Release Notes for Cisco 2500 Series for Cisco IOS Release 12.0 T
78-5563-07 Rev.H0
Important Notes
Give the URL of this notice (http://www.cisco.com/warp/public/770/iossyslog-pub.shtml) as evidence
for a free update. Non-contract customers must request free updates through the TAC. Please do not
contact either “psirt@cisco.com” or “security-alert@cisco.com” for software updates.
Workarounds
You can work around this vulnerability by preventing any affected Cisco IOS device from receiving or
processing UDP datagrams addressed to its port 514. This can be done either by using packet filtering
on surrounding devices, or by using input access list filtering on the affected IOS device itself.
If you use an input access list, apply that list to all interfaces to which attackers may be able to send
datagrams. Interfaces include not only physical LAN and WAN interfaces but also virtual subinterfaces
of those physical interfaces, as well as virtual interfaces and interface templates corresponding to GRE,
L2TP, L2F, and other tunneling protocols.
The input access list must block traffic destined for UDP port 514 at any of the Cisco IOS device’s own
IP addresses, as well as at any broadcast or multicast addresses on which the Cisco IOS device may be
listening. Be sure to block both old-style “all-zeros” broadcasts and new-style “all-ones” broadcasts. It
is not necessary to block traffic being forwarded to other hosts—only traffic actually addressed to the
Cisco IOS device is of interest.
No single input access list works in all configurations. Know the effect of your access list in your
specific configuration before activating it.
The following example shows a possible access list for a three-interface router, along with the
configuration commands needed to apply the list. The example assumes input filtering is not needed,
other than as a workaround for this problem:
! Deny all multicasts, and all unspecified-net broadcasts, to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
interface ethernet 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
interface ethernet 3
 ip address 172.16.3.3 255.255.255.0
 ip access-group 101 in
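The following is an added example, not part of the release note: a short Python script that generates the workaround access list for any set of interface addresses and masks (the note's three-interface router is embedded as sample input) and evaluates candidate datagrams against it with IOS first-match and wildcard-mask semantics, so the list's effect in your configuration can be checked before it is activated. It emits one host entry per subnet broadcast and network address instead of the summarized wildcard entries above; the function names and entry layout are the example's own.

```python
import ipaddress

# Constructed sample input: the three-interface router from the release note.
SAMPLE_INTERFACES = [("172.16.1.1", "255.255.255.0"),
                     ("172.16.2.1", "255.255.255.0"),
                     ("172.16.3.3", "255.255.255.0")]

def _i(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    return (_i(addr) | _i(wildcard)) == (_i(base) | _i(wildcard))

def build_acl(interfaces, port=514):
    # Each entry: (action, protocol, dst base, dst wildcard, dst port or None).
    aces = [("deny", "udp", "224.0.0.0", "31.255.255.255", port),  # multicast and 255.255.255.255
            ("deny", "udp", "0.0.0.0", "0.0.0.0", port)]          # old-style all-zeros broadcast
    for ip, mask in interfaces:
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        aces.append(("deny", "udp", str(net.broadcast_address), "0.0.0.0", port))  # new-style
        aces.append(("deny", "udp", str(net.network_address), "0.0.0.0", port))    # old-style
    for ip, _ in interfaces:
        aces.append(("deny", "udp", ip, "0.0.0.0", port))  # the device's own addresses
    aces.append(("permit", "ip", "0.0.0.0", "255.255.255.255", None))  # forwarded traffic
    return aces

def render(aces, number=101):
    # Print the entries in IOS numbered access-list syntax.
    lines = []
    for action, proto, base, wc, port in aces:
        if wc == "255.255.255.255":
            dst = "any"
        elif wc == "0.0.0.0":
            dst = f"host {base}"
        else:
            dst = f"{base} {wc}"
        suffix = f" eq {port}" if port is not None else ""
        lines.append(f"access-list {number} {action} {proto} any {dst}{suffix}")
    return lines

def evaluate(aces, dst_ip, proto, dst_port):
    # First matching entry decides; an empty match falls to the implicit deny.
    for action, aproto, base, wc, port in aces:
        if aproto not in ("ip", proto):
            continue
        if port is not None and port != dst_port:
            continue
        if wildcard_match(dst_ip, base, wc):
            return action
    return "deny"

if __name__ == "__main__":
    acl = build_acl(SAMPLE_INTERFACES)
    print("\n".join(render(acl)))
    print(evaluate(acl, "172.16.1.1", "udp", 514), evaluate(acl, "172.16.1.50", "udp", 514))
```

Run it after editing SAMPLE_INTERFACES to your own interface addresses; every address the device itself answers on (including subinterfaces and tunnel interfaces) must appear in that list.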