Cisco IOS Multiple Features TCP Packet Denial of Service Vulnerability

Release date: 2009-03-25
Last updated: 2009-03-26

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.2
Description:
BUGTRAQ  ID: 34238
CVE(CAN) ID: CVE-2009-0629

Cisco IOS is the Internetwork Operating System used by Cisco network devices.

If Cisco IOS is configured to use any of the following features:

  * Airline Product Set (ALPS)
  * Serial Tunnel (STUN) and Block Serial Tunnel (BSTUN)
  * Native Client Interface Architecture (NCIA) support
  * Data-link Switching (DLSw)
  * Remote Source-Route Bridging (RSRB)
  * Point-to-Point Tunneling Protocol (PPTP)
  * X.25 for Record Boundary Preservation (RBP)
  * X.25 over TCP (XOT)
  * X.25 Routing

then an attacker who has completed the TCP three-way handshake on the TCP port associated with that feature can cause the device to reload by sending crafted TCP packets to the vulnerable device.

<*Source: Cisco Security Advisory
  
  Link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml
*>

Recommendation:
Temporary workarounds:

* Apply the following infrastructure ACL (iACL)

    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---
    !--- Feature: ALPS
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000

    !---
    !--- Deny ALPS TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000

    !---
    !--- Feature: STUN
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992

    !---
    !--- Deny STUN TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
    access-list 150 deny tcp any
        INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992

    !---
    !--- Feature: BSTUN
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979

    !---
    !--- Deny BSTUN TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979

    !---
    !--- Feature: NCIA
    !---

    !---
    !--- Leverage the underlying protocols, DLSw, RSRB, etc.
    !---

    !---
    !--- Feature: DLSW
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983

    !---
    !--- Deny DLSW TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983

    !---
    !--- Feature: RSRB
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996

    !---
    !--- Deny RSRB TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996

    !---
    !--- Feature: PPTP
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723

    !---
    !--- Deny PPTP TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723

    !---
    !--- Feature: RBP
    !---
    !--- RBP will listen for TCP connections on the configured port
    !--- as per "local port <port_number>". The following example
    !--- uses port 1055
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055

    !---
    !--- Deny RBP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055

    !---
    !--- Feature: XOT and X.25 Routing
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998

    !---
    !--- Deny XOT and X25 TCP traffic from all other sources
    !--- destined to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998

    !---
    !--- Permit/deny all other Layer 3 and Layer 4 traffic in
    !--- accordance with existing security policies and
    !--- configurations Permit all other traffic to transit the
    !--- device.
    !---

    access-list 150 permit ip any any

    !---
    !--- Apply access-list to all interfaces (only one example
    !--- shown)
    !---

    interface serial 2/0
     ip access-group 150 in

* Apply the following receive ACL (rACL)

    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---

    !---
    !--- Permit ALPS traffic from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 350
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
        any eq 10000

    !---
    !--- Deny ALPS traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 350
    access-list 150 deny tcp any any eq 10000

    !---
    !--- Permit STUN traffic from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1994
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1990 1992

    !---
    !--- Deny STUN traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1994
    access-list 150 deny tcp any any range 1990 1992

    !---
    !--- Permit BSTUN traffic from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1963
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1976 1979

    !---
    !--- Deny BSTUN traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1963
    access-list 150 deny tcp any any range 1976 1979

    !---
    !--- Permit DLSw from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 2065
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 2067
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1981 1983

    !---
    !--- Deny DLSw all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 2065
    access-list 150 deny tcp any any eq 2067
    access-list 150 deny tcp any any range 1981 1983

    !---
    !--- Permit RSRB traffic from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1996
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1987 1989

    !---
    !--- Deny RSRB traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1996
    access-list 150 deny tcp any any range 1987 1989

    !---
    !--- Permit PPTP traffic from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1723

    !---
    !--- Deny PPTP traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1723

    !---
    !--- Permit RBP traffic from trusted hosts allowed to the RP.
    !--- RBP will listen for TCP connections on the configured port
    !--- as per "local port <port_number>".  The following example
    !--- uses port 1055
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1055

    !---
    !--- Deny RBP traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1055

    !---
    !--- Permit XOT and X.25 Routing traffic from trusted hosts allowed
    !--- to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1998

    !---
    !--- Deny XOT and X.25 Routing traffic from all other sources to
    !--- the RP.
    !---

    access-list 150 deny tcp any any eq 1998

    !--- Permit all other traffic to the RP.
    !--- according to security policy and configurations.

    access-list 150 permit ip any any

    !--- Apply this access list to the 'receive' path.

    ip receive access-list 150

* Apply the following Control Plane Policing (CoPP) configuration

    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---
    !--- Feature: ALPS
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 350
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 10000

    !---
    !--- Permit ALPS traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 350
    access-list 150 permit tcp any any eq 10000

    !---
    !--- Feature: STUN
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1994
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1990 1992

    !---
    !--- Permit STUN traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1994
    access-list 150 permit tcp any any range 1990 1992

    !---
    !--- Feature: BSTUN
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1963
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1976 1979

    !---
    !--- Permit BSTUN traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1963
    access-list 150 permit tcp any any range 1976 1979

    !---
    !--- Feature: NCIA
    !---
    !--- Leverage the underlying protocols, DLSw, RSRB, etc.
    !---

    !---
    !--- Feature: DLSW
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 2065
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 2067
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1981 1983

    !---
    !--- Permit DLSW traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 2065
    access-list 150 permit tcp any any eq 2067
    access-list 150 permit tcp any any range 1981 1983

    !---
    !--- Feature: RSRB
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1987 1989
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1996

    !---
    !--- Permit RSRB traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any range 1987 1989
    access-list 150 permit tcp any any eq 1996

    !---
    !--- Feature: PPTP
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1723

    !---
    !--- Permit PPTP traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1723

    !---
    !--- Feature: RBP
    !---
    !--- RBP will listen for TCP connections on the configured port
    !--- as per "local port <port_number>".  The following example
    !--- uses port 1055

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1055

    !---
    !--- Permit RBP traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1055

    !---
    !--- Feature: XOT and X.25 Routing
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1998

    !---
    !--- Permit XOT and X25 traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1998

    !---
    !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
    !--- Layer4 traffic in accordance with existing security policies
    !--- configurations for traffic that is authorized to be sent
    !--- and to infrastructure devices
    !--- Create a Class-Map for traffic to be policed by
    !--- the CoPP feature
    !---

    class-map match-all drop-tcp-class
     match access-group 150

    !---
    !--- Create a Policy-Map that will be applied to the
    !--- Control-Plane of the device.
    !---

    policy-map drop-tcp-traffic
     class drop-tcp-class
      drop

    !---
    !--- Apply the Policy-Map to the
    !--- Control-Plane of the device
    !---

    control-plane
     service-policy input drop-tcp-traffic

In the CoPP example above, the ACL entries with a permit action match the attack packets, so the drop action of the policy-map discards those packets; packets that match the deny entries are not affected by the policy. Note that on the Cisco IOS 12.2S and 12.0S trains the policy-map syntax differs:

    policy-map drop-tcp-traffic
      class drop-tcp-class
        police 32000 1500 1500 conform-action drop exceed-action drop
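The inverted meaning of permit and deny under CoPP is the point most often misread in these workarounds, so here is an added example (not code from the advisory or from Cisco) that parses ACL lines written in the advisory's own form and evaluates a packet against them under both iACL and CoPP semantics. The sample ACLs are constructed for the DLSw port only, and the TRUSTED_HOSTS and INFRASTRUCTURE_ADDRESSES placeholders are assumed to be 10.0.0.0/24 and 192.0.2.0/24.

```python
import ipaddress
# Constructed sample ACLs in the advisory's form (DLSw port 2065 only); the
# TRUSTED_HOSTS / INFRASTRUCTURE_ADDRESSES placeholders are assumed 10.0.0.0/24 and 192.0.2.0/24.
IACL = """
access-list 150 permit tcp 10.0.0.0 0.0.0.255 192.0.2.0 0.0.0.255 eq 2065
access-list 150 deny tcp any 192.0.2.0 0.0.0.255 eq 2065
access-list 150 permit ip any any
"""
COPP_ACL = """
access-list 150 deny tcp 10.0.0.0 0.0.0.255 any eq 2065
access-list 150 permit tcp any any eq 2065
"""

def _addr(tokens):  # consume 'any' or 'addr wildcard'; a wildcard bit of 1 means "don't care"
    tok = tokens.pop(0)
    if tok == "any":
        return lambda ip: True
    net, wild = (int(ipaddress.IPv4Address(t)) for t in (tok, tokens.pop(0)))
    return lambda ip: (int(ipaddress.IPv4Address(ip)) | wild) == (net | wild)

def _ports(tokens):  # consume optional 'eq N' / 'range A B'; 'eq range ...' raises, as the IOS parser rejects it
    if not tokens:
        return lambda p: True
    op = tokens.pop(0)
    if op not in ("eq", "range"):
        raise ValueError(f"unsupported port operator {op!r}")
    lo = int(tokens.pop(0))
    hi = int(tokens.pop(0)) if op == "range" else lo
    return lambda p: lo <= p <= hi

def parse_acl(text):
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue                       # skips blank lines and !--- comments
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _addr(rest), _addr(rest)
        entries.append((action, proto, src, dst, _ports(rest)))
    return entries

def first_match(entries, src_ip, dst_ip, dport):
    for action, proto, src, dst, port in entries:
        if src(src_ip) and dst(dst_ip) and (proto == "ip" or port(dport)):
            return action
    return "deny"                          # implicit deny ends every IOS ACL

def iacl_forwards(entries, src_ip, dst_ip, dport):
    return first_match(entries, src_ip, dst_ip, dport) == "permit"   # iACL: permit = packet passes
def copp_reaches_control_plane(entries, src_ip, dst_ip, dport):
    return first_match(entries, src_ip, dst_ip, dport) != "permit"   # CoPP: permit = policed and dropped
```

Feeding the rACL line `deny tcp any any eq range 1990 1992` to `parse_acl` raises, which is the quickest way to catch that malformed entry before it is pasted into a device.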

Vendor patch:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20090325-tcp) and the corresponding fixes for this issue:
cisco-sa-20090325-tcp: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.