Cisco 操作系统IOS存在DLSw拒绝服务漏洞
发布日期:2008-03-26
更新日期:2008-04-08
受影响系统:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 28465
CVE(CAN) ID: CVE-2008-1152
Cisco IOS是思科网络设备中所使用的互联网操作系统。
数据-链路交换(DLSw)允许通过IP网络传输IBM系统网络架构(SNA)和网络基本输入/输出系统(NetBIOS)通讯。Cisco的DLSw实现还使用UDP 2067端口和IP 91协 议进行快速顺序传输(FST)。
Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功安全可能导致系统重启或设备内存泄露,造成拒绝服务的情况。
<*来源:Cisco安全公告
链接:http://secunia.com/advisories/29507/
http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml
http://www.us-cert.gov/cas/techalerts/TA08-087B.html
*>
建议:
--------------------------------------------------------------------------------
临时解决方法:
* 如下配置iACL
!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets !--- from trusted hosts destined to infrastructure addresses. access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067 access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK !--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from !--- all other sources destined to infrastructure addresses. access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067 access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance !--- with existing security policies and configurations !--- Permit all other traffic to transit the device. access-list 150 permit ip any any interface serial 2/0 ip access-group 150 in
* 如下配置控制面整形(CoPP)
!--- Deny DLSw traffic from trusted hosts to all IP addresses !--- configured on all interfaces of the affected device so that !--- it will be allowed by the CoPP feature access-list 111 deny udp host 192.168.100.1 any eq 2067 access-list 111 deny 91 host 192.168.100.1 any !--- Permit all other DLSw traffic sent to all IP addresses !--- configured on all interfaces of the affected device so that it !--- will be policed and dropped by the CoPP feature access-list 111 permit udp any any eq 2067 access-list 111 permit 91 any any !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4 !--- traffic in accordance with existing security policies and !--- configurations for traffic that is authorized to be sent !--- to infrastructure devices !--- Create a Class-Map for traffic to be policed by !--- the CoPP feature class-map match-all drop-DLSw-class match access-group 111 !--- Create a Policy-Map that will be applied to the !--- Control-Plane of the device. policy-map drop-DLSw-traffic class drop-DLSw-class drop !--- Apply the Policy-Map to the Control-Plane of the !--- device control-plane service-policy input drop-DLSw-traffic
请注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同:
policy-map drop-DLSw-traffic class drop-DLSw-class police 32000 1500 1500 conform-action drop exceed-action drop
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(cisco-sa-20080326-dlsw)以及相应补丁:
cisco-sa-20080326-dlsw:Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
链接:http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml