Local Cisco customers cut down by Blaster worm
- — 19 August, 2003 12:01
Users of some Cisco Systems' products have been shocked to discover that the Blaster worm that has been burrowing its way into Microsoft's Windows-enabled systems around the world is also affecting some Cisco gear.
Some local Australian companies have even been affected to the point where not only their data services, but also their voice services (such as phone systems) were affected by the worm.
Organisations running Cisco’s Voice over IP telephony solutions were affected by the worm because Cisco voice management products (such as CallManager) were deployed on Windows-based servers.
An IT manager at Sydney-based systems integrator Logical Networks, Dermott McCann, said that several Cisco users had reported infections, and that the integrator itself had discovered infections in some of its non-essential servers.
“The [Cisco software] is susceptible to the virus as effectively it is running on Windows 2000 server,” he said. “If the server goes down, your phones go down.”
Cisco Systems has made a patch available from its Web site – but this is a separate fix to the patch released by Microsoft.
This had confused some users, McCann said.
Cisco said that affected customers had experienced high volumes of traffic from both internal and external systems, and symptoms included, but were not limited to, high CPU and traffic drops on the input interfaces.
The company said that the signature of the Blaster worm appeared as UDP traffic to Port 69 and as high volumes of traffic to Port 135 and 4444. The effects of the worm could be assuaged by blocking the ports it used to multiply itself, scanning for new infections, and by propagating the executable code.
However, blocking these ports might have side effects including disabling file sharing functionality within the network, breaking existing TFTP functionality within the network, and blocking existing Kerberos authentication functions and Oracle 9i implementations, the company said.
The following products require a patch from Cisco: Cisco CallManager; Cisco Building Broadband Service Manager v5.1, v5.2 and HotSpot 1.0; Cisco Response Application Server; Cisco Personal Assistant; Cisco Conference Connection; Cisco Emergency Responder.
Cisco also recommends that users, who have Cisco products that run on a Microsoft operating system, also load the patch from Microsoft, at www.microsoft.com.
For a list of Cisco affected products visit http://www.cisco.com/warp/public/707/cisco-sn-20030814-blaster.shtml.