Chinaunix首页 | 论坛 | 博客
  • 博客访问: 3178714
  • 博文数量: 797
  • 博客积分: 10134
  • 博客等级: 上将
  • 技术积分: 9335
  • 用 户 组: 普通用户
  • 注册时间: 2006-06-22 22:57
个人简介

1

文章分类

全部博文(797)

文章存档

2022年(1)

2021年(2)

2017年(2)

2016年(1)

2015年(4)

2014年(1)

2013年(6)

2012年(6)

2011年(10)

2010年(26)

2009年(63)

2008年(61)

2007年(51)

2006年(563)

我的朋友

分类:

2008-04-15 11:01:37

Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。

发布日期:2008-03-26

更新日期:2008-04-08

受影响系统:

Cisco IOS 12.4

Cisco IOS 12.3

Cisco IOS 12.2

Cisco IOS 12.1

Cisco IOS 12.0

描述:

--------------------------------------------------------------------------------

BUGTRAQ ID: 28465

CVE(CAN) ID: CVE-2008-1152

Cisco IOS是思科网络设备中所使用的互联网操作系统。

数据-链路交换(DLSw)允许通过IP网络传输IBM系统网络架构(SNA)和网络基本输入/输出系统(NetBIOS)通讯。Cisco的DLSw实现还使用UDP 2067端口和IP 91协 议进行快速顺序传输(FST)。

Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。

<*来源:Cisco安全公告

链接:http://secunia.com/advisories/29507/

*>

建议:

--------------------------------------------------------------------------------

临时解决方法:

* 如下配置iACL

!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
    !--- from trusted hosts destined to infrastructure addresses.
    
    access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
    access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK 
    
    !--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from 
    !--- all other sources destined to infrastructure addresses.
    
    access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
    access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK
    
    !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
    !--- with existing security policies and configurations
    !--- Permit all other traffic to transit the device.
    
    access-list 150 permit ip any any
    interface serial 2/0
     ip access-group 150 in

* 如下配置控制面整形(CoPP)

!--- Deny DLSw traffic from trusted hosts to all IP addresses
    !--- configured on all interfaces of the affected device so that
    !--- it will be allowed by the CoPP feature
    
    access-list 111 deny udp host 192.168.100.1 any eq 2067
    access-list 111 deny 91 host 192.168.100.1 any
    
    !--- Permit all other DLSw traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so that it
    !--- will be policed and dropped by the CoPP feature
    
    access-list 111 permit udp any any eq 2067
    access-list 111 permit 91 any any 
    
    !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
    !--- traffic in accordance with existing security policies and
    !--- configurations for traffic that is authorized to be sent
    !--- to infrastructure devices
    !--- Create a Class-Map for traffic to be policed by
    !--- the CoPP feature
    
    class-map match-all drop-DLSw-class
     match access-group 111
    
    !--- Create a Policy-Map that will be applied to the
    !--- Control-Plane of the device.
    
    policy-map drop-DLSw-traffic
     class drop-DLSw-class
      drop
    
    !--- Apply the Policy-Map to the Control-Plane of the
    !--- device
    
    control-plane
     service-policy input drop-DLSw-traffic

请注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同:

policy-map drop-DLSw-traffic
     class drop-DLSw-class
      police 32000 1500 1500 conform-action drop exceed-action drop

厂商补丁:

Cisco

-----

Cisco已经为此发布了一个安全公告(cisco-sa-20080326-dlsw)以及相应补丁:

cisco-sa-20080326-dlsw:Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

链接:

阅读(1207) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~