Cisco IOS Software Release 12.2(33)SRE
Caveats for Cisco IOS Release 12.2(33)SRC through 12.2(33)SRC6
OL-10394-05 Rev. R0
Resolved Caveats—Cisco IOS Release 12.2(33)SRC6
Cisco IOS Release 12.2(33)SRC6 is a rebuild release for Cisco IOS Release 12.2(33)SRC. The caveats
in this section are resolved in Cisco IOS Release 12.2(33)SRC6 but may be open in previous Cisco IOS
releases.
• CSCsz71787
Symptoms: A router crashes when it is configured with DLSw.
Conditions: A vulnerability exists in Cisco IOS software when processing UDP and IP protocol 91
packets. This vulnerability does not affect TCP packet processing. A successful exploitation may
result in a reload of the system, leading to a denial of service (DoS) condition.
Cisco IOS devices that are configured for DLSw with the dlsw local-peer command automatically listen for
IP protocol 91 packets. A Cisco IOS device that is configured for DLSw with the dlsw local-peer
peer-id IP-address command listens for IP protocol 91 packets and UDP port 2067.
Cisco IOS devices listen to IP protocol 91 packets when DLSw is configured. However, it is only
used if DLSw is configured for Fast Sequenced Transport (FST). A DLSw FST peer configuration
will contain the following line:
dlsw remote-peer 0 fst ip-address
It is possible to disable UDP processing in DLSw with the dlsw udp-disable command. However,
disabling UDP only prevents the sending of UDP packets; it does not prevent the device from
receiving and processing incoming UDP packets.
Workaround: The workaround consists of filtering UDP packets to port 2067 and IP protocol 91
packets. Filters can be applied at network boundaries to filter all IP protocol 91 packets and UDP
packets to port 2067, or filters can be applied on individual affected devices to permit such traffic
only from trusted peer IP addresses. However, since both of the protocols are connectionless, it is
possible for an attacker to spoof malformed packets from legitimate peer IP addresses.
As soon as DLSw is configured, the Cisco IOS device begins listening on IP protocol 91. However,
this protocol is used only if DLSw is configured for Fast Sequenced Transport (FST). A DLSw FST
peer configuration will contain the following line:
dlsw remote-peer 0 fst ip-address
If FST is used, filtering IP protocol 91 will break the operation, so filters need to permit protocol 91
traffic from legitimate peer IP addresses.
It is possible to disable UDP processing in DLSw with the dlsw udp-disable command. However,
disabling UDP only prevents the sending of UDP packets; it does not prevent the receiving and
processing of incoming UDP packets. To protect a vulnerable device from malicious packets via
UDP port 2067, both of the following actions must be taken:
1. Disable UDP outgoing packets with the dlsw udp-disable command.
2. Filter UDP 2067 in the vulnerable device using infrastructure ACL.
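The two steps above, written out as an IOS configuration. This is an added example, not configuration from the Cisco release notes; the local peer-id 192.0.2.1, the trusted remote peer 192.0.2.10 and the interface name GigabitEthernet0/0 are assumed placeholder values (RFC 5737 test addresses).

```cisco
! Added example, not from the Cisco release notes. Assumed values:
!   local DLSw peer-id        192.0.2.1
!   trusted remote DLSw peer  192.0.2.10
!   untrusted-facing interface GigabitEthernet0/0
!
! Step 1: stop DLSw from sending UDP. As the text notes, this does NOT stop the
! device from receiving and processing UDP/2067, hence the ACL in step 2.
dlsw udp-disable
!
! Step 2: infrastructure ACL. Permit IP protocol 91 (FST) and UDP/2067 only
! from the trusted peer, drop the same traffic from any other source, and leave
! all other traffic untouched. Because both transports are connectionless, a
! spoofed source address still matches the permit lines; the ACL narrows the
! exposure to traffic claiming to come from the peer, it does not remove it.
ip access-list extended DLSW-PROTECT
 remark -- DLSw FST (IP protocol 91) from the trusted peer only
 permit 91 host 192.0.2.10 host 192.0.2.1
 remark -- DLSw UDP port 2067 from the trusted peer only
 permit udp host 192.0.2.10 host 192.0.2.1 eq 2067
 remark -- protocol 91 / UDP 2067 from anyone else is dropped and logged
 deny 91 any any log
 deny udp any any eq 2067 log
 remark -- do not disturb other traffic
 permit ip any any
!
! Apply inbound on the interface(s) facing untrusted networks.
interface GigabitEthernet0/0
 ip access-group DLSW-PROTECT in
!
! Verification: the deny-line hit counters show blocked DLSw traffic, and the
! peer table confirms the legitimate peer is still connected.
!   show ip access-lists DLSW-PROTECT
!   show dlsw peers
```

If the device has no FST peer (no dlsw remote-peer 0 fst line), the protocol 91 permit line can be left out so that protocol 91 is dropped from every source. Logging on the deny lines is subject to the platform's ACL logging rate limit, so the counters, not the syslog messages, are the reliable measure of how much traffic was blocked.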
* Using Control Plane Policing on Affected Devices