• 设为首页
  • 收藏本站
  • 积分充值
  • VIP赞助
  • 手机版
  • 微博
  • 微信
    微信公众号 添加方式:
    1:搜索微信号(888888
    2:扫描左侧二维码
  • 快捷导航
    福建二哥 门户 查看主题

    Cisco 操作系统IOS存在DLSw拒绝服务漏洞

    发布者: 酸菜鱼 | 发布时间: 2025-6-28 22:56| 查看数: 85| 评论数: 0|帖子模式

    Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。
    发布日期:2008-03-26 更新日期:2008-04-08 受影响系统: Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 描述: -------------------------------------------------------------------------------- BUGTRAQ ID: 28465 CVE(CAN) ID: CVE-2008-1152 Cisco IOS是思科网络设备中所使用的互联网操作系统。 数据-链路交换(DLSw)允许通过IP网络传输IBM系统网络架构(SNA)和网络基本输入/输出系统(NetBIOS)通讯。Cisco的DLSw实现还使用UDP 2067端口和IP 91协 议进行快速顺序传输(FST)。 Cisco IOS在处理UDP和IP 91协议报文时存在多个漏洞,这些漏洞不影响TCP报文处理,成功攻击可能导致系统重启或设备内存泄露,造成拒绝服务的情况。 <*来源:Cisco安全公告 链接:http://secunia.com/advisories/29507/ http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml http://www.us-cert.gov/cas/techalerts/TA08-087B.html *> 建议: -------------------------------------------------------------------------------- 临时解决方法: * 如下配置iACL
    !--- Permit DLSw (UDP port 2067 and IP protocol 91) packets
        !--- from trusted hosts destined to infrastructure addresses.
       
        access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2067
        access-list 150 permit 91 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
       
        !--- Deny DLSw (UDP port 2067 and IP protocol 91) packets from
        !--- all other sources destined to infrastructure addresses.
       
        access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2067
        access-list 150 deny 91 any INFRASTRUCTURE_ADDRESSES MASK
       
        !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
        !--- with existing security policies and configurations
        !--- Permit all other traffic to transit the device.
       
        access-list 150 permit ip any any
        interface serial 2/0
         ip access-group 150 in
    * 如下配置控制面整形(CoPP)
    !--- Deny DLSw traffic from trusted hosts to all IP addresses
        !--- configured on all interfaces of the affected device so that
        !--- it will be allowed by the CoPP feature
       
        access-list 111 deny udp host 192.168.100.1 any eq 2067
        access-list 111 deny 91 host 192.168.100.1 any
       
        !--- Permit all other DLSw traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so that it
        !--- will be policed and dropped by the CoPP feature
       
        access-list 111 permit udp any any eq 2067
        access-list 111 permit 91 any any
       
        !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
        !--- traffic in accordance with existing security policies and
        !--- configurations for traffic that is authorized to be sent
        !--- to infrastructure devices
        !--- Create a Class-Map for traffic to be policed by
        !--- the CoPP feature
       
        class-map match-all drop-DLSw-class
         match access-group 111
       
        !--- Create a Policy-Map that will be applied to the
        !--- Control-Plane of the device.
       
        policy-map drop-DLSw-traffic
         class drop-DLSw-class
          drop
       
        !--- Apply the Policy-Map to the Control-Plane of the
        !--- device
       
        control-plane
         service-policy input drop-DLSw-traffic
    请注意在Cisco IOS 12.2S和12.0S系列中policy-map句法有所不同:
    policy-map drop-DLSw-traffic
         class drop-DLSw-class
          police 32000 1500 1500 conform-action drop exceed-action drop
    厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20080326-dlsw)以及相应补丁: cisco-sa-20080326-dlsw:Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS 链接:http://www.cisco.com/warp/public/707/cisco-sa-20080326-dlsw.shtml


    来源:https://www.jb51.net/hack/5411.html
    免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!

    最新评论

    浏览过的版块

    QQ Archiver 手机版 小黑屋 福建二哥 ( 闽ICP备2022004717号|闽公网安备35052402000345号 )

    Powered by Discuz! X3.5 © 2001-2023

    快速回复 返回顶部 返回列表