Cisco IOS Multiple Features IP Sockets Denial of Service Vulnerability
Published: 2009-03-25
Updated: 2009-03-30
Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
BUGTRAQ ID: 34242
CVE(CAN) ID: CVE-2009-0630
Description:
Cisco IOS is the Internetwork Operating System used by Cisco network devices.
Devices running affected versions of Cisco IOS Software and Cisco IOS XE Software are vulnerable to a denial of service when processing IP sockets if any of the following features is enabled:
* Cisco Unified Communications Manager Express
* SIP Gateway Signaling Support Over TLS Transport
* Secure Signaling and Media Encryption
* Blocks Extensible Exchange Protocol (BEEP)
* Network Admission Control HTTP Authentication Proxy
* Per-user URL Redirect for EAPoUDP, Dot1x and MAB
* Distributed Director with HTTP Redirects
* DNS (TCP mode only)
A remote attacker can send a specially crafted sequence of TCP/IP packets to cause one of the following:
* The configured feature may stop accepting new connections or sessions
* Device memory may be exhausted
* The device may experience prolonged high CPU utilization
* The device may reload
<*Source: Jens Link
Link: http://secunia.com/advisories/34438/
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml
*>
Recommendations:
Temporary workarounds:
* Apply the following infrastructure ACL (iACL):
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: Cisco Unified Communications Manager Express
!---
!--- CAPF server configuration
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 3804
!---
!--- Telephony-Service configuration
!--- The TCP port is as per the ip source-address
!--- <ip-address> port <port-number> telephony
!--- service configuration command. The example below uses 2999
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 2999
!---
!--- Deny Cisco Unified Communications Manager Express traffic
!--- from all other sources destined to infrastructure addresses.
!---
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 3804
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 2999
!---
!--- Feature: SIP Gateway Signaling Support Over TLS Transport
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 5061
!--- Deny SIP Gateway Signaling Support Over TLS Transport
!--- traffic from all other sources destined to infrastructure
!--- addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 5061
!---
!--- Feature: Secure Signaling and Media Encryption
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 2443
!--- Deny Secure Signaling and Media Encryption traffic from all
!--- other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 2443
!---
!--- Feature: Blocks Extensible Exchange Protocol (BEEP)
!--- The TCP port used is defined with the netconf beep initiator
!--- and netconf beep listener configuration
!--- commands. This example uses 3001
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 3001
!--- Deny BEEP traffic from all other sources destined to
!--- infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 3001
!---
!--- Feature: Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 80
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 443
!---
!--- Deny Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass traffic to infrastructure addresses
!---
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 80
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 443
!---
!--- Features: Distributed Director with HTTP Redirects and DNS
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 53
!--- Deny Distributed Director with HTTP Redirects traffic and DNS
!--- from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 53
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and configurations
!--- Permit all other traffic to transit the device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example shown)
interface serial 2/0
 ip access-group 150 in
* Apply the following receive ACL (rACL):
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: Cisco Unified Communications Manager Express
!---
!--- Permit CAPF server traffic from trusted hosts allowed to
!--- the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 3804
!---
!--- Telephony-Service configuration
!--- The TCP port is as per the ip source-address
!--- <address> port <port-number> telephony-service
!--- configuration command. The example below uses 2999
!---
!--- Permit Telephony-Service traffic from trusted hosts allowed
!--- to the RP.
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 2999
!---
!--- Deny Cisco Unified Communications Manager Express
!--- traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 3804
access-list 150 deny tcp any any eq 2999
!---
!--- Permit SIP Gateway Signaling Support Over TLS Transport
!--- traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 5061
!---
!--- Deny SIP Gateway Signaling Support Over TLS Transport
!--- traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 5061
!---
!--- Permit Secure Signaling and Media Encryption traffic
!--- from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 2443
!---
!--- Deny Secure Signaling and Media Encryption traffic from
!--- all other sources to the RP.
!---
access-list 150 deny tcp any any eq 2443
!---
!--- Feature: Blocks Extensible Exchange Protocol (BEEP)
!--- The TCP port used is defined with the netconf beep initiator
!--- and netconf beep listener configuration commands.
!--- This example uses 3001
!---
!--- Permit BEEP traffic from trusted hosts allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 3001
!---
!--- Deny BEEP traffic from all other sources to the RP.
!---
access-list 150 deny tcp any any eq 3001
!---
!--- Feature: Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass
!---
!--- Permit Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass traffic from trusted hosts allowed to
!--- the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 80
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 443
!---
!--- Deny Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass traffic from all other sources to
!--- the RP.
!---
access-list 150 deny tcp any any eq 80
access-list 150 deny tcp any any eq 443
!---
!--- Features: Distributed Director with HTTP Redirects and DNS
!---
!--- Permit Distributed Director and DNS traffic from trusted hosts
!--- allowed to the RP.
!---
access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 53
!---
!--- Deny Distributed Director and DNS traffic from all other
!--- sources to the RP.
!---
access-list 150 deny tcp any any eq 53
!---
!--- Permit all other traffic to the RP
!--- according to security policy and configurations.
!---
access-list 150 permit ip any any
!---
!--- Apply this access list to the 'receive' path.
!---
ip receive access-list 150
* Apply the following Control Plane Policing (CoPP) configuration:
!---
!--- Only sections pertaining to features enabled on the device
!--- need be configured.
!---
!--- Feature: Cisco Unified Communications Manager Express
!---
!--- CAPF Server configuration
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 3804
!---
!--- Telephony-Service configuration
!--- The TCP port is as per the ip source-address
!--- <address> port <port-number> telephony-service
!--- configuration command. The example below uses 2999
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 2999
!---
!--- Permit Cisco Unified Communications Manager Express traffic
!--- sent to all IP addresses configured on all interfaces of
!--- the affected device so that it will be policed and dropped
!--- by the CoPP feature
!---
!--- CAPF server configuration
!---
access-list 150 permit tcp any any eq 3804
!---
!--- Telephony-Service configuration
!---
access-list 150 permit tcp any any eq 2999
!---
!--- Feature: SIP Gateway Signaling Support Over TLS Transport
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 5061
!---
!--- Permit SIP Gateway Signaling Support Over TLS Transport
!--- traffic sent to all IP addresses configured on all interfaces
!--- of the affected device so that it will be policed and
!--- dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 5061
!---
!--- Feature: Secure Signaling and Media Encryption
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 2443
!---
!--- Permit Secure Signaling and Media Encryption traffic sent to
!--- all IP addresses configured on all interfaces of the affected
!--- device so that it will be policed and dropped by the CoPP
!--- feature
!---
access-list 150 permit tcp any any eq 2443
!---
!--- Feature: Blocks Extensible Exchange Protocol (BEEP)
!--- The TCP port used is defined with the netconf beep initiator
!--- and netconf beep listener configuration commands.
!--- This example uses 3001
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 3001
!---
!--- Permit BEEP traffic sent to all IP addresses configured
!--- on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 3001
!---
!--- Feature: Network Admission Control HTTP Authentication Proxy
!--- and
!--- Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 80
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 443
!---
!--- Permit Network Admission Control HTTP Authentication Proxy
!--- and Per-user URL Redirect for EAP over UDP, Dot1x and MAC
!--- Authentication Bypass traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will be policed and dropped by the CoPP feature
!---
access-list 150 permit tcp any any eq 80
access-list 150 permit tcp any any eq 443
!---
!--- Features: Distributed Director with HTTP Redirects and DNS
!---
access-list 150 deny tcp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 53
!---
!--- Permit Distributed Director with HTTP Redirects and DNS
!--- traffic sent to all IP addresses configured on all interfaces
!--- of the affected device so that it will be policed and dropped
!--- by the CoPP feature
!---
access-list 150 permit tcp any any eq 53
!---
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!---
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
!---
class-map match-all drop-tcpip-class
 match access-group 150
!---
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!---
policy-map drop-tcpip-traffic
 class drop-tcpip-class
  drop
!---
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
!---
control-plane
 service-policy input drop-tcpip-traffic
In the CoPP example above, the ACL entries that match the attack packets with a "permit" action cause the policy-map's drop function to discard those packets, while packets matching a "deny" entry are not affected by the policy-map. Note that the policy-map syntax differs in the Cisco IOS 12.2S and 12.0S trains (the class-map drop-tcpip-class defined above is reused unchanged):
policy-map drop-tcpip-traffic
 class drop-tcpip-class
  police 32000 1500 1500 conform-action drop exceed-action drop
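The permit/deny inversion between an iACL/rACL and a CoPP class-map is the easiest place to get these workarounds wrong, so it is worth checking the entries before they reach a device. The following Python script is an added example, not code from the advisory, from Cisco or from the advisory's publisher: it parses the `access-list 150 permit|deny tcp <src> <dst> eq <port>` lines used above and evaluates constructed sample packets under both semantics. The networks substituted for the TRUSTED_SOURCE_ADDRESSES WILDCARD and INFRASTRUCTURE_ADDRESSES WILDCARD placeholders, and the packets, are constructed sample values.

```python
"""Evaluate IOS-style extended ACL entries under iACL/rACL and CoPP semantics.

Added example (not from the advisory or Cisco). iACL/rACL: first matching
"permit" forwards, "deny" or no match drops. CoPP with "match access-group"
and a "drop" action: a "permit" hit selects the packet into the class and the
policy drops it; a "deny" hit or no hit leaves the packet unpoliced.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (network address, wildcard mask) as 32-bit ints


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int]  # None when the entry carries no "eq <port>"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse numbered extended ACL lines; '!' comment lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            raise ValueError("unsupported line: " + line)
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[2], tok[3], src, dst, dport))
    return aces


def _addr_match(addr: str, spec: AddrSpec) -> bool:
    net, wild = spec
    keep = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return int(ipaddress.IPv4Address(addr)) & keep == net & keep


def first_match(aces: List[Ace], pkt: Packet) -> Optional[Ace]:
    """Top-down, first hit wins; no hit means the implicit deny at the end."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(pkt.src, ace.src) and _addr_match(pkt.dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace
    return None


def iacl_verdict(aces: List[Ace], pkt: Packet) -> str:
    ace = first_match(aces, pkt)
    return "forward" if ace is not None and ace.action == "permit" else "drop"


def copp_verdict(aces: List[Ace], pkt: Packet) -> str:
    ace = first_match(aces, pkt)
    return "dropped-by-copp" if ace is not None and ace.action == "permit" else "not-policed"


# Constructed sample networks standing in for the advisory's placeholders.
TRUSTED = "192.0.2.0 0.0.0.255"
INFRA = "10.255.0.0 0.0.255.255"

# SIP-over-TLS section written the iACL way: permit trusted, deny the rest.
IACL = f"""
access-list 150 permit tcp {TRUSTED} {INFRA} eq 5061
access-list 150 deny tcp any {INFRA} eq 5061
access-list 150 permit ip any any
"""

# Same feature the CoPP way: trusted sources excluded with "deny", everything
# else to 5061 selected with "permit" and then dropped by the policy-map.
COPP_ACL = f"""
access-list 150 deny tcp {TRUSTED} any eq 5061
access-list 150 permit tcp any any eq 5061
"""

SAMPLES = {  # constructed packets
    "trusted-to-infra": Packet("tcp", "192.0.2.10", "10.255.1.1", 5061),
    "untrusted-to-infra": Packet("tcp", "203.0.113.7", "10.255.1.1", 5061),
    "transit-https": Packet("tcp", "203.0.113.7", "198.51.100.9", 443),
}


def demo() -> Dict[str, Dict[str, str]]:
    """Verdict for each sample packet under both workaround styles."""
    iacl, copp = parse_acl(IACL), parse_acl(COPP_ACL)
    return {n: {"iacl": iacl_verdict(iacl, p), "copp": copp_verdict(copp, p)}
            for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, v in demo().items():
        print(f"{name:20s} iACL={v['iacl']:8s} CoPP={v['copp']}")
```

Run stand-alone, the script shows the trusted source being forwarded by the iACL and left unpoliced by CoPP, the untrusted source to port 5061 being dropped by both, and unrelated transit traffic passing both, which is exactly the outcome the advisory's two configurations are meant to produce; swapping the actions in the CoPP list would silently drop the trusted hosts instead.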
Vendor patch:
Cisco
-----
Cisco has released a security advisory (cisco-sa-20090325-ip) and corresponding patches for this issue:
cisco-sa-20090325-ip: Cisco IOS Software Multiple Features IP Sockets Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml