NSFOCUS Security Monthly -> Issue 29 -> Latest Vulnerabilities
Cisco IOS Cisco Express Forwarding Mode Session Information Disclosure Vulnerability

Date: 2002-03-18

Updated: 2002-3-4
Affected systems:
Cisco IOS 12.2T
Cisco IOS 12.2
Cisco IOS 12.1T
Cisco IOS 12.1E
Cisco IOS 12.1
Cisco IOS 12.0T
Cisco IOS 12.0ST
Cisco IOS 12.0
Cisco IOS 11.1CC

Description:


BUGTRAQ  ID: 4191

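IOS (Internet Operating System) is the operating system widely used on Cisco routers. It is developed and maintained by Cisco.

Some versions of IOS have a vulnerability in their Cisco Express Forwarding (CEF) implementation that can leak information from forwarded packets.

When a Cisco router is running in Cisco Express Forwarding (CEF) mode and receives a packet whose length as stated in the IP header is greater than the packet's physical length, the packet is extended to the length specified in the IP header. The data used for the extension comes from previously forwarded data still held in memory, which results in the information disclosure.

An attacker cannot choose which information is obtained, which reduces the likelihood of obtaining sensitive information.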
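The length condition described above can be checked on captured traffic. The following is an added example, not part of the original advisory or of Cisco's code: it flags Ethernet/IPv4 frames whose IP Total Length field exceeds the bytes actually present. The function names and sample frames are constructed for illustration, and the check assumes frames were captured in full (no snap-length truncation).

```python
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800

def check_ipv4_length(frame: bytes):
    """Return (declared, available) when the IPv4 Total Length field is
    larger than the bytes present after the Ethernet header, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None  # too short to contain an IPv4 header
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, ETH_HDR_LEN)
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        return None  # not a well-formed IPv4 header
    available = len(frame) - ETH_HDR_LEN
    # Ethernet padding makes available > total_len normal; only the
    # reverse matches the condition described in the advisory.
    if total_len > available:
        return (total_len, available)
    return None

def scan(frames):
    """Return [(index, declared, available)] for every mismatched frame."""
    hits = []
    for i, frame in enumerate(frames):
        result = check_ipv4_length(frame)
        if result:
            hits.append((i, result[0], result[1]))
    return hits

def build_frame(total_len: int, payload: bytes) -> bytes:
    """Constructed sample data: Ethernet II + 20-byte IPv4 header + payload.
    Addresses are documentation ranges; the header checksum is left at 0."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + payload

# Constructed sample frames (not real captures).
SAMPLE_FRAMES = [
    build_frame(28, b"A" * 8),                 # consistent: 20 + 8 = 28
    build_frame(28, b"A" * 8 + bytes(18)),     # padded frame, still consistent
    build_frame(128, b"A" * 8),                # header claims 128, 28 present
]

if __name__ == "__main__":
    for idx, declared, available in scan(SAMPLE_FRAMES):
        print(f"frame {idx}: IP total length {declared} > {available} bytes on wire")
```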

<*Source: Cisco Security Advisory
  
  Link: http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml
*>


--------------------------------------------------------------------------------
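Recommendation:

Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:

* Until the vulnerability is patched, disable Cisco Express Forwarding mode on the router.

Vendor patch: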

Cisco
-----
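Cisco has released a security advisory (Cisco-IOS-CEF-pub) and corresponding patches for this issue:
Cisco-IOS-CEF-pub:Data Leak with Cisco Express Forwarding Enabled
Link: http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml

The following table shows the patch status of the affected releases: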
+------------------------------------------------------------------------+
| Train  | Description of Image  |    Availability of Fixed Releases*    |
|        |      or Platform      |                                       |
|--------------------------------+---------------------------------------|
|      11.1-based Releases       | Rebuild  |  Interim**   | Maintenance |
|--------------------------------+----------+--------------+-------------|
| 11.1CC | ED release for 7000   | 11.1(36) |              |             |
|        | series                | CC3      |              |             |
|--------------------------------+----------+--------------+-------------|
|      12.0-based Releases       | Rebuild  |  Interim**   | Maintenance |
|--------------------------------+----------+--------------+-------------|
|  12.0  | GD release for all    |          | 12.0(20.4)   |             |
|        | platforms             |          |              |             |
|--------+-----------------------+----------+--------------+-------------|
| 12.0S  | ED release for all    | 12.0(17) | 12.0(18.3)S  | 12.0(19)S   |
|        | platforms             | ST4      |              |             |
|--------+-----------------------+----------+--------------+-------------|
| 12.0ST | ED release for all    |          | 12.0(18.3)ST | 12.0(19)ST  |
|        | platforms             |          |              |             |
|--------+-----------------------+---------------------------------------|
| 12.0T  | ED release for all    | To be decided                         |
|        | platforms             |                                       |
|--------+-----------------------+---------------------------------------|
| 12.0W5 | ED release for all    |          | 12.0(20.4)W5 |             |
|        | platforms             |          | (24.7)       |             |
|--------------------------------+----------+--------------+-------------|
|      12.1-based Releases       | Rebuild  |  Interim**   | Maintenance |
|--------------------------------+----------+--------------+-------------|
|  12.1  | LD release for all    |          | 12.1(9.2)    | 12.1(10)    |
|        | platforms             |          |              |             |
|--------+-----------------------+----------+--------------+-------------|
| 12.1E  | ED release for all    | 12.1     | 12.1(9.5)E   | 12.1(8a)E   |
|        | platforms             | (8.5)E2  |              |             |
|--------+-----------------------+----------+--------------+-------------|
| 12.1EC | ED release for all    | 12.1     | 12.1(9.5)EC  |             |
|        | platforms             | (7.5)EC1 |              |             |
|--------+-----------------------+---------------------------------------|
| 12.1T  | ED release for all    | To be decided                         |
|        | platforms             |                                       |
|--------+-----------------------+---------------------------------------|
| 12.1XM | ED release for all    | 12.1(5)  |              |             |
|        | platforms             | XM6      |              |             |
|--------------------------------+----------+--------------+-------------|
|      12.2-based Releases       | Rebuild  |  Interim**   | Maintenance |
|--------------------------------+----------+--------------+-------------|
|  12.2  | LD release for all    |          | 12.2(2.5)    | 12.2(3)     |
|        | platforms             |          |              |             |
|--------+-----------------------+----------+--------------+-------------|
| 12.2S  | LD release for all    |          | 12.2(3.3)S   |             |
|        | platforms             |          |              |             |
|--------+-----------------------+----------+--------------+-------------|
| 12.2T  | ED release for all    |          | 12.2(2.4)T   | 12.2(4)T    |
|        | platforms             |          |              |             |
+------------------------------------------------------------------------+


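Obtaining Fixed Software
========================

   Cisco is offering free software upgrades that eliminate this vulnerability
   to all affected customers.

   Customers with contracts can obtain upgraded software through their regular
   update channels. For most customers, upgrades are available through the
   Software Center on the Cisco website: http://www.cisco.com.

   Customers who have an existing or prior agreement with a third-party support
   organization, such as a Cisco partner, authorized reseller or service
   provider, and who receive Cisco products or technical support through that
   organization, can obtain upgrade support free of charge.

   Customers who purchased directly from Cisco but have no Cisco service
   contract, and customers who purchased through a third-party vendor but
   cannot obtain fixed software from the seller, can obtain upgrades from the
   Cisco Technical Assistance Center (TAC). TAC contacts:

     * +1 800 553 2447 (toll-free within North America)
     * +1 408 526 7209 (toll call, worldwide)
     * e-mail: tac@cisco.com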
