We recommend following the instructions in the Microsoft security
bulletin for addressing the actual vulnerability in IIS.
Workaround for CSS11000 Series Products
The memory allocation problem on the CSS 11000 Content Service Switches
can be worked around by restricting XML access as shown:
To disable web management on port 80, set the web management port to
some number greater than 1024, and configure the web remote address for a
    set web port number_greater-than_1024
    set web remote 10.10.10.10
For the AP4800 series and Aironet Bridge devices, from the management
console, select option 1 (Configuration Menu), then select
option 4 (console menu), then check the setting of option
5 (Http). If the setting is OFF, web management is disabled.
If the setting is ON, select option 5 (Http) to toggle the setting to
To avoid unnecessary handling of HTTP requests by Cisco routers running
IOS, disable the HTTP server by applying:
    no ip http server
while in global configuration mode. If HTTP service is needed, consider
restricting access by applying an access list command.
Utilize the NBAR feature in supported Cisco IOS Software versions to
aid in "Code Red" traffic identification and mitigation. This is discussed in
This workaround is applicable in Cisco IOS Software Version 12.1(5)T and later
for many platforms.
Classify inbound Code Red traffic with the class-based marking feature:
    Router(config)#class-map match-any http-codered
    Router(config-cmap)#match protocol http url "*default.ida*"
    Router(config-cmap)#match protocol http url "*cmd.exe*"
    Router(config-cmap)#match protocol http url "*root.exe*"
Mark inbound Code Red traffic with a policy map.
Once the inbound traffic has been classified as Code Red, it can be
marked with a specific DSCP. For this example, a decimal value of '1' is used
as it is unlikely that any other traffic would be marked with this DSCP.
The policy map references the class map defined above:
    Router(config)#policy-map mark-inbound-http-codered
    Router(config-pmap)#class http-codered
    Router(config-pmap-c)#set ip dscp 1
Apply the service policy to the 'outside' interface so inbound traffic
will be marked:
    Router(config)#int e 0/0
    Router(config-if)#service-policy input mark-inbound-http-codered
Block marked Code Red attempts with an ACL. The ACL matches on the
DSCP value of '1' that was set when the Code Red attempt entered the router:
    Router(config)#access-list 105 deny ip any any dscp 1 log
    Router(config)#access-list 105 permit ip any any
Apply it outbound on the 'inside' interface where the target web
    Router(config)#int e 0/1
    Router(config-if)#ip access-group 105 out
Additionally, Cisco Content Engines or Cisco Cache Engines can be
configured to block "Code Red" associated traffic with a filter ruleset as
Cache Engine/Content Engine
    rule block url-regex .*\.ida.*
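The following is an added illustration, not part of the Cisco advisory, that models the two filtering paths above (NBAR classification, DSCP marking and ACL 105 on the router; the url-regex rule on the Content Engine) over a few constructed HTTP request lines. It assumes NBAR's 'match protocol http url' behaves like a shell-style glob and compares case-insensitively; the request lines are made up, not captured traffic.

```python
import re
from fnmatch import fnmatchcase

# URL wildcards from the class-map; NBAR 'match protocol http url' is modelled
# here as a shell-style glob (an assumption of this example, not IOS internals).
CODERED_URL_GLOBS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]
# The Content Engine rule from the advisory: 'rule block url-regex .*\.ida.*'
CONTENT_ENGINE_BLOCK = re.compile(r".*\.ida.*")
CODERED_DSCP = 1  # decimal DSCP value the policy map sets


def matches_class_map(url):
    """class-map match-any http-codered: any single glob hitting is a match."""
    u = url.lower()  # IIS paths are case-insensitive, so compare the same way
    return any(fnmatchcase(u, g) for g in CODERED_URL_GLOBS)


def mark_inbound(url, dscp=0):
    """service-policy input on the 'outside' interface: rewrite DSCP on a match."""
    return CODERED_DSCP if matches_class_map(url) else dscp


def acl_105(dscp):
    """access-list 105 applied outbound on the 'inside' interface."""
    if dscp == CODERED_DSCP:
        return "deny"    # 'deny ip any any dscp 1 log'
    return "permit"      # 'permit ip any any'


def content_engine(url):
    """Cache/Content Engine url-regex filter; note it blocks every .ida URL."""
    return "block" if CONTENT_ENGINE_BLOCK.fullmatch(url) else "allow"


def evaluate(request_line):
    """Run one HTTP request line through mark -> ACL and the Content Engine rule."""
    _method, url, _version = request_line.split(" ", 2)
    dscp = mark_inbound(url)
    return {"url": url, "dscp": dscp, "router": acl_105(dscp),
            "content_engine": content_engine(url)}


# Constructed sample request lines for illustration only.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNN HTTP/1.0",   # worm probe: marked, denied, blocked
    "GET /scripts/root.exe HTTP/1.0",           # marked and denied by the router
    "GET /index.html HTTP/1.0",                 # ordinary request passes both
    "GET /reports/summary.ida HTTP/1.0",        # passes router, blocked by url-regex
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(evaluate(line))
```

The last sample shows the practical difference between the two workarounds: the router ACL only drops requests matching the three specific URL patterns, while the Content Engine regex blocks any URL containing ".ida", legitimate or not.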