Cisco IOS DLSw Denial of Service Vulnerabilities
程序员文章站
2022-03-29 11:05:42
Cisco IOS contains multiple vulnerabilities in its handling of UDP and IP protocol 91 packets. These vulnerabilities do not affect TCP packet processing. A successful attack may cause the device to reload or leak memory, resulting in a denial of service.
Release date: 2008-03-26
Last updated: 2008-04-08

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 28465
CVE(CAN) ID: CVE-2008-1152

Cisco IOS is the Internetwork Operating System used on Cisco network devices.

Data-Link Switching (DLSw) allows IBM Systems Network Architecture (SNA) and Network Basic Input/Output System (NetBIOS) traffic to be transported over IP networks. Cisco's DLSw implementation also uses UDP port 2067 and IP protocol 91 for Fast Sequenced Transport (FST).

Cisco IOS contains multiple vulnerabilities in its handling of UDP and IP protocol 91 packets. These vulnerabilities do not affect TCP packet processing. A successful attack may cause the device to reload or leak memory, resulting in a denial of service.

<*Source: Cisco security advisory
  Links: http://secunia.com/advisories/29507/
         http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
         http://www.us-cert.gov/cas/techalerts/ta08-087b.html
*>

Recommendation:
--------------------------------------------------------------------------------
Workarounds:

* Configure an infrastructure ACL (iACL) as follows:
!--- permit dlsw (udp port 2067 and ip protocol 91) packets
!--- from trusted hosts destined to infrastructure addresses.
access-list 150 permit udp trusted_hosts mask infrastructure_addresses mask eq 2067
access-list 150 permit 91 trusted_hosts mask infrastructure_addresses mask
!--- deny dlsw (udp port 2067 and ip protocol 91) packets from
!--- all other sources destined to infrastructure addresses.
access-list 150 deny udp any infrastructure_addresses mask eq 2067
access-list 150 deny 91 any infrastructure_addresses mask
!--- permit/deny all other layer 3 and layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in
* Configure Control Plane Policing (CoPP) as follows:
!--- deny dlsw traffic from trusted hosts to all ip addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the copp feature
access-list 111 deny udp host 192.168.100.1 any eq 2067
access-list 111 deny 91 host 192.168.100.1 any
!--- permit all other dlsw traffic sent to all ip addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the copp feature
access-list 111 permit udp any any eq 2067
access-list 111 permit 91 any any
!--- permit (police or drop)/deny (allow) all other layer 3 and layer 4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- create a class-map for traffic to be policed by
!--- the copp feature
class-map match-all drop-dlsw-class
 match access-group 111
!--- create a policy-map that will be applied to the
!--- control-plane of the device.
policy-map drop-dlsw-traffic
 class drop-dlsw-class
  drop
!--- apply the policy-map to the control-plane of the
!--- device
control-plane
 service-policy input drop-dlsw-traffic
Note that the policy-map syntax differs on the Cisco IOS 12.2S and 12.0S trains:
policy-map drop-dlsw-traffic
 class drop-dlsw-class
  police 32000 1500 1500 conform-action drop exceed-action drop
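As an added illustration (not part of the advisory and not Cisco's own code), the following Python script models both workarounds above as first-match ACLs: it generates the iACL 150 entries for a list of trusted hosts and infrastructure prefixes, generates the CoPP classifier ACL 111, renders both in Cisco syntax, and evaluates sample packets to confirm that DLSw over UDP 2067 or IP protocol 91 from an untrusted source is blocked while trusted DLSw peers and unrelated transit traffic (including DLSw over TCP, which the advisory says is unaffected) pass. The trusted host 192.168.100.1 is taken from the CoPP example; the infrastructure prefix 192.0.2.0/24 and the untrusted source 203.0.113.7 are constructed sample values. The evaluator is a simplification of real IOS ACL processing: it handles only protocol, source, destination and an `eq` port, not port ranges, `established`, or other options.

```python
"""Model the advisory's DLSw workarounds (iACL 150 and CoPP classifier ACL 111)
as first-match ACLs and evaluate sample packets against them.
Added example; not Cisco's code. Sample addresses other than 192.168.100.1
are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
DLSW_UDP_PORT = 2067    # DLSw FST over UDP
DLSW_FST_PROTO = "91"   # DLSw FST directly over IP protocol 91


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp", "tcp", "91", ...
    dport: Optional[int] = None  # destination port for udp/tcp


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; otherwise exact match
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # 'eq <port>' qualifier, only for udp/tcp entries

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        return self.dport is None or self.dport == pkt.dport


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Cisco ACLs are first-match; anything unmatched hits the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def build_dlsw_iacl(trusted_hosts, infra_nets) -> List[AclEntry]:
    """Mirror of access-list 150: permit DLSw from trusted hosts to infrastructure
    addresses, deny DLSw from anyone else to infrastructure, permit other transit."""
    trusted = [ipaddress.ip_network(h) for h in trusted_hosts]
    infra = [ipaddress.ip_network(n) for n in infra_nets]
    acl = []
    for th in trusted:
        for net in infra:
            acl.append(AclEntry("permit", "udp", th, net, DLSW_UDP_PORT))
            acl.append(AclEntry("permit", DLSW_FST_PROTO, th, net))
    for net in infra:
        acl.append(AclEntry("deny", "udp", ANY, net, DLSW_UDP_PORT))
        acl.append(AclEntry("deny", DLSW_FST_PROTO, ANY, net))
    acl.append(AclEntry("permit", "ip", ANY, ANY))
    return acl


def build_copp_classifier(trusted_hosts) -> List[AclEntry]:
    """Mirror of access-list 111. Semantics are inverted: 'permit' selects traffic
    for the drop class, 'deny' exempts trusted DLSw peers from the policer."""
    acl = []
    for th in (ipaddress.ip_network(h) for h in trusted_hosts):
        acl.append(AclEntry("deny", "udp", th, ANY, DLSW_UDP_PORT))
        acl.append(AclEntry("deny", DLSW_FST_PROTO, th, ANY))
    acl.append(AclEntry("permit", "udp", ANY, ANY, DLSW_UDP_PORT))
    acl.append(AclEntry("permit", DLSW_FST_PROTO, ANY, ANY))
    return acl


def copp_dropped(classifier: List[AclEntry], pkt: Packet) -> bool:
    """True if the packet lands in drop-dlsw-class; unmatched traffic goes to class-default."""
    return evaluate(classifier, pkt) == "permit"


def cisco_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"  # IOS uses wildcard masks


def render(acl: List[AclEntry], number: int) -> List[str]:
    """Emit the entries in 'access-list <n> ...' syntax for comparison with show access-lists."""
    lines = []
    for e in acl:
        parts = [f"access-list {number}", e.action, e.proto, cisco_addr(e.src), cisco_addr(e.dst)]
        if e.dport is not None:
            parts.append(f"eq {e.dport}")
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    iacl = build_dlsw_iacl(["192.168.100.1/32"], ["192.0.2.0/24"])
    copp = build_copp_classifier(["192.168.100.1/32"])
    print("\n".join(render(iacl, 150)))
    print("\n".join(render(copp, 111)))
    for pkt in (Packet("192.168.100.1", "192.0.2.1", "udp", 2067),
                Packet("203.0.113.7", "192.0.2.1", "udp", 2067),
                Packet("203.0.113.7", "192.0.2.1", "91"),
                Packet("203.0.113.7", "192.0.2.1", "tcp", 2065)):
        print(pkt, "iACL:", evaluate(iacl, pkt), "CoPP drop:", copp_dropped(copp, pkt))
```

Running the script prints the rendered ACL lines and a verdict per sample packet. The rendered form is useful for diffing against `show access-lists` on the device before and after the change, and the evaluator gives a quick answer for any (source, destination, protocol, port) tuple that operations asks about, such as whether a legitimate DLSw peer that was forgotten in the trusted-host list would be cut off.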
Vendor patch:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20080326-dlsw) and corresponding patches for this issue:

cisco-sa-20080326-dlsw: Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml