-
Cisco customers are currently experiencing attacks from a new worm that has hit the Internet. The worm's signature is a high volume of User Datagram Protocol (UDP) traffic to port 1434. Affected customers see this traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to, high CPU utilization and traffic drops on input interfaces.
The worm has been referred to by several names, including Slammer, Sapphire, and "MS SQL worm".
Networks may become unstable under the increased load; the traffic volume generated by this worm is very high.
-
This section provides details on affected products.
Vulnerable Products
For more information about Cisco products that are affected directly by this worm, refer to https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030126-ms02-061.
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by these vulnerabilities.
-
TCP port 1433 and UDP port 1434 are used for Microsoft SQL Server traffic. The new worm targets UDP port 1434 and attempts to exploit a buffer overflow vulnerability in Microsoft SQL Server.
Microsoft has issued a security advisory about this issue. For more details, refer to http://www.microsoft.com/technet/security/alerts/slammer.mspx .
-
Thus far the best mitigation is to block inbound and outbound traffic destined to UDP port 1434. Take care to minimize the impact on mission-critical services: UDP 1434 and TCP 1433 are legitimately used by Microsoft SQL Server. Before you block traffic to these ports, make sure that the possible implications for your network are fully understood. Once UDP port 1434 is blocked completely, the spread of the worm in its current form is contained. Affected systems remain infected, however, and can still spread within the contained section of the network, so Cisco advises that all affected servers be patched in accordance with Microsoft's recommendations.
For information about strategies to protect against Distributed Denial of Service attacks, refer to http://www.cisco.com/warp/public/707/newsflash.html.
Note: These workarounds previously blocked both ports 1433 and 1434, although there is no evidence that blocking port 1433 has any effect on the attack. Cisco has been alerted that mission-critical services, such as IP phone networks, require traffic to flow on port 1433, and has corrected the recommended access control lists (ACLs) accordingly.
Caution: As with any configuration change in a network, you must evaluate the impact of this configuration before you make the change.
ACL for IOS
This workaround applies to most router platforms unless a platform is mentioned specifically.
Note: In order to track source addresses, use Sampled NetFlow rather than "log" statements in ACLs; the high traffic volume combined with ACL logging can overwhelm the router.
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any

interface <interface>
 ip access-group 115 in
 ip access-group 115 out
The worm attempts to send packets to random IP addresses, some of which may not exist. When that occurs, the router replies with an "ICMP unreachable" packet. Replying to a large number of requests for invalid IP addresses can degrade the router's performance. To prevent this, issue these commands:
Router(config)# interface <interface>
Router(config-if)# no ip unreachables
Caution: Some configurations, such as certain types of tunnel structures, require ip unreachables. If the router must be able to send "ICMP unreachable" packets, you can instead rate limit the replies with this command, where <milliseconds> is the minimum interval between unreachable messages:
Router(config)# ip icmp rate-limit unreachable <milliseconds>
In Cisco IOS 12.0 and later, the default is one unreachable message every 500 ms (two packets per second).
Cisco 12000
Receive ACL Feature
On a Cisco 12000 (GSR) series router, packets destined to the router's own IP addresses are punted to the gigabit route processor (GRP) for processing. To protect the GRP, receive ACLs (rACLs) can be applied. An rACL filters traffic destined to the GRP: only explicitly permitted traffic is processed by the GRP, and denied traffic is dropped. In general, rACLs do not affect transit traffic (traffic that flows through the router), only traffic destined to the router itself.
rACLs are an extremely effective countermeasure against excessive attack traffic destined to the GRP. For more information, refer to GSR: Receive Access Control Lists.
VACL on the 6500
For simplicity and consistency, Cisco advises the use of IOS ACLs on the Cisco Catalyst 4000 with a Sup3 and on both Hybrid and Native configurations of the Cisco Catalyst 6500, together with the no ip unreachables command.
If you have already applied the VACL configuration originally published on this page, it is effective and does not need to be changed. The Catalyst 6000 can use IOS ACLs, but for some configurations VACLs are indicated.
Note: As you make configuration changes, use caution when VACLs are used in conjunction with IOS ACLs.
To configure:
set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM <vlan>
To verify:
show security acl info all
To remove:
clear security acl WORM
commit security acl WORM
CatOS with Sup2 and MLS
MLS statistics can help track down infected hosts. NetFlow must be enabled in full flow to see source and destination ports, as in this example:
switch> (enable) sh mls statistics entry ip
Last Used
Destination IP   Source IP        Prot  DstPrt  SrcPrt  Stat-Pkts  Stat-Bytes
---------------  ---------------  ----  ------  ------  ---------  ----------
10.81.176.91     172.16.34.35     UDP   1434    2776    0          0
172.31.171.82    172.16.34.35     UDP   1434    2776    0          0
168.192.57.204   172.16.188.61    UDP   1434    3460    1          404
172.17.136.55    172.16.34.135    UDP   1434    2917    0          0
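The flow table above is only useful once someone turns it into a list of hosts to isolate. The script below is an added example, not Cisco's code and not part of the original notice: it parses the text of show mls statistics entry ip and ranks each source host by how many distinct destinations it has hit on UDP/1434, which is the fan-out pattern a worm spraying random addresses produces and a single legitimate SQL client does not. The column layout is assumed to be the one printed above; the sample output embedded in the script is constructed with invented addresses and is not a capture.

```python
"""Added example (not Cisco's code): rank source hosts by UDP/1434 fan-out in
the text of `show mls statistics entry ip`, so infected machines can be found
from the switch's flow statistics. Assumptions: column layout as printed on
the page; the sample output below is constructed with invented addresses."""
import re
from collections import defaultdict

# Constructed sample modelled on the page's output; not a real capture.
SAMPLE_OUTPUT = """\
switch> (enable) sh mls statistics entry ip
Last Used
Destination IP   Source IP        Prot  DstPrt  SrcPrt  Stat-Pkts  Stat-Bytes
---------------  ---------------  ----  ------  ------  ---------  ----------
10.81.176.91     172.16.34.35     UDP   1434    2776    0          0
172.31.171.82    172.16.34.35     UDP   1434    2776    0          0
192.168.57.204   172.16.188.61    UDP   1434    3460    1          404
172.17.136.55    172.16.34.135    UDP   1434    2917    0          0
10.0.0.5         172.16.34.35     UDP   1434    2776    1          404
10.0.0.9         10.1.1.1         TCP   1433    49152   12         6000
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"^(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<dport>\d+)\s+(?P<sport>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s*$"
)


def parse_mls_entries(text):
    """Return one dict per flow row. The prompt, header and separator lines
    do not match and are skipped. Rows printed without port columns (NetFlow
    not in full-flow mode) also fail to match, so they are ignored rather
    than miscounted."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("dport", "sport", "pkts", "bytes"):
                d[k] = int(d[k])
            d["proto"] = d["proto"].upper()
            entries.append(d)
    return entries


def suspect_sources(text, port=1434, min_targets=2):
    """Sources with flows to UDP/<port> towards at least min_targets distinct
    destinations, most targets first (ties broken by address). High fan-out
    is the worm's scanning behaviour; one client talking to one server is not."""
    targets = defaultdict(set)
    for e in parse_mls_entries(text):
        if e["proto"] == "UDP" and e["dport"] == port:
            targets[e["src"]].add(e["dst"])
    ranked = sorted(targets.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(src, len(dsts)) for src, dsts in ranked if len(dsts) >= min_targets]


if __name__ == "__main__":
    for src, n in suspect_sources(SAMPLE_OUTPUT, min_targets=1):
        print(f"{src:<16} {n} distinct UDP/1434 destinations")
```

With the sample data, 172.16.34.35 is reported first because it has sprayed three distinct destinations; the two sources with a single UDP/1434 flow each fall below the default threshold and are left out, and the TCP/1433 flow is never counted. Paste real switch output in place of SAMPLE_OUTPUT to use it in the field.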
Catalyst 3550
Apply the IOS ACL on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs, on physical Layer 3 interfaces, and on Layer 3 EtherChannel interfaces, in both the inbound and outbound directions. Make sure that no ip unreachables is configured on the interface.
Apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is not also applied to the input of a Layer 3 interface (an error message is generated if you attempt to do so). For Layer 2 interfaces, the IOS ACL is supported on physical interfaces only, not on EtherChannel interfaces, and it can be applied in the inbound direction only.
Catalyst 2950
Apply the IOS ACL to the interface. Note that ACLs are supported in the inbound direction only. To apply ACLs to physical interfaces, the enhanced software image (EI) must be installed.
Catalyst 2900XL and 3500XL
These are Layer 2 switches with no Layer 3 ACLs support.
PIX
Generally the PIX blocks this worm unless it is explicitly configured to permit access to MS-SQL services, as in these examples:
access-list acl_out permit udp any host <address> eq 1434
or in previous versions of the PIX software:
conduit permit udp any any eq 1434
These commands permit the worm to reach the server at <address>. If it is not possible to patch the affected servers, Cisco advises you to close those ports by changing the statements from permit to deny, or by removing the commands completely.
Additionally, customers must deny outbound attempts to these ports:
access-list acl_inside deny udp any any eq 1434
or the corresponding outbound lists, but Cisco strongly advises ACLs in lieu of outbound lists.
CSIDS Signature
If a Cisco Secure Intrusion Detection System (CSIDS) is in use, a signature update file is available at http://www.cisco.com/pcgi-bin/tablebuild.pl/ids-appsens.
Alternatively, a custom signature string can be added to address this worm. Brief instructions are included here:
Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.UDP  SIGID 2nnnn (any number between 20000 and 50000)  SigName: SQL Slammer
___________________________________________________________________________
 0 - Edit ALL Parameters
 1 - AlarmInterval =
 2 - AlarmThrottle = FireAll
 3 - ChokeThreshold =
 4 - Direction = ToService
 5 - FlipAddr =
 6 - LimitSummary =
 7 - MaxInspectLength = 360
 8 - MinHits =
 9 - MinMatchLength =
10 * RegexString = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
11 - ResetAfterIdle = 15
12 * ServicePorts = 1434
13 - SigComment =
14 - SigName = SQL Slammer
15 - SigStringInfo =
16 - ThrottleInterval = 15
17 - WantFrag =
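To see what the custom signature above will and will not fire on before deploying it, the script below applies the same three parameters (ServicePorts, MaxInspectLength and RegexString) to UDP payloads offline. It is an added example, not Cisco's code and not the CSIDS engine itself; the matching semantics (inspect only datagrams to the service port, only the first 360 bytes, regex over raw bytes) are my reading of the listing. Every payload in it is a constructed stand-in: the worm-like sample uses placeholder shellcode bytes, not the real worm, and the legitimate SQL Server Resolution Service requests are built by hand.

```python
"""Added example (not Cisco's code): apply the STRING.UDP signature parameters
listed above to UDP payloads offline, to see what the signature does and does
not match. Assumptions: payloads are given as bytes; every sample below is a
constructed stand-in, not captured worm traffic, and the shellcode bytes are
placeholders rather than the worm's real code."""
import re

# Parameters copied from the signature wizard listing.
SERVICE_PORT = 1434                                          # ServicePorts
MAX_INSPECT_LENGTH = 360                                     # MaxInspectLength
REGEX_STRING = rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]"  # RegexString

# DOTALL: '.*' must be allowed to span NUL and newline bytes inside binary code.
SIGNATURE = re.compile(REGEX_STRING, re.DOTALL)


def matches_sql_slammer(payload: bytes, dst_port: int) -> bool:
    """Direction=ToService: inspect only datagrams sent to the service port,
    and only the first MaxInspectLength bytes of each."""
    if dst_port != SERVICE_PORT:
        return False
    return SIGNATURE.search(payload[:MAX_INSPECT_LENGTH]) is not None


# Constructed stand-in for the worm datagram: SQL Server Resolution Service
# request type 0x04, a run of 0x01 filler that overruns the buffer, a fake
# return address, then placeholder code that carries ".dll" library names.
SLAMMER_LIKE = (b"\x04" + b"\x01" * 96 + b"\xdc\xc9\xb0\x42"
                + b"\x90" * 16 + b"kernel32.dll\x00ws2_32.dll\x00" + b"\x90" * 200)

# Constructed legitimate Resolution Service requests: 0x02 enumerates all
# instances, 0x04 followed by an instance name queries one instance.
SSRS_ENUMERATE = b"\x02"
SSRS_INSTANCE = b"\x04MSSQLSERVER\x00"

# Edge case: the ".dll" string sits beyond byte 360, so the signature as
# tuned (MaxInspectLength = 360) will not see it.
DLL_PAST_LIMIT = b"\x04" + b"\x01" * 5 + b"A" * 400 + b".dll"


def triage(datagrams):
    """Apply the signature to (label, dst_port, payload) triples and return
    a label -> verdict mapping."""
    return {label: matches_sql_slammer(p, port) for label, port, p in datagrams}


if __name__ == "__main__":
    verdicts = triage([
        ("slammer-like to 1434", 1434, SLAMMER_LIKE),
        ("slammer-like to 1433", 1433, SLAMMER_LIKE),
        ("enumerate request", 1434, SSRS_ENUMERATE),
        ("instance query", 1434, SSRS_INSTANCE),
        ("dll past 360 bytes", 1434, DLL_PAST_LIMIT),
    ])
    for label, hit in verdicts.items():
        print(f"{'ALARM' if hit else 'pass '}  {label}")
```

Two things the run makes visible: a normal instance query also begins with 0x04, but the byte after it is the first character of the instance name rather than 0x01, so the five 0x01 bytes in the regex are what keep the signature from alarming on legitimate browser traffic; and because MaxInspectLength is 360, a ".dll" string that appears later in a datagram is never examined, which is worth remembering if the parameter is lowered to save sensor CPU.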
-
When you consider software upgrades, refer to http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, exercise caution to make certain that the devices to be upgraded contain sufficient memory and that the current hardware and software configurations are still properly supported by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) for assistance.
-
This issue is being exploited and is discussed in numerous public announcements and messages. References include:
-
http://www.cert.org/advisories/CA-2003-04.html
-
http://www.eeye.com/html/Research/Flash/AL20030125.html
Some Cisco products are affected by this worm. For consultation, refer to Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Revision 1.6
2003-February-13
Corrected VACL recommendations to remove source port 1434; clarified NetFlow requirement for MLS output; clarified Sampled NetFlow for tracking.
Revision 1.5
2003-January-28
Updates to Workarounds section: moved "VACL on 6500" section, added VACL configuration example, removed duplicate untitled "VACL on 6500" section, added additional switch configuration notes. Corrected formatting in CSIDS section. Added multiple cautions on "IP Unreachables", including the effect on configurations that require ip unreachables, such as tunnels.
Revision 1.4
2003-January-27
Updates to Details section: changed port 1433 and 1434 information.
Updates to Workarounds section: added "VACL on the 6500" section, changed the configuration example.
Update to PIX section: changed how the commands permit this worm to connect to the server.
Update to Cisco Intrusion Detection System (CSIDS) Signature section: changed the URL.
Revision 1.3
2003-January-26
Updates to Summary section: added link to companion document. Updates to the Workaround section: removed section on VACL on the 6500
Revision 1.2
2003-January-26
Updates to Microsoft link in Details section.
Updates to the Workaround section: added new paragraph after first paragraph, added new information on ACL for IOS.
Updates to Exploitation section: added new paragraph with link.
Updates to Security Procedures: removed the sentence "Information regarding ....".
Revision 1.1
2003-January-25
Updates to the workaround section, which include information on PIX, Cisco Intrusion Detection System (CSIDS), and updates to all ACLs and VACLs, changing the UDP 1433 to TCP 1433, and 1433 was removed altogether due to impact to critical applications. Updates to the summary section to reflect updated information. Changed Advisory to Notice, as this document reflects mitigation and does not reflect affected products.
Revision 1.0
2003-January-25
Initial public release.
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy, and may lack important information or contain factual errors. The information in this document is intended for end-users of Cisco products.