Cisco 2503 User's Guide Page 31

Release Notes for Cisco 2500 Series for Cisco IOS Release 12.0 T 31
Cisco IOS Syslog Failure
If you have service contracts, you can obtain new software through your regular update channels
(generally through Cisco’s World Wide Web site). You can upgrade to any software release, but you
must remain within the boundaries of the feature sets you have purchased.
If you do not have service contracts, you can upgrade to obtain only the bug fixes; free upgrades are
restricted to the minimum upgrade required to resolve the defects. In general, you will be restricted
to upgrading within a single row of Table 7, except when no upgrade within the same row is available
in a timely manner. Obtain updates by contacting one of the following Cisco Technical Assistance
Centers (TACs):
+1 800 553 2447 (toll-free from within North America)
+1 408 526 7209 (toll call from anywhere in the world)
Give the URL of this notice (http://www.cisco.com/warp/public/770/iossyslog-pub.shtml) as
evidence for a free update. Non-contract customers must request free updates through the TAC.
Please do not contact either [email protected] or [email protected] for software updates.
Workarounds
You can work around this vulnerability by preventing any affected Cisco IOS device from receiving
or processing UDP datagrams addressed to its port 514. This can be done either by using packet
filtering on surrounding devices, or by using input access list filtering on the affected IOS device
itself.
If you use an input access list, apply that list to all interfaces to which attackers may be able to send
datagrams. Interfaces include not only physical LAN and WAN interfaces but also virtual
subinterfaces of those physical interfaces, as well as virtual interfaces and interface templates
corresponding to GRE, L2TP, L2F, and other tunneling protocols.
The input access list must block traffic destined for UDP port 514 at any of the Cisco IOS device’s
own IP addresses, as well as at any broadcast or multicast addresses on which the Cisco IOS device
may be listening. Be sure to block both old-style “all-zeros” broadcasts and new-style “all-ones”
broadcasts. It is not necessary to block traffic being forwarded to other hosts—only traffic actually
addressed to the Cisco IOS device is of interest.
No single input access list works in all configurations. Know the effect of your access list in your
specific configuration before activating it.
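The address list such an input access list has to cover can be derived mechanically from the interface addressing. The following Python sketch is an added example, not part of the Cisco notice: it computes each interface's own address plus the all-zeros and all-ones broadcast forms and emits extended access-list lines. The interface names, addresses, multicast group, ACL number 101 and the closing permit line are constructed assumptions.

```python
import ipaddress

SYSLOG_PORT = 514  # UDP port named in the workaround


def syslog_block_targets(interfaces, multicast_groups=()):
    """Return the sorted destination addresses the input ACL has to cover."""
    targets = {
        ipaddress.IPv4Address("0.0.0.0"),          # old-style all-zeros broadcast
        ipaddress.IPv4Address("255.255.255.255"),  # new-style all-ones broadcast
    }
    for cidr in interfaces.values():
        iface = ipaddress.IPv4Interface(cidr)
        targets.add(iface.ip)  # the device's own address on this interface
        if iface.network.prefixlen < 31:  # /31 and /32 have no subnet broadcasts
            targets.add(iface.network.network_address)    # all-zeros subnet broadcast
            targets.add(iface.network.broadcast_address)  # all-ones subnet broadcast
    for group in multicast_groups:
        addr = ipaddress.IPv4Address(group)
        if not addr.is_multicast:
            raise ValueError(f"{group} is not a multicast address")
        targets.add(addr)
    return sorted(targets)


def build_acl(interfaces, acl_number=101, multicast_groups=()):
    """Return IOS configuration lines for the input access list."""
    lines = [
        f"access-list {acl_number} deny udp any host {t} eq {SYSLOG_PORT}"
        for t in syslog_block_targets(interfaces, multicast_groups)
    ]
    # Assumption: everything else is permitted; merge with any existing policy.
    lines.append(f"access-list {acl_number} permit ip any any")
    for name in interfaces:
        lines += [f"interface {name}", f" ip access-group {acl_number} in"]
    return lines


if __name__ == "__main__":
    # Constructed sample interfaces (documentation address ranges).
    sample = {"Ethernet0": "192.0.2.1/24", "Serial0": "198.51.100.5/30"}
    print("\n".join(build_acl(sample, multicast_groups=["224.0.0.5"])))
```

An interface takes only one input IP access list, so on interfaces that already have one, add the deny entries to the existing list instead of applying a new one. Subinterfaces and tunnel interfaces must be included in the interface map as well.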