Advisory ID: cisco-sa-20030125-worm
For Public Release 2003 January 25 14:00 UTC (GMT)
Status of this Notice: Final
Cisco customers are currently experiencing attacks from a new worm that has hit the Internet. The signature of this worm is high volumes of User Datagram Protocol (UDP) traffic to port 1434. Affected customers see high volumes of traffic from both internal and external systems. Symptoms on Cisco devices include, but are not limited to, high CPU utilization and traffic drops on input interfaces.
The worm has been referenced by several names, which include Slammer, Sapphire, and "MS SQL worm".
Networks can become unstable because of the increased load; the traffic volume generated by this worm is very high.
This section provides details on affected products.
For more information about Cisco products that are directly affected by this worm, refer to http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030126-ms02-061.
No other Cisco products are currently known to be affected by these vulnerabilities.
TCP port 1433 and UDP port 1434 are used for Microsoft Structured Query Language (SQL) Server traffic. The new worm targets UDP port 1434 and attempts to exploit a buffer overflow vulnerability in Microsoft SQL Server.
Microsoft has issued a security advisory about this issue. For more details, refer to http://www.microsoft.com/technet/security/alerts/slammer.mspx .
CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.
Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at
Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
On Microsoft operating systems, UDP port 1434 can be blocked by means of an IPSec policy.
This document details mitigation techniques to block and filter the UDP port 1434 traffic with the help of Cisco devices.
When you consider software upgrades, refer to http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, the customers must exercise caution to make certain the devices upgraded contain sufficient memory and that the current hardware and software configurations are still supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) for assistance.
Thus far the best mitigation is to block inbound and outbound traffic destined to UDP port 1434. Be careful to minimize the impact on mission critical services that legitimately use 1434/UDP and 1433/TCP, the ports Microsoft SQL Server relies on. Before traffic to these ports is blocked, make completely sure that the possible implications for your network are understood. Once UDP port 1434 is blocked completely, the spread of the worm in its current form is contained. The affected systems are still infected and able to spread within the contained section of the network, so Cisco advises that all affected servers be patched in accordance with Microsoft's recommendations.
For information about strategies to protect against Distributed Denial of Service attacks, refer to http://www.cisco.com/warp/public/707/newsflash.html.
Note: These workarounds previously blocked both ports 1433 and 1434, although there is no evidence that blocking port 1433 has any effect on the attack. Cisco has been alerted that mission critical services, such as IP phone networks, require traffic to flow on port 1433 and has corrected the recommended access control lists (ACLs) accordingly.
Caution: As with any configuration change in a network, you must evaluate the impact of this configuration before you make the change.
This workaround applies to most router platforms unless a platform is mentioned specifically.
Note: In order to track the source addresses, use Sampled NetFlow rather than "log" statements in ACLs, because the high traffic volume in combination with the log statement can overwhelm the router.
access-list 115 deny udp any any eq 1434
access-list 115 permit ip any any
interface <interface>
 ip access-group 115 in
 ip access-group 115 out
The worm attempts to send packets to random IP addresses, some of which might not exist. When that occurs, the router replies with an "ICMP unreachable" packet. In some cases, replying to a large number of requests with invalid IP addresses can degrade the router's performance. To prevent such occurrences, issue these commands:
Router(config)# interface <interface>
Router(config-if)# no ip unreachables
Caution: Some configurations, such as certain types of tunnel structures, require the use of ip unreachables. If the router must be able to send "ICMP unreachable" packets, you can rate limit the number of replies with this command:
Router(config)# ip icmp rate-limit unreachable <millisecond>
In Cisco IOS 12.0 and later, the default rate limit is set to two packets per second.
Receive ACL Feature
On a Cisco 12000 (GSR) series router, packets destined to the router's IP addresses are punted to the gigabit route processor (GRP) for processing. In order to protect the GRP, receive ACLs (rACLs) can be applied. The rACLs filter traffic destined to the GRP: only traffic explicitly permitted is processed by the GRP, and denied traffic is dropped. In general, rACLs do not affect transit traffic (traffic that flows through a router), only traffic destined to the router itself.
The rACLs are an extremely effective countermeasure to mitigate the effects of excessive attack traffic destined to the GRP. For more information, refer to GSR: Receive Access Control Lists.
For simplicity and consistency, Cisco advises the use of IOS ACLs on the Cisco Catalyst 4000 with a Sup3 and on Hybrid and Native configurations of the Cisco Catalyst 6500. Additionally, Cisco advises the use of the no ip unreachables command.
If you have already applied the VACL configuration originally found on this page, it is effective and does not need to be changed. The Catalyst 6000 can use IOS ACLs, but for some configurations VACLs are indicated.
Note: As you make configuration changes, use caution when you use VACLs in conjunction with IOS ACLs.
set security acl ip WORM deny udp any any eq 1434
set security acl ip WORM permit any
commit security acl WORM
set security acl map WORM
show security acl info all
clear security acl WORM
commit security acl WORM
MLS statistics can help track down infected hosts. NetFlow must be enabled in full-flow mode to see source and destination ports, as in this example:
switch> (enable) sh mls statistics entry ip
Last Used
Destination IP   Source IP        Prot  DstPrt  SrcPrt  Stat-Pkts  Stat-Bytes
---------------  ---------------  ----  ------  ------  ---------  ----------
10.81.176.91     172.16.34.35     UDP   1434    2776    0          0
172.31.171.82    172.16.34.35     UDP   1434    2776    0          0
18.104.22.168    172.16.188.61    UDP   1434    3460    1          404
172.17.136.55    172.16.34.135    UDP   1434    2917    0          0
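The output above is only useful if someone reads it, and on a busy switch it runs to many screens. The following is an added example, not part of the Cisco notice or any Cisco tool: a small Python parser for `show mls statistics entry ip` output that groups UDP/1434 flows by source address and reports sources talking to several distinct destinations, which is the fan-out pattern a scanning host produces and a legitimate SQL client does not. The sample output is constructed to match the shape of the listing above (the page's rows plus one benign TCP/1433 row so the filter has something to ignore), and the threshold of two destinations is an assumption to tune for your own network.

```python
"""Pick out likely infected hosts from `show mls statistics entry ip` output.

Added example, not part of the Cisco notice. SAMPLE_MLS_OUTPUT is a constructed
sample shaped like the advisory's listing; the extra TCP/1433 row is benign.
"""
from collections import defaultdict

SAMPLE_MLS_OUTPUT = """\
Last Used
Destination IP   Source IP        Prot  DstPrt  SrcPrt  Stat-Pkts  Stat-Bytes
---------------  ---------------  ----  ------  ------  ---------  ----------
10.81.176.91     172.16.34.35     UDP   1434    2776    0          0
172.31.171.82    172.16.34.35     UDP   1434    2776    0          0
18.104.22.168    172.16.188.61    UDP   1434    3460    1          404
172.17.136.55    172.16.34.135    UDP   1434    2917    0          0
10.81.176.20     172.16.34.35     TCP   1433    40015   12         3072
"""


def parse_mls_entries(text):
    """Parse flow rows into dicts; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # A flow row has exactly seven columns and a protocol name in column three.
        if len(parts) != 7 or parts[2] not in ("UDP", "TCP"):
            continue
        dst, src, proto, dport, sport, pkts, nbytes = parts
        entries.append({
            "dst": dst, "src": src, "proto": proto,
            "dport": int(dport), "sport": int(sport),
            "pkts": int(pkts), "bytes": int(nbytes),
        })
    return entries


def suspected_infected_hosts(entries, port=1434, min_destinations=2):
    """Sources with UDP flows to `port` towards at least `min_destinations`
    distinct destinations (threshold is an assumption; tune it per network).

    A legitimate client talks to few peers on UDP/1434; an infected host sprays
    random destinations, so per-source fan-out is the signal.
    """
    fan_out = defaultdict(set)
    for e in entries:
        if e["proto"] == "UDP" and e["dport"] == port:
            fan_out[e["src"]].add(e["dst"])
    return sorted(src for src, dsts in fan_out.items() if len(dsts) >= min_destinations)


if __name__ == "__main__":
    flows = parse_mls_entries(SAMPLE_MLS_OUTPUT)
    print(suspected_infected_hosts(flows))  # ['172.16.34.35']
```

Paste real switch output in place of the sample, or pipe it in, and raise `min_destinations` if ordinary SQL clients in your environment legitimately reach more than one server; the hosts it reports are the ones to isolate and patch per the Microsoft guidance referenced above.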
Apply the IOS ACL on switch virtual interfaces (SVIs), which are Layer 3 interfaces to VLANs, on physical Layer 3 interfaces, and on Layer 3 EtherChannel interfaces, in both the inbound and outbound directions. Make sure that no ip unreachables is configured on the interface.
Apply the IOS ACL to Layer 2 interfaces on the switch only if an IOS ACL is not also applied to the input of a Layer 3 interface (an error message is generated upon attempts to do so). For Layer 2 interfaces, the IOS ACL is supported on physical interfaces only, not on EtherChannel interfaces, and it can be applied in the inbound direction only.
Apply the IOS ACL to the interface. Note that ACLs are supported in the inbound direction only. In order to apply ACLs to physical interfaces, the enhanced software image (EI) must be installed.
These are Layer 2 switches with no Layer 3 ACLs support.
Generally the PIX blocks this worm unless it is explicitly configured to permit access to MS-SQL services, as in these examples:
access-list acl_out permit udp any host <address> eq 1434
or in previous versions of the PIX software:
conduit permit udp any any eq 1434
These commands permit the worm to reach the server at <address>. If it is not possible to patch the affected servers, Cisco advises you to close those ports by changing the statements from permit to deny, or by removing the commands completely.
Additionally, customers must deny outbound attempts to these ports:
access-list acl_inside deny udp any any eq 1434
or the corresponding outbound lists, but Cisco strongly advises ACLs in lieu of outbound lists.
If a Cisco Secure Intrusion Detection System (CSIDS) is in use, a signature update file is available at http://www.cisco.com/pcgi-bin/tablebuild.pl/ids-appsens.
Alternatively, a custom signature string can be added to address this worm. Brief instructions are included here:
Tune Signature Parameters : CSIDS Signature Wizard
___________________________________________________________________________
Current Signature: Engine STRING.UDP SIGID 2nnnn (any number between 20000 and 50000) SigName: SQL Slammer
___________________________________________________________________________
 0 - Edit ALL Parameters
 1 - AlarmInterval =
 2 - AlarmThrottle = FireAll
 3 - ChokeThreshold =
 4 - Direction = ToService
 5 - FlipAddr =
 6 - LimitSummary =
 7 - MaxInspectLength = 360
 8 - MinHits =
 9 - MinMatchLength =
10 * RegexString = \x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]
11 - ResetAfterIdle = 15
12 * ServicePorts = 1434
13 - SigComment =
14 - SigName = SQL Slammer
15 - SigStringInfo =
16 - ThrottleInterval = 15
17 - WantFrag =
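Three of the wizard settings interact in ways worth seeing on real bytes: the RegexString, ServicePorts with Direction = ToService (only datagrams sent to UDP/1434 are inspected), and MaxInspectLength = 360 (a match that only completes beyond byte 360 is missed). The following is an added example, not part of the Cisco notice or the CSIDS product: Python that applies those three settings to a handful of constructed datagrams. The regex, port and inspect length are taken from the listing above; the datagrams are made up and contain only the bytes the regex itself names, and treating `.` as matching any byte (DOTALL) is an assumption about the sensor's regex engine.

```python
"""Apply the STRING.UDP signature from the wizard listing to sample datagrams.

Added example, not part of the Cisco notice or CSIDS. Regex, service port and
MaxInspectLength come from the listing; the datagrams are constructed, and
DOTALL (`.` matches any byte) is an assumption about the sensor's engine.
"""
import re

# RegexString from the wizard, compiled as a byte pattern.
SIG_REGEX = re.compile(rb"\x04\x01\x01\x01\x01\x01.*[.][Dd][Ll][Ll]", re.DOTALL)
SERVICE_PORTS = {1434}      # ServicePorts = 1434, Direction = ToService
MAX_INSPECT_LENGTH = 360    # MaxInspectLength = 360


def matches_slammer_signature(dst_port, payload):
    """True when a UDP datagram sent to a service port matches the signature.

    Only the first MAX_INSPECT_LENGTH payload bytes are examined, as the
    sensor setting implies.
    """
    if dst_port not in SERVICE_PORTS:
        return False
    return SIG_REGEX.search(payload[:MAX_INSPECT_LENGTH]) is not None


# Constructed datagrams: (label, destination port, payload). None is captured
# traffic; "signature-like" reproduces only the bytes the regex itself names.
PREFIX = b"\x04\x01\x01\x01\x01\x01"
SAMPLE_DATAGRAMS = [
    ("single-byte-query", 1434, b"\x02"),
    ("signature-like", 1434, PREFIX + b"\x01" * 90 + b"sample.DLL"),
    ("same-bytes-to-1433", 1433, PREFIX + b"\x01" * 90 + b"sample.DLL"),
    ("dll-without-prefix", 1434, b"\x04\x02" + b"sample.dll"),
    ("dll-beyond-inspect-length", 1434, PREFIX + b"\x01" * 400 + b"sample.dll"),
]


def fired_alerts(datagrams):
    """Labels of the datagrams the signature fires on."""
    return [label for label, port, payload in datagrams
            if matches_slammer_signature(port, payload)]


if __name__ == "__main__":
    print(fired_alerts(SAMPLE_DATAGRAMS))  # ['signature-like']
```

The last two samples are the cases to keep in mind when tuning: a ".dll" string without the leading byte sequence does not fire, and a match that would only complete past byte 360 is invisible to a sensor configured with this MaxInspectLength, so raise that value with care if the payload you expect to see is longer.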
Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.
Do not contact either "firstname.lastname@example.org" or "email@example.com" for software upgrades.
Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.
- +1 800 553 2447 (toll free from within North America)
- +1 408 526 7209 (toll call from anywhere in the world)
- e-mail: firstname.lastname@example.org
Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
This issue is being exploited and is discussed in numerous public announcements and messages. References include:
Some Cisco products are affected by this worm. Refer to Cisco Security Advisory: Microsoft SQL Server 2000 Vulnerabilities in Cisco Products - MS02-061.
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
This notice is posted on Cisco's worldwide website at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20030125-worm. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to these e-mail and Usenet news recipients:
- email@example.com (includes CERT/CC)
- Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's worldwide web. Users concerned about this problem are encouraged to check the URL given for any updates.
Corrected VACL recommendations to remove source port 1434; clarified NetFlow requirement for MLS output; clarified Sampled NetFlow for tracking.
Updates to Workarounds section: moved "VACL on 6500" section, added VACL config example, removed duplicate, untitled VACL on 6500 section, added additional switch configuration notes. Corrected formatting in CIDS section. Added multiple cautions on "IP Unreachables", which include the effect on configurations that require ip unreachables, such as tunnels.
Updates to Details section: changed port 1433 and 1434 information.
Updates to Workarounds section: added "VACL on the 6500" section, changed the configuration example.
Update to PIX section: changed how the commands will permit this worm to connect to the server.
Update to Cisco Intrusion Detection System (CSIDS) Signature section: changed the URL.
Updates to Summary section: added link to companion document.
Updates to the Workaround section: removed section on VACL on the 6500.
Updates to Microsoft link in Details section.
Updates to the Workaround section: added new paragraph after first paragraph, added new information on ACL for IOS.
Updates to Exploitation section: added new paragraph with link.
Updates to Security Procedures: removed the sentence "Information regarding ....".
Updates to the workaround section, which include information on PIX, Cisco Intrusion Detection System (CSIDS), and updates to all ACLs and VACLs, changing the UDP 1433 to TCP 1433, and 1433 was removed altogether due to impact to critical applications. Updates to the summary section to reflect updated information. Changed Advisory to Notice, as this document reflects mitigation and does not reflect affected products.
Initial public release.
If you have any new information that would be of use to us, send an email to firstname.lastname@example.org.
Complete information on how to report security vulnerabilities in Cisco products, obtain assistance with security incidents, and register to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries about Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.