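Cisco IOS NHRP Remote Buffer Overflow Vulnerability
Release date: 2007-08-08
Updated: 2007-08-09
Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
Description:
BUGTRAQ ID: 25238
Cisco IOS is the operating system used on Cisco network devices.
The Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a buffer overflow vulnerability that a remote attacker may be able to exploit to take control of the device or cause a denial of service.
Sending a malformed packet to a Cisco device running IOS with NHRP configured can trigger the overflow, resulting in a denial of service or arbitrary code execution.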
<*Source: Martin Kluge
Links: http://secunia.com/advisories/26360/
       http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml
*>
Recommendations:
Temporary workarounds:
* Apply the following infrastructure ACL (iACL):
!--- Permit NHRP/GRE services from trusted hosts destined
!--- to infrastructure addresses.
access-list 150 permit 47 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
access-list 150 permit 54 TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK
!--- Deny NHRP/GRE packets from all other sources destined
!--- to infrastructure addresses.
access-list 150 deny 47 any INFRASTRUCTURE_ADDRESSES MASK
access-list 150 deny 54 any INFRASTRUCTURE_ADDRESSES MASK
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in
* Apply the following Control Plane Policing (CoPP) policy:
!--- Deny NHRP (IP protocol number 54) and GRE (IP protocol number 47)
!--- traffic from trusted hosts to all IP addresses configured
!--- on all interfaces of the affected device so that it will
!--- be allowed by the CoPP feature.
!
access-list 111 deny 54 TRUSTED_ADDRESSES MASK any
access-list 111 deny 47 TRUSTED_ADDRESSES MASK any
!
!--- Permit all other NHRP (IP protocol number 54) and GRE (IP protocol
!--- number 47) traffic sent to all IP addresses configured on
!--- all interfaces of the affected device so that it will be
!--- policed and dropped by the CoPP feature.
!
access-list 111 permit 54 any any
access-list 111 permit 47 any any
!
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3
!--- and Layer4 traffic in accordance with existing security
!--- policies and configurations for traffic that is authorized
!--- to be sent to infrastructure devices.
!
!--- Create a class map for traffic to be policed by the CoPP
!--- feature.
!
class-map match-all drop-NHRP-class
 match access-group 111
!
!--- Create a policy map that will be applied to the control plane
!--- of the affected device.
!
policy-map drop-NHRP-traffic
 class drop-NHRP-class
  drop
!
!--- Apply the policy map to the control plane of the
!--- device.
!
control-plane
 service-policy input drop-NHRP-traffic
!
Note that the policy-map syntax is different in the Cisco IOS 12.2S and 12.0S software trains:
policy-map drop-NHRP-traffic
 class drop-NHRP-class
  police 32000 1500 1500 conform-action drop exceed-action drop
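An added example, not part of the original advisory and not Cisco's own tooling: a Python check of a saved running-config against the iACL workaround above. It lists interfaces carrying `ip nhrp` sub-commands and the non-tunnel interfaces whose inbound ACL does not deny both protocol 47 and protocol 54 from any source. Assumptions: numbered ACLs only, ACL destinations are ignored, the CoPP workaround is not evaluated, and the sample config is constructed.

```python
import re

GRE_NHRP = {"47", "54"}  # IP protocol numbers the iACL filters (GRE, NHRP)
SAMPLE = """\
interface Tunnel0
 ip nhrp network-id 1
interface Serial2/0
 ip access-group 150 in
interface Serial3/0
 ip access-group 160 in
access-list 150 permit 47 host 198.51.100.7 host 198.51.100.1
access-list 150 deny 47 any host 198.51.100.1
access-list 150 deny 54 any host 198.51.100.1
access-list 150 permit ip any any
access-list 160 permit ip any any
access-list 160 deny 54 any host 203.0.113.1
"""  # constructed sample config; addresses are documentation ranges

def parse(config):
    """Return interface sub-commands and, per numbered ACL, entries whose source is any."""
    ifaces, acls, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny) (\S+) any\b", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the interface section
        elif current is not None:
            current.append(line.strip())
    return ifaces, acls

def blocked(entries):
    """Protocols denied from any source; first match wins, destinations are ignored."""
    decided = {}
    for action, proto in entries:
        proto = {"gre": "47"}.get(proto.lower(), proto.lower())
        for p in (GRE_NHRP if proto == "ip" else GRE_NHRP & {proto}):
            decided.setdefault(p, action)
    return {p for p, a in decided.items() if a == "deny"}

def audit(config):
    """Return (interfaces running NHRP, non-tunnel interfaces lacking both denies)."""
    ifaces, acls = parse(config)
    acl_in = lambda c: next((x.split()[2] for x in c if re.match(r"ip access-group \S+ in$", x)), None)
    nhrp = [n for n, c in ifaces.items() if any(x.startswith("ip nhrp ") for x in c)]
    return nhrp, [n for n, c in ifaces.items() if not n.startswith("Tunnel")
                  and blocked(acls.get(acl_in(c), [])) != GRE_NHRP]
```

On the sample, Serial3/0 is reported because the `permit ip any any` entry in ACL 160 precedes its deny and the ACL never denies protocol 47.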
Vendor patch:
Cisco
-----
Cisco has released a security advisory (cisco-sa-20070808-nhrp) and corresponding patches for this issue:
cisco-sa-20070808-nhrp: Cisco IOS Next Hop Resolution Protocol Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20070808-nhrp.shtml
