Cisco IOS Voice Services: Multiple Protocol-Handling Denial of Service and Code Execution Vulnerabilities
Published: 2007-08-08
Updated: 2007-08-10
Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
Cisco Unified Communications Manager 6.0
Cisco Unified Communications Manager 5.1
Cisco Unified Communications Manager 5.0
BUGTRAQ ID: 25239
Description:
Cisco IOS is the operating system used on Cisco network devices.
Cisco IOS contains vulnerabilities in the handling of several voice-protocol messages; a remote attacker could exploit them to make the device unavailable.
Sending malformed SIP messages to a device running Cisco IOS or Cisco Unified Communications Manager can cause a denial of service or arbitrary code execution. In addition, a device running Cisco IOS that receives malformed MGCP, H.323 or RTP messages, or an oversized message while receiving a fax, can suffer a service crash or a router hang.
<* Source: Cisco Security Advisory
Links: http://secunia.com/advisories/26363/
http://secunia.com/advisories/26362/
http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml
*>
Recommendation:
Workarounds:
* Apply the following infrastructure ACL (iACL). TRUSTED_HOSTS, INFRASTRUCTURE_ADDRESSES and MASK are placeholders; in IOS access lists MASK is a wildcard mask (0.0.0.255 for a /24, 0.0.0.0 for a single host), not a subnet mask. The list filters only traffic entering the interface it is applied to, so "interface serial 2/0" stands for every interface on which untrusted traffic can arrive:
!-- Permit SIP, MGCP, H.323 and RTP services from trusted hosts destined
!-- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2427
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 1720
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 11720
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK range 16384 32767
!-- Deny SIP, MGCP, H.323 and RTP packets from all other sources destined
!-- to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2427
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 1720
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 11720
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK range 16384 32767
!-- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in
* Apply the following Control Plane Policing (CoPP) configuration. Note the inverted logic of access-list 111: entries that "deny" trusted hosts exclude them from the policer, and entries that "permit" everyone else select their voice traffic to be dropped:
!-- Deny SIP, MGCP, H.323 and RTP traffic from trusted hosts to all
!-- IP addresses configured on all interfaces of the affected device
!-- so that it will be allowed by the CoPP feature.
access-list 111 deny tcp host 192.168.100.1 any eq 5060
access-list 111 deny tcp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 5060
access-list 111 deny udp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 2427
access-list 111 deny tcp host 192.168.100.1 any eq 1720
access-list 111 deny tcp host 192.168.100.1 any eq 11720
access-list 111 deny udp host 192.168.100.1 any eq 2517
access-list 111 deny udp host 192.168.100.1 any range 16384 32767
!-- Permit all other SIP, MGCP, H.323 and RTP traffic sent to all
!-- IP addresses configured on all interfaces of the affected device
!-- so that it will be policed and dropped by the CoPP feature.
access-list 111 permit tcp any any eq 5060
access-list 111 permit tcp any any eq 5061
access-list 111 permit udp any any eq 5060
access-list 111 permit udp any any eq 5061
access-list 111 permit udp any any eq 2427
access-list 111 permit tcp any any eq 1720
access-list 111 permit tcp any any eq 11720
access-list 111 permit udp any any eq 2517
access-list 111 permit udp any any range 16384 32767
!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-voice-class
 match access-group 111
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map drop-voice-traffic
 class drop-voice-class
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
 service-policy input drop-voice-traffic
Note that in the Cisco IOS 12.2S and 12.0S software trains the policy-map syntax is different; the policer is configured to drop both conforming and exceeding traffic:
policy-map drop-voice-traffic
 class drop-voice-class
  police 32000 1500 1500 conform-action drop exceed-action drop
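The iACL and CoPP templates above leave the addresses as placeholders and share one port list. The following script is an added example, not code from the Cisco advisory or from NSFOCUS: it takes CIDR prefixes for the trusted hosts and the infrastructure addresses, converts them to the wildcard-mask form that IOS access lists expect, emits the iACL entries for the nine port specifications in the template in the template's order, and then evaluates a few constructed packets against those entries with first-match semantics to show what the list permits and denies. The addresses and packets are made up (RFC 5737 documentation ranges); the function names are the example's own.

```python
"""Generate the advisory's infrastructure ACL from CIDR input and check
first-match behaviour. Added example, not Cisco's or NSFOCUS's code.
Hosts, prefixes and packets below are constructed (RFC 5737 ranges)."""
import ipaddress

# Port specifications from the advisory's iACL/CoPP templates, as
# (protocol, low port, high port); a single port has low == high.
VOICE_PORTS = [
    ("tcp", 5060, 5060),    # SIP
    ("tcp", 5061, 5061),    # SIP over TLS
    ("udp", 5060, 5060),    # SIP
    ("udp", 5061, 5061),    # SIP
    ("udp", 2427, 2427),    # MGCP
    ("tcp", 1720, 1720),    # H.323 (H.225 call signalling)
    ("tcp", 11720, 11720),  # H.323 (H.245, Cisco port)
    ("udp", 2517, 2517),    # H.323 (Cisco)
    ("udp", 16384, 32767),  # RTP media
]


def wildcard(prefix):
    """'network wildcard' for a CIDR prefix. IOS access lists take an
    inverted mask (0 bits must match), so /24 becomes 0.0.0.255."""
    net = ipaddress.ip_network(prefix, strict=False)
    return f"{net.network_address} {net.hostmask}"


def build_rules(trusted, infra):
    """Rules as (action, proto, src_net|None, dst_net|None, lo, hi);
    None means 'any'. Order matters: trusted permits, then denies for
    everyone else, then the transit permit, exactly as in the template."""
    t_nets = [ipaddress.ip_network(p, strict=False) for p in trusted]
    i_nets = [ipaddress.ip_network(p, strict=False) for p in infra]
    rules = []
    for t in t_nets:
        for i in i_nets:
            for proto, lo, hi in VOICE_PORTS:
                rules.append(("permit", proto, t, i, lo, hi))
    for i in i_nets:
        for proto, lo, hi in VOICE_PORTS:
            rules.append(("deny", proto, None, i, lo, hi))
    rules.append(("permit", "ip", None, None, None, None))
    return rules


def _addr(net):
    return "any" if net is None else f"{net.network_address} {net.hostmask}"


def render(number, rules):
    """Render rules as numbered IOS access-list lines."""
    out = []
    for action, proto, src, dst, lo, hi in rules:
        ports = "" if lo is None else (f" eq {lo}" if lo == hi else f" range {lo} {hi}")
        out.append(f"access-list {number} {action} {proto} {_addr(src)} {_addr(dst)}{ports}")
    return out


def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins, as on IOS. The implicit deny at the end
    never fires here because the template ends with 'permit ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, lo, hi in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if rsrc is not None and s not in rsrc:
            continue
        if rdst is not None and d not in rdst:
            continue
        if lo is not None and not lo <= dport <= hi:
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed input: one trusted call agent, one infrastructure /24.
    rules = build_rules(["192.0.2.10/32"], ["198.51.100.0/24"])
    print("\n".join(render(150, rules)))
    # Constructed packets as (proto, src, dst, dport).
    for pkt in [("udp", "192.0.2.10", "198.51.100.1", 5060),    # trusted SIP: permit
                ("udp", "203.0.113.7", "198.51.100.1", 5060),   # untrusted SIP: deny
                ("udp", "203.0.113.7", "198.51.100.1", 20000),  # untrusted RTP: deny
                ("tcp", "203.0.113.7", "198.51.100.1", 22),     # SSH, not covered: permit
                ("udp", "203.0.113.7", "10.0.0.5", 5060)]:      # SIP to a transit host: permit
        print(pkt, "->", evaluate(rules, *pkt))
```

The last two packets are the point of the evaluation: the iACL shields only the listed voice ports on infrastructure addresses, so other services on the router still need their own entries, and voice traffic transiting to hosts behind the router is deliberately untouched.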
* Disable SIP processing on the router. This turns off SIP on both transports for the whole device, so it is only suitable where the router does not provide SIP services; disabling just one transport leaves the other listening:
Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
Router(config-sip-ua)#end
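Across a fleet, the practical question after applying the workarounds is which devices actually have them. The following script is an added example, not code from the Cisco advisory or from NSFOCUS: it splits a saved "show running-config" into top-level sections with their indented children and checks the three workarounds on this page (both SIP transports disabled under sip-ua, an input service-policy on control-plane, and an inbound access-group on every addressed, non-shutdown interface). SAMPLE_CONFIG is a constructed fragment, and the checks are text heuristics rather than a full IOS configuration parser.

```python
"""Audit a saved IOS running-config for the three workarounds in this
advisory. Added example, not Cisco's or NSFOCUS's code. SAMPLE_CONFIG is
a constructed fragment in 'show running-config' layout; the checks are
text heuristics, not a full IOS configuration parser."""
import re


def parse_sections(config):
    """Map each top-level command to the list of its indented children.
    Assumes IOS layout: children indented by spaces, '!' separators."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def sip_transports_disabled(sections):
    """True only if both SIP transports are off under sip-ua; disabling
    just one still leaves the router parsing SIP on the other."""
    return {"no transport udp", "no transport tcp"} <= set(sections.get("sip-ua", []))


def copp_applied(sections):
    """True if an input service-policy is attached to the control plane."""
    return any(c.startswith("service-policy input ")
               for c in sections.get("control-plane", []))


def interfaces_without_inbound_acl(sections):
    """Addressed, non-shutdown, non-loopback interfaces lacking an inbound
    access-group; these can deliver unfiltered voice traffic to the router."""
    missing = []
    for cmd, children in sections.items():
        if not cmd.startswith("interface "):
            continue
        name = cmd.split(" ", 1)[1]
        if name.startswith("Loopback"):
            continue  # no wire ingress; iACLs go on physical/edge interfaces
        if "shutdown" in children or not any(c.startswith("ip address ") for c in children):
            continue
        if not any(re.fullmatch(r"ip access-group \S+ in", c) for c in children):
            missing.append(name)
    return missing


def audit(config):
    s = parse_sections(config)
    return {
        "sip_disabled": sip_transports_disabled(s),
        "copp_applied": copp_applied(s),
        "interfaces_missing_iacl": interfaces_without_inbound_acl(s),
    }


# Constructed sample: CoPP is on, SIP is only half disabled (UDP only),
# and Serial2/0 has an address but no inbound ACL.
SAMPLE_CONFIG = """\
version 12.4
hostname voice-gw1
!
class-map match-all drop-voice-class
 match access-group 111
!
policy-map drop-voice-traffic
 class drop-voice-class
   drop
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group 150 in
!
interface Serial2/0
 ip address 203.0.113.2 255.255.255.252
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface FastEthernet0/1
 no ip address
 shutdown
!
sip-ua
 no transport udp
!
control-plane
 service-policy input drop-voice-traffic
!
end
"""

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

On the sample the audit reports CoPP present, SIP not fully disabled (only the UDP transport is off), and Serial2/0 as the one interface that can still carry unfiltered voice traffic to the router.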
Vendor patches:
Cisco
-----
Cisco has published a security advisory (cisco-sa-20070808-IOS-voice) and corresponding patches:
cisco-sa-20070808-IOS-voice: Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager
Link: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml