Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞，这些漏洞不影响TCP报文处理，成功攻击可能导致系统重启或设备内存泄露，造成拒绝服务的情况。
发布日期：2008-03-26 更新日期：2008-04-08 受影响系统： Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 描述： -------------------------------------------------------------------------------- BUGTRAQ ID: 28465 CVE(CAN) ID: CVE-2008-1152 Cisco IOS是思科网络设备中所使用的互联网操作系统。 数据-链路交换（DLSw）允许通过IP网络传输IBM系统网络架构（SNA）和网络基本输入/输出系统（NetBIOS）通讯。Cisco的DLSw实现还使用UDP 2067端口和IP 91协 议进行快速顺序传输（FST）。 Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞，这些漏洞不影响TCP报文处理，成功攻击可能导致系统重启或设备内存泄露，造成拒绝服务的情况。 <*来源：Cisco安全公告 链接：http://secunia.com/advisories/29507/ http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml http://www.us-cert.gov/cas/techalerts/TA08-087B.html *> 建议： -------------------------------------------------------------------------------- 临时解决方法： * 如下配置iACL
!--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
    !--- from trusted hosts destined to infrastructure addresses.
   
    access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
    access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
   
    !--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from
    !--- all other sources destined to infrastructure addresses.
   
    access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
    access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK
   
    !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
    !--- with existing security policies and configurations
    !--- Permit all other traffic to transit the device.
   
    access-list 150 permit ip any any
    interface serial 2/0
     ip access-group 150 in
* 如下配置控制面整形（CoPP）
!--- Deny DLSw traffic from trusted hosts to all IP addresses
    !--- configured on all interfaces of the affected device so that
    !--- it will be allowed by the CoPP feature
   
    access-list 111 deny udp host 192.168.100.1 any eq 2067
    access-list 111 deny 91 host 192.168.100.1 any
   
    !--- Permit all other DLSw traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so that it
    !--- will be policed and dropped by the CoPP feature
   
    access-list 111 permit udp any any eq 2067
    access-list 111 permit 91 any any
   
    !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
    !--- traffic in accordance with existing security policies and
    !--- configurations for traffic that is authorized to be sent
    !--- to infrastructure devices
    !--- Create a Class-Map for traffic to be policed by
    !--- the CoPP feature
   
    class-map match-all drop-DLSw-class
     match access-group 111
   
    !--- Create a Policy-Map that will be applied to the
    !--- Control-Plane of the device.
   
    policy-map drop-DLSw-traffic
     class drop-DLSw-class
      drop
   
    !--- Apply the Policy-Map to the Control-Plane of the
    !--- device
   
    control-plane
     service-policy input drop-DLSw-traffic
请注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同：
policy-map drop-DLSw-traffic
     class drop-DLSw-class
      police 32000 1500 1500 conform-action drop exceed-action drop
厂商补丁： Cisco ----- Cisco已经为此发布了一个安全公告（cisco-sa-20080326-dlsw）以及相应补丁: cisco-sa-20080326-dlsw：Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS 链接：http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml


来源：https://www.jb51.net/hack/5411.html
免责声明：如果侵犯了您的权益，请联系站长，我们会及时删除侵权内容，谢谢合作！