User guide
32 Release Notes for Cisco 2500 Series for Cisco IOS Release 12.0 T
Important Notes
The following example shows a possible access list for a three-interface router, along with the
configuration commands needed to apply the list. The example assumes input filtering is not needed,
other than as a workaround for this problem:
! Deny all multicasts, and all unspecified-net broadcasts, to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
ip address 172.16.1.1 255.255.255.0
ip access-group 101 in
interface ethernet 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
interface ethernet 3
ip address 172.16.3.3 255.255.255.0
ip access-group 101 in
Listing all possible addresses—especially all possible broadcast addresses—to which attack packets
may be sent is complicated. If you do not need to forward any legitimate syslog traffic received on
an interface, you can block all syslog traffic arriving on that interface. Remember that blocking will
affect traffic routed through the Cisco IOS device as well as traffic destined to the device; if the IOS
device is expected to forward syslog packets, you will have to do the detailed filtering. Because input
access lists impact system performance, install them with caution—especially on systems running
very near their capacity.
Software Versions and Fixes
Many Cisco software images have been or will be specially reissued to correct this vulnerability. For
example, regular released Cisco IOS version 12.0(2) is vulnerable, as are interim versions 12.0(2.1)
through 12.0(2.3). The first fixed interim version of Release12.0 mainline software is
Release12.0(2.4). However, a special release, 12.0(2a), contains only the fix for this vulnerability
and does not include any other bug fixes from later 12.0 interim releases.
If you are running Release 12.0(2) and want to fix this problem without risking possible instability
presented by installing the 12.0(2.4) interim release, you can upgrade to Release 12.0(2a). Release
12.0(2a) is a “code branch” from the Release 12.0(2) base, which will merge back into the
Release 12.0 mainline at Release 12.0(2.4).
Special releases, like 12.0(2a), are one-time, spot fixes, and they will not be maintained. Thus, the
upgrade path from Release 12.0(2a) is to Release 12.0(3).
Table 7 specifies information about affected and repaired software versions.