as from Certserver.pgp.com.