Cisco IOS PIM Multiple Denial of Service Vulnerabilities

Release date: 2008-09-24
Updated: 2008-09-26

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
Description:
BUGTRAQ  ID: 31356
CVE(CAN) ID: CVE-2008-3808,CVE-2008-3809

Cisco IOS is the Internetwork Operating System used on Cisco network devices.

Devices running Cisco IOS software with Protocol Independent Multicast (PIM) configured are affected by a vulnerability triggered by specially crafted PIM packets; in addition, Cisco 12000 series (GSR) routers running Cisco IOS software are affected by a second vulnerability involving specially crafted PIM packets.

Successful exploitation of these vulnerabilities may cause the device to reload; repeated exploitation may result in a sustained denial of service.

<*Source: Cisco Security Advisory
  
  Links:http://secunia.com/advisories/31990/
        http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml
*>

Recommendation:
Temporary workarounds:

* Specify trusted PIM neighbors:

    Router(config)#access-list 1 permit host 10.10.10.123

    !-- An access control list is created to allow a trusted PIM neighbor
    !-- in this example the neighbor is 10.10.10.123
    !

    Router(config)#interface fastEthernet 0/0
    Router(config-if)#ip pim neighbor-filter 1

    !-- The PIM neighbor filter is then applied to the respective interface(s)

* Configure an ACL as follows:

    ip access-list extended Infrastructure-ACL-Policy

     !
     !-- When applicable, include explicit permit statements for trusted
     !-- sources that require access on the vulnerable protocol
     !-- PIM routers need to communicate with the rendezvous point (RP).
     !-- In this example, 192.168.100.1 is the IP address of the
     !-- rendezvous point, which is a trusted host that requires access
     !-- to and from the affected PIM devices.
     !

     permit pim host 192.168.100.1 192.168.60.0 0.0.0.255
     permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1

     !
     !-- Permit PIM segment traffic, packets have destination of:
     !-- 224.0.0.13 (PIMv2)
     !-- 224.0.0.2  (Required only by legacy PIMv1)
     !

     permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13
     permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2

     !
     !-- The following vulnerability-specific access control entries
     !-- (ACEs) can aid in identification of attacks
     !

     deny pim any 192.168.60.0 0.0.0.255

     !
     !-- Explicit deny ACE for traffic sent to addresses configured within
     !-- the infrastructure address space
     !

     deny ip any 192.168.60.0 0.0.0.255

     !
     !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
     !-- with existing security policies and configurations
     !
     !-- Apply iACL to interfaces in the ingress direction
     !

    interface GigabitEthernet0/0
     ip access-group Infrastructure-ACL-Policy in
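The following is an added example, not part of the original advisory or of Cisco's configuration guidance. It is a small Python model of how IOS evaluates the infrastructure ACL above (first matching entry wins, `ip` entries match every IP protocol, and an implicit deny sits at the end), fed with a constructed set of packet 5-tuples. Running it shows which access control entry each packet hits, which is the same information a `show access-list` hit counter gives an operator watching for untrusted PIM traffic reaching the 192.168.60.0/24 infrastructure space. The ACL text, the wildcard-mask semantics and the sample packets are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ACL body copied from the workaround above (comment lines kept to show they are skipped).
IACL_TEXT = """
ip access-list extended Infrastructure-ACL-Policy
 !-- RP (192.168.100.1) to/from the infrastructure segment
 permit pim host 192.168.100.1 192.168.60.0 0.0.0.255
 permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1
 !-- PIMv2 and legacy PIMv1 segment traffic
 permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13
 permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2
 !-- vulnerability-specific deny, useful as an attack indicator
 deny pim any 192.168.60.0 0.0.0.255
 deny ip any 192.168.60.0 0.0.0.255
"""


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "pim", "ip", "tcp", ...
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (IOS wildcard mask)
    dst: str


def _take_spec(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one IOS address specification from the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    """Parse 'permit/deny <proto> <src> <dst>' lines; skip comments and the header."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("ip access-list"):
            continue
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _take_spec(rest)
        dst, _ = _take_spec(rest)
        aces.append(Ace(action, proto, src, dst))
    return aces


def _match(spec: str, addr: int) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == int(ipaddress.IPv4Address(parts[1]))
    net = int(ipaddress.IPv4Address(parts[0]))
    care = (~int(ipaddress.IPv4Address(parts[1]))) & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching ACE); index None means the implicit deny."""
    s = int(ipaddress.IPv4Address(src_ip))
    d = int(ipaddress.IPv4Address(dst_ip))
    for i, ace in enumerate(aces):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if _match(ace.src, s) and _match(ace.dst, d):
            return ace.action, i
    return "deny", None  # every IOS ACL ends with an implicit deny


def hit_counts(aces: List[Ace], packets: List[Tuple[str, str, str]]) -> Dict[Optional[int], int]:
    """Per-ACE hit counter, like the counters shown by 'show access-list'."""
    counts: Dict[Optional[int], int] = {}
    for proto, src, dst in packets:
        _, idx = evaluate(aces, proto, src, dst)
        counts[idx] = counts.get(idx, 0) + 1
    return counts


# Constructed sample traffic as seen on the ingress interface.
SAMPLE_PACKETS = [
    ("pim", "192.168.100.1", "192.168.60.7"),  # RP to infrastructure: permitted
    ("pim", "192.168.60.7", "224.0.0.13"),     # PIMv2 hello on the segment: permitted
    ("pim", "10.10.10.200", "192.168.60.7"),   # untrusted PIM source: hits the PIM deny
    ("pim", "10.10.10.201", "192.168.60.9"),   # untrusted PIM source: hits the PIM deny
    ("tcp", "10.1.1.1", "192.168.60.7"),       # other traffic to infrastructure: denied
    ("tcp", "10.1.1.1", "203.0.113.5"),        # transit traffic: implicit deny in this model
]

if __name__ == "__main__":
    acl = parse_acl(IACL_TEXT)
    for proto, src, dst in SAMPLE_PACKETS:
        action, idx = evaluate(acl, proto, src, dst)
        where = "implicit deny" if idx is None else f"ACE {idx}: {acl[idx]}"
        print(f"{proto:4} {src:>14} -> {dst:<14} {action:6} ({where})")
    print("hit counts:", hit_counts(acl, SAMPLE_PACKETS))
```

In a real deployment the last `permit`/`deny` entries before the implicit deny would follow the existing policy, as the advisory's comment says; the model above leaves them out, so transit traffic falls through to the implicit deny. The useful observation is the counter on the `deny pim any 192.168.60.0 0.0.0.255` entry: it only increments for PIM packets from sources that are not the rendezvous point or the segment itself, which is the signal the advisory describes as aiding identification of attacks.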

Vendor patches:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20080924-multicast) and corresponding patches for this issue:
cisco-sa-20080924-multicast:Multiple Multicast Vulnerabilities in Cisco IOS Software
Link:http://www.cisco.com/warp/public/707/cisco-sa-20080924-multicast.shtml

This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.