May 05, 2004

sasser and CSA

This is a notice from Cisco about how the Cisco Security Agent "protects" against the Sasser worm, for the people who have not patched their machines. Note the gap it admits to: CSA stops the worm from copying itself and running, but not from crashing LSASS.EXE, so an unpatched server still reboots.

It has come to my attention that there is some confusion regarding what our CSA for Voice Applications protects against regarding the recent Sasser worm.

Here is what we know so far:

- our policies do prevent Sasser from copying itself.
- our policies do prevent Sasser from executing.
- our policies do not prevent Sasser from crashing LSASS.EXE with a buffer overrun, therefore creating a denial of service attack risk since this crash causes the machine to reboot.

The CSA for Voice Applications policies do include the default buffer overrun rule from the CSA product, but apparently this was not effective in this case. We are still working with VsecBU on this and will keep you posted once we know more.

In the meantime, even though our customers that have CSA properly running on their voice application servers will not get infected with Sasser, they need to patch their systems to prevent them from rebooting once/if the worm makes it into the network those servers are directly connected to (firewalls are effective at stopping Sasser). We don't know exactly at what rate they are bound to see the DoS attack occur, but we do know it can happen.

Included below you will find instructions on patching customers' servers as per the announcement posted on customer-ccm-announce@cisco.com on Monday titled:

"Fixes for Sasser Virus (active exploit of MS04-011) for Cisco CallManager and Unity":

Callmanager, CER, PA, etc (non-Unity):
MS04-011 is in 2000.2.5sr7 and sr8 or 2000.2.6 posted on Cisco.com:
http://www.cisco.com/cgi-bin/tablebuild.pl/cmva-3des
For CallManager, please install the win-OS update and do not apply the patch from Microsoft.

Unity:
Since this is not a service pack, you can install the MS04-011 patch directly to a Unity server.
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Microsoft's Official Page:
http://www.microsoft.com/security/incident/sasser.asp
This page also includes a link to run a program to remove the virus AFTER the patch has been installed.


More information on the virus:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A
There are at least three variants: A, AB, and B.

Please let me know if you have further concerns regarding the effect of sasser on our voice application servers.
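The notice says CSA keeps a voice server from being infected but not from being rebooted by the LSASS crash, and that firewalls are what actually stop Sasser from reaching those servers. The useful operational question is therefore which hosts on the voice VLAN are already infected and hammering LSASS. The following is an added example, not code from the Cisco notice or from the blog author, that flags Sasser-style propagation in firewall logs. The two behaviours it looks for come from the public vendor write-ups linked above: an infected host fans out to many distinct addresses on TCP/445 (the path to LSASS), and a freshly exploited host pulls the worm body from the infector's FTP listener on TCP/5554. The log line format and the sample log itself are constructed for the example; the fan-out threshold and one-minute window are assumptions you would tune to your network.

```python
"""Flag Sasser-style propagation in firewall logs (added example).

Assumed log format (constructed for this example, not a real product's):
    <iso-timestamp> <allow|deny> src=<ip>:<port> dst=<ip>:<port> proto=tcp

Two signals are checked:
  * one source reaching many distinct hosts on tcp/445 inside a short window
    (the LSASS exploit path, which is what reboots unpatched servers)
  * any connection to tcp/5554 (the infector's FTP listener that serves the
    worm body; the destination is already infected, the source is about to be)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

_LINE_RE = re.compile(
    r"^(\S+) (allow|deny) src=(\S+):(\d+) dst=(\S+):(\d+) proto=(\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, sport, dst, dport, proto = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "action": action,
        "src": src,
        "sport": int(sport),
        "dst": dst,
        "dport": int(dport),
        "proto": proto,
    }


def fanout_by_source(events, dport, window):
    """Peak number of distinct destinations each source hit on `dport`
    within any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == dport:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    peaks = {}
    for src, seq in by_src.items():
        seq.sort()
        start, peak = 0, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in seq[start:end + 1]}))
        peaks[src] = peak
    return peaks


def find_sasser_candidates(lines, fanout_threshold=20, window=timedelta(seconds=60)):
    """Map IP -> findings for hosts showing Sasser-like behaviour.
    Threshold and window are assumed starting points, not vendor numbers."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    flagged = defaultdict(dict)
    for src, peak in fanout_by_source(events, 445, window).items():
        if peak >= fanout_threshold:
            flagged[src]["fanout_445"] = peak
    for ev in events:
        if ev["dport"] == 5554:
            flagged[ev["dst"]]["serves_5554"] = True   # already infected
            flagged[ev["src"]]["pulls_from_5554"] = True  # being infected now
    return dict(flagged)


# Constructed sample log (not from the page): one scanner, one benign host
# that keeps re-opening a share, and one victim fetching the worm body.
_T0 = datetime(2004, 5, 5, 19, 23, 0)


def _line(t, src, sport, dst, dport, action="deny"):
    return f"{t.isoformat()} {action} src={src}:{sport} dst={dst}:{dport} proto=tcp"


SAMPLE_LOG = "\n".join(
    [_line(_T0 + timedelta(milliseconds=500 * i), "10.0.0.5", 1024 + i,
           f"10.0.1.{i + 1}", 445) for i in range(25)]
    + [_line(_T0 + timedelta(seconds=s), "10.0.0.8", 3000 + s,
             "10.0.1.10", 445, "allow") for s in range(30)]
    + [_line(_T0 + timedelta(seconds=14), "10.0.0.9", 1045, "10.0.0.5", 5554, "allow")]
)

if __name__ == "__main__":
    for ip, findings in sorted(find_sasser_candidates(SAMPLE_LOG.splitlines()).items()):
        print(ip, findings)
```

A host that shows up with `fanout_445` is the one to pull off the voice VLAN first: every server it reaches that is running CSA but not MS04-011 will reboot, exactly the denial of service the notice warns about. The 5554 check catches the next victim before it starts scanning. Neither replaces the patch; this only shortens the time an infected machine spends on the network the CallManager and Unity servers are connected to.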

Posted by locutus at 07:23 PM | Comments (0)