Published: 2001-12-06 00:00:00
Revised: 2008-09-05 16:25:06

[Original] Cisco 12000 with IOS 12.0 and line cards based on Engine 2 and earlier allows remote attackers to cause a denial of service (CPU consumption) by flooding the router with traffic that generates a large number of ICMP Unreachable replies.

[CNNVD] Cisco 12000 Series Internet Router Denial of Service Vulnerability (CNNVD-200112-018)

        Cisco 12000 routers running IOS 12.0 with line cards based on Engine 2 and earlier are vulnerable. A remote attacker can cause a denial of service (CPU consumption) by flooding the router with traffic that generates a large number of ICMP Unreachable replies.

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: NONE [No impact on system confidentiality]
Integrity impact: NONE [No impact on system integrity]
Availability impact: PARTIAL [May cause reduced performance or interrupted access to resources]
Attack complexity: LOW [No access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]

- CPE (affected platforms and products)


- OVAL (technical details for detection)

oval:org.mitre.oval:def:5769 Cisco 12000 Series Internet Router Denial Of Service Vulnerability

- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY) CISCO 20011114 ICMP Unreachable Vulnerability in Cisco 12000 Series Internet Router
(UNKNOWN) XF cisco-icmp-unreachable-dos(7536)
(UNKNOWN) BID 3534

- Vulnerability information

Cisco 12000 Series Internet Router Denial of Service Vulnerability
Medium risk; Other
2001-12-06 00:00:00 2005-05-02 00:00:00
        Cisco 12000 routers running IOS 12.0 with line cards based on Engine 2 and earlier are vulnerable. A remote attacker can cause a denial of service (CPU consumption) by flooding the router with traffic that generates a large number of ICMP Unreachable replies.

- Advisories and patches

        Cisco has released a number of upgrades for this issue.
        Cisco IOS 12.0(17)S and Cisco IOS 12.0(17)ST correspond to Vulnerability CSCdr46528 and Vulnerability CSCdt66560.
        Cisco IOS 12.0(15)S, Cisco IOS 12.0(15)SC and Cisco IOS 12.0(14.3)ST correspond to Vulnerability CSCds36541.
        Cisco IOS 12.0 S
  •         Cisco IOS 12.0(15)S
  •         Cisco IOS 12.0(17)S
        Cisco IOS 12.0 ST
  •         Cisco IOS 12.0(14.3)ST
  •         Cisco IOS 12.0(17)ST
        Cisco IOS 12.0 SC
  •         Cisco IOS 12.0(15)SC


- Vulnerability information

Cisco 12000 Series Router ICMP Unreachable DoS
Denial of Service
Loss of Availability

- Vulnerability description

Cisco IOS on 12000 series routers contains a flaw that may allow a remote denial of service. The issue is triggered when the router is flooded with packets which generate ICMP Unreachable responses, and will result in loss of availability for the platform.

- Timeline

2001-11-14 2001-11-14
Unknown Unknown

- Solution

        Upgrade to the version indicated in the Cisco product matrix, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):

        There are two workarounds for this issue. The first one is to prevent the router from sending ICMP unreachables at all. That behavior is governed with the no ip unreachables command. This command should be applied on an interface, such as in this example:

            router(config)#interface ethernet 0
            router(config-if)#no ip unreachables

        It is possible to mitigate the problem by rate limiting the number of ICMP unreachable packets that are sent. Here is the example:

            router(config)#ip icmp rate-limit unreachable n

        Where n is the number of milliseconds between two consecutive ICMP unreachable packets. The default value is 500. That means that one ICMP unreachable packet is sent every 500 ms.
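The two workarounds above are configuration settings, so the practical question for a defender is whether a given router already has them. The following script is an added example, not Cisco's code and not part of the original advisory: it parses a running-config in IOS text form and reports interfaces that still send ICMP Unreachables (no `no ip unreachables` line) and whether the global `ip icmp rate-limit unreachable` interval meets a chosen minimum. The sample configuration is constructed for the example; when the rate-limit command is absent the audit assumes the 500 ms IOS default stated on this page.

```python
"""Audit a Cisco IOS running-config for the two ICMP Unreachable workarounds
described in the advisory: per-interface "no ip unreachables" and the global
"ip icmp rate-limit unreachable <ms>" setting.

Added example for this page; it is not Cisco's code. The sample
configuration below is constructed, not captured from a real router.
"""
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
!
hostname gsr-edge1
!
ip icmp rate-limit unreachable 500
!
interface POS0/0
 ip address 192.0.2.1 255.255.255.252
 no ip unreachables
!
interface POS1/0
 ip address 198.51.100.1 255.255.255.252
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
end
"""

# IOS default: one ICMP Unreachable every 500 ms (as stated in the advisory).
IOS_DEFAULT_UNREACHABLE_INTERVAL_MS = 500


def parse_interfaces(config):
    """Return {interface_name: [config lines]} for each 'interface' block."""
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            # Any non-indented line (e.g. "!" or "end") closes the current block.
            current = None
    return interfaces


def unreachable_rate_limit_ms(config):
    """Return the configured 'ip icmp rate-limit unreachable' interval in ms,
    or the IOS default when the command does not appear in the config."""
    m = re.search(r"^ip icmp rate-limit unreachable (\d+)\s*$", config, re.MULTILINE)
    return int(m.group(1)) if m else IOS_DEFAULT_UNREACHABLE_INTERVAL_MS


def audit_icmp_unreachables(config, min_interval_ms=IOS_DEFAULT_UNREACHABLE_INTERVAL_MS):
    """List interfaces that still send ICMP Unreachables, and flag the global
    rate limit if it is shorter than min_interval_ms (a longer interval means
    fewer Unreachables per second and therefore less CPU spent generating them)."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "no ip unreachables" not in lines:
            findings.append(f"{name}: ICMP Unreachables still enabled")
    interval = unreachable_rate_limit_ms(config)
    if interval < min_interval_ms:
        findings.append(f"global: rate limit {interval} ms is below {min_interval_ms} ms")
    return findings


if __name__ == "__main__":
    # Require a 1000 ms interval to show the global finding on the sample config.
    for finding in audit_icmp_unreachables(SAMPLE_CONFIG, min_interval_ms=1000):
        print(finding)
```

Feed it the output of `show running-config` saved to a file; the per-interface check deliberately flags every interface without the command, including loopbacks, so that the operator decides which ones genuinely need to keep sending Unreachables rather than the script guessing.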

- Related references

- Vulnerability author

Unknown or Incomplete