Cisco 操作系统IOS存在DLSw拒绝服务漏洞
张芳涛 2008-10-07
Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。
发布日期:2008-03-26 更新日期:2008-04-08 受影响系统: Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 28465 CVE(CAN) ID: CVE-2008-1152 Cisco IOS是思科网络设备中所使用的互联网操作系统。 数据-链路交换(DLSw)允许通过IP网络传输IBM系统网络架构(SNA)和网络基本输入/输出系统(NetBIOS)通讯。Cisco的DLSw实现还使用UDP 2067端口和IP 91协 议进行快速顺序传输(FST)。 Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。 <*来源:Cisco安全公告 链接:http://secunia.com/advisories/29507/ http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml http://www.us-cert.gov/cas/techalerts/TA08-087B.html *> 建议: -------------------------------------------------------------------------------- 临时解决方法: * 如下配置iACL
!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
!--- from trusted hosts destined to infrastructure addresses.
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
!--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from
!--- all other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
ip access-group 150 in
* 如下配置控制面整形(CoPP)
!--- Deny DLSw traffic from trusted hosts to all IP addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the CoPP feature
access-list 111 deny udp host 192.168.100.1 any eq 2067
access-list 111 deny 91 host 192.168.100.1 any
!--- Permit all other DLSw traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any any eq 2067
access-list 111 permit 91 any any
!--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-DLSw-class
match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-DLSw-traffic
class drop-DLSw-class
drop
!--- Apply the Policy-Map to the Control-Plane of the
!--- device
control-plane
service-policy input drop-DLSw-traffic
请注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同:
policy-map drop-DLSw-traffic
class drop-DLSw-class
police 32000 1500 1500 conform-action drop exceed-action drop
厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20080326-dlsw)以及相应补丁: cisco-sa-20080326-dlsw:Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS 链接:http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
发布日期:2008-03-26 更新日期:2008-04-08 受影响系统: Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 28465 CVE(CAN) ID: CVE-2008-1152 Cisco IOS是思科网络设备中所使用的互联网操作系统。 数据-链路交换(DLSw)允许通过IP网络传输IBM系统网络架构(SNA)和网络基本输入/输出系统(NetBIOS)通讯。Cisco的DLSw实现还使用UDP 2067端口和IP 91协 议进行快速顺序传输(FST)。 Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。 <*来源:Cisco安全公告 链接:http://secunia.com/advisories/29507/ http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml http://www.us-cert.gov/cas/techalerts/TA08-087B.html *> 建议: -------------------------------------------------------------------------------- 临时解决方法: * 如下配置iACL
!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
!--- from trusted hosts destined to infrastructure addresses.
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
!--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from
!--- all other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
ip access-group 150 in
* 如下配置控制面整形(CoPP)
!--- Deny DLSw traffic from trusted hosts to all IP addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the CoPP feature
access-list 111 deny udp host 192.168.100.1 any eq 2067
access-list 111 deny 91 host 192.168.100.1 any
!--- Permit all other DLSw traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any any eq 2067
access-list 111 permit 91 any any
!--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-DLSw-class
match access-group 111
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-DLSw-traffic
class drop-DLSw-class
drop
!--- Apply the Policy-Map to the Control-Plane of the
!--- device
control-plane
service-policy input drop-DLSw-traffic
请注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同:
policy-map drop-DLSw-traffic
class drop-DLSw-class
police 32000 1500 1500 conform-action drop exceed-action drop
厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20080326-dlsw)以及相应补丁: cisco-sa-20080326-dlsw:Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS 链接:http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
相关推荐
leitingdulante 0喜欢 / 0评论 2020-11-03
huangkun 0喜欢 / 10评论 2020-10-22
leitingdulante 0喜欢 / 0评论 2020-10-21
硬币0 0喜欢 / 0评论 2020-10-15
moses 0喜欢 / 0评论 2020-09-22
leitingdulante 0喜欢 / 0评论 2020-09-22
ZuoYanDeHuangHun 0喜欢 / 0评论 2020-09-18
chsoft 0喜欢 / 0评论 2020-09-17
fanxiaoxuan 0喜欢 / 0评论 2020-09-17
惠秀宝 0喜欢 / 0评论 2020-09-08
zhousanzhou 0喜欢 / 0评论 2020-08-26
MatrixHero 0喜欢 / 0评论 2020-08-20
xjp 0喜欢 / 0评论 2020-08-17
定格 0喜欢 / 0评论 2020-08-15
Mryiyi 0喜欢 / 0评论 2020-08-07
好好学习天天 0喜欢 / 0评论 2020-07-28
好好学习天天 0喜欢 / 0评论 2020-07-21
Mryiyi 0喜欢 / 0评论 2020-07-08
RocketJ 0喜欢 / 0评论 2020-07-03
ntfsformac 0喜欢 / 0评论 2020-06-23
Terminator0 0喜欢 / 0评论 2020-06-21
zhoutaifeng 0喜欢 / 0评论 2020-06-17
定格 0喜欢 / 0评论 2020-06-16
Oudasheng 0喜欢 / 0评论 2020-06-13
好好学习天天 0喜欢 / 0评论 2020-06-13
好好学习天天 0喜欢 / 0评论 2020-06-12
huningjun 0喜欢 / 0评论 2020-06-12
jscjxysx 0喜欢 / 0评论 2020-06-10
zhoutaifeng 0喜欢 / 0评论 2020-06-07
Charliewolf 0喜欢 / 0评论 2020-06-05
applecarelte 0喜欢 / 0评论 2020-06-05
NineYao 0喜欢 / 0评论 2020-06-04
fanxiaoxuan 0喜欢 / 0评论 2020-06-03
suweierxing 0喜欢 / 0评论 2020-06-02
APCDE 0喜欢 / 0评论 2020-05-31
定格 0喜欢 / 0评论 2020-05-30
疯狂紫萧 0喜欢 / 0评论 2020-05-29
我爱编程 0喜欢 / 0评论 2020-05-21
ITDHW 0喜欢 / 0评论 2020-05-20
moses 0喜欢 / 0评论 2020-05-18
heqiang0 0喜欢 / 0评论 2020-05-10
yaneng 0喜欢 / 0评论 2020-05-09
好好学习天天 0喜欢 / 0评论 2020-05-08
唠叨的老黑 0喜欢 / 0评论 2020-05-08
chenxiangpeng 0喜欢 / 0评论 2020-04-30
Terminator0 0喜欢 / 0评论 2020-04-29
ZuoYanDeHuangHun 0喜欢 / 0评论 2020-04-29
heqiang0 0喜欢 / 0评论 2020-04-22
定格 0喜欢 / 0评论 2020-04-21
zhoutaifeng 0喜欢 / 0评论 2020-04-17