Cisco Unified IP Phone 7900 Series

Field Notice: "Code Red" Affecting Cisco CP-79xx Series IP Phones


August 17, 2001



Products Affected

Product     Comments
CP-7910     Cisco IP Phone
CP-7940     Cisco IP Phone
CP-7960     Cisco IP Phone

Problem Description

IP Telephony networks that have been infected with the "Code Red" worm (see the Cisco Security Advisory for more information) flood the network with malformed IP packets addressed to port 80. CP-79xx IP phones listen on port 80 and can become overwhelmed by the flood until their internal buffers are exhausted, or can otherwise be affected by the IP payload. This problem exists in both the 3.0.(x) and 3.1.(x) versions of Cisco CallManager.

Background

Several users reported a problem with the CP-79xx phones after their network was attacked by the "Code Red" worm. The IP phones were not infected and were not perpetuating the attack. Rather, they were affected by the IP packets transmitted by the offending server.

In some "Code Red" cases the phones did not reset or lose services. This was due to several factors, including proper network design and configuration, current firmware defenses against malicious packets, and speed of recovery.

However, the phone code was re-examined to further protect the devices from this and future variants of viruses. These code improvements include closing certain ports to traffic, limiting the number of allowable sessions, and improving the buffer-overflow handling code.
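The offending server described above is recognisable from the outside by the traffic pattern the notice names: one source sweeping many destinations on port 80. The following is an added example, not part of the Cisco field notice, that applies that fan-out check to constructed flow records and lists which addresses in an assumed phone subnet (10.2.0.0/24, a placeholder) were hit, so the infected host can be isolated before phones are overwhelmed.

```python
# Added example (not Cisco's code): flag sources that fan out to TCP port 80
# across many destinations within a short window, the scanning pattern of the
# worm described in the notice, and report the phone-subnet addresses they hit.
import ipaddress
from collections import defaultdict


def load_flows():
    """Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port)."""
    flows = [
        (0, "10.1.1.5", "10.2.0.10", 80),    # one workstation, one phone: normal
        (0, "10.1.1.5", "10.3.0.2", 443),    # unrelated traffic, not port 80
        (5, "10.1.1.7", "10.3.0.9", 8080),   # not port 80, ignored
    ]
    # Constructed worm-like sweep: a single source hits 40 phone addresses on
    # port 80 within 40 seconds. Addresses are placeholders, not real hosts.
    flows += [(t, "10.1.1.20", f"10.2.0.{h}", 80)
              for t, h in enumerate(range(1, 41), start=1)]
    return flows


def port80_fanout(flows, phone_subnet, window_s=60, threshold=20):
    """Return {src_ip: sorted phone-subnet IPs it touched} for every source
    that contacted more than `threshold` distinct port-80 destinations
    inside any sliding window of `window_s` seconds."""
    net = ipaddress.ip_network(phone_subnet)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 80:                       # only the worm's target port
            by_src[src].append((ts, dst))
    offenders = {}
    for src, events in by_src.items():
        events.sort()                         # order by timestamp
        start = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] < ts - window_s:   # slide window forward
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) > threshold:
                hit = {d for _, d in events if ipaddress.ip_address(d) in net}
                offenders[src] = sorted(hit, key=ipaddress.ip_address)
                break                          # one verdict per source
    return offenders


if __name__ == "__main__":
    for src, phones in port80_fanout(load_flows(), "10.2.0.0/24").items():
        print(f"{src} swept {len(phones)} phone addresses on port 80")
```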

Problem Symptoms

The symptoms depend on the CallManager version you are running.

CallManager 3.0.(x):

The firmware load accepts IP traffic on port 80; however, this is not required for typical phone operation. Tests indicate that under certain attacks the phone may reset or disable network-based directories and certain "services".

CallManager 3.1.(1):

The firmware load requires listening on port 80. Tests again indicate that, while under attack, phones may reset or disable network-based directories and certain "services". In addition, if the phone is either reset or fails over to a secondary CallManager during the attack, it fails to connect to a CallManager, leaving the phone in a "dead" state.

Workaround/Solution

The current workarounds include new firmware loads for both versions of CallManager.

To follow the Software Center links below, you must be a registered user and you must be logged in.

CallManager 3.0.(x):

Since there is no requirement for port 80, a new load has been built that effectively discards any traffic arriving on port 80. This load is currently available at http://www.cisco.com/cgi-bin/tablebuild.pl/callmgr as "3.0(11)spA" for CallManager 3.0.(11). Refer to the included "readme.txt" file for installation and confirmation instructions.

CallManager 3.1.(x):

Listening on port 80 is required in this firmware load, so a different type of defense mechanism is needed. The new firmware load continues to accept packets destined for port 80. However, it limits the number of sockets available, and the recovery methods invoked, in order to minimize any effects on the phone. This new firmware load is also available at http://www.cisco.com/tacpage/sw-center/telephony/crypto/voice-apps/ (registered customers only) and includes installation and confirmation instructions.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods: