发布日期：2009-03-25
更新日期：2009-03-27

受影响系统：

Cisco IOS 12.4
Cisco IOS 12.3

描述：

---

BUGTRAQ  ID: 34241
CVE(CAN) ID: CVE-2009-0633,CVE-2009-0634

Cisco IOS是思科网络设备所使用的互联网操作系统。

移动IP是IPv4和IPv6标准的一部分，允许通过单个IP地址识别主机设备。无论在不同网络之间如何移动，仍无需用户交互便可无缝的实现在不同点的连接。

运行受影响Cisco IOS软件版本且配置了移动IPv6或移动IP NAT遍历功能的设备受拒绝服务漏洞影响，成功利用这个漏洞可导致接口停止处理通讯，直到重启系统。攻击报文必须明确发送给路由器而不是中间报文的情况下才可以成功利用这个漏洞。

<*来源：Cisco安全公告
  
  链接：http://secunia.com/advisories/34438/
        http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml
*>

建议：

---

临时解决方法：

* 应用以下基础架构ACL（iACL）
  
   IPv4示例：

    !--- Anti-spoofing entries are shown here.

    !--- Deny special-use address sources.
    !--- Refer to RFC 3330 for additional special use addresses.

    access-list 110 deny ip host 0.0.0.0 any
    access-list 110 deny ip 127.0.0.0 0.255.255.255 any
    access-list 110 deny ip 192.0.2.0 0.0.0.255 any
    access-list 110 deny ip 224.0.0.0 31.255.255.255 any

    !--- Filter RFC 1918 space.

    access-list 110 deny ip 10.0.0.0 0.255.255.255 any
    access-list 110 deny ip 172.16.0.0 0.15.255.255 any
    access-list 110 deny ip 192.168.0.0 0.0.255.255 any

    !--- Deny your space as source from entering your AS.
    !--- Deploy only at the AS edge.

    access-list 110 deny ip YOUR_CIDR_BLOCK any

    !--- Permit BGP.

    access-list 110 permit tcp host bgp_peer host router_ip eq bgp
    access-list 110 permit tcp host bgp_peer eq bgp host router_ip

    !--- Deny access to internal infrastructure addresses.

    access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES

    !--- Permit transit traffic.

    access-list 110 permit ip any any

   IPv6示例：

    !--- Configure the access-list.

    ipv6 access-list iacl

    !--- Deny your space as source from entering your AS.
    !--- Deploy only at the AS edge.

    deny ipv6 YOUR_CIDR_BLOCK_IPV6 any

    !--- Permit multiprotocol BGP.

    permit tcp host bgp_peer_ipv6 host router_ipv6 eq bgp
    permit tcp host bgp_peer_ipv6 eq bgp host router_ipv6

    !--- Deny access to internal infrastructure addresses.

    deny ipv6 any INTERNAL_INFRASTRUCTURE_ADDRESSES_IPV6

    !--- Permit transit traffic.

    permit ipv6 any any

厂商补丁：

Cisco
-----
Cisco已经为此发布了一个安全公告（cisco-sa-20090325-mobileip）以及相应补丁:
cisco-sa-20090325-mobileip：Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
链接：http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

浏览次数：2780
严重程度：0（网友投票）