Cisco 操作系統IOS存在DLSw拒絕服務漏洞

News

Cisco 操作系統IOS存在DLSw拒絕服務漏洞

【綠盟科技授權，賽迪發佈，謝絕任何網站轉載，違者，賽迪網將保留追究其法律責任的權利！】

【賽迪網-IT技術報道】Cisco IOS在處理UDP和IP 91協議報文時存在多個漏洞，這些漏洞不影響TCP報文處理，成功攻擊可能導致系統重啟或設備記憶體洩露，造成拒絕服務的情況。

發佈日期：2008-03-26

更新日期：2008-04-08

受影響系統：

Cisco IOS 12.4

Cisco IOS 12.3

Cisco IOS 12.2

Cisco IOS 12.1

Cisco IOS 12.0

描述：

--------------------------------------------------------------------------------

BUGTRAQ ID: 28465

CVE(CAN) ID: CVE-2008-1152

Cisco IOS是思科網絡設備中所使用的互聯網操作系統。

資料-鏈路交換（DLSw）允許通過IP網絡傳輸IBM系統網絡架構（SNA）和網絡基本輸入/輸出系統（NetBIOS）通訊。Cisco的DLSw實現還使用UDP 2067端口和IP 91協議進行快速順序傳輸（FST）。

Cisco IOS在處理UDP和IP 91協議報文時存在多個漏洞，這些漏洞不影響TCP報文處理，成功攻擊可能導致系統重啟或設備記憶體洩露，造成拒絕服務的情況。

<*來源：Cisco安全公告

鏈接：http://secunia.com/advisories/29507/

http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

http://www.us-cert.gov/cas/techalerts/TA08-087B.html

建議：

--------------------------------------------------------------------------------

臨時解決方法：

* 如下配置iACL

!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets    !--- from trusted hosts destined to infrastructure addresses.        access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067    access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK         !--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from     !--- all other sources destined to infrastructure addresses.        access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067    access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK        !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance    !--- with existing security policies and configurations    !--- Permit all other traffic to transit the device.        access-list 150 permit ip any any    interface serial 2/0     ip access-group 150 in

* 如下配置控制面整形（CoPP）

!--- Deny DLSw traffic from trusted hosts to all IP addresses    !--- configured on all interfaces of the affected device so that    !--- it will be allowed by the CoPP feature        access-list 111 deny udp host 192.168.100.1 any eq 2067    access-list 111 deny 91 host 192.168.100.1 any        !--- Permit all other DLSw traffic sent to all IP addresses    !--- configured on all interfaces of the affected device so that it    !--- will be policed and dropped by the CoPP feature        access-list 111 permit udp any any eq 2067    access-list 111 permit 91 any any         !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4    !--- traffic in accordance with existing security policies and    !--- configurations for traffic that is authorized to be sent    !--- to infrastructure devices    !--- Create a Class-Map for traffic to be policed by    !--- the CoPP feature        class-map match-all drop-DLSw-class     match access-group 111        !--- Create a Policy-Map that will be applied to the    !--- Control-Plane of the device.        policy-map drop-DLSw-traffic     class drop-DLSw-class      drop        !--- Apply the Policy-Map to the Control-Plane of the    !--- device        control-plane     service-policy input drop-DLSw-traffic

請注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同：

policy-map drop-DLSw-traffic     class drop-DLSw-class      police 32000 1500 1500 conform-action drop exceed-action drop

廠商補丁：

Cisco

-----

Cisco已經為此發佈了一個安全公告（cisco-sa-20080326-dlsw）以及相應補丁:

cisco-sa-20080326-dlsw：Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS

鏈接：http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml

(

回上頁回首頁

免費客服專線

0800-600-386

【直營地點】
台北資料救援：115台北市南港區三重路19-11號E棟(南港軟體園區)
新竹資料救援：300新竹市東區光復路二段156號
新竹科學園區資料救援：新竹科學工業園區新安路5號4樓 (鴻海大樓裡面)
台南資料救援：700台南市中西區北門路一段57號 TEL:06-505-0005