Cisco IOS Multiple Features Crafted UDP Packet Denial of Service Vulnerability

Published: 2009-03-25
Updated: 2009-03-30

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3  
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
Description:
BUGTRAQ  ID: 34245
CVE(CAN) ID: CVE-2009-0631

Cisco IOS is the Internetwork Operating System used by Cisco network devices.

Devices running affected versions of Cisco IOS and Cisco IOS XE software are exposed to a denial of service vulnerability if any of the following features are enabled:

  * IP Service Level Agreements (SLA) Responder
  * Session Initiation Protocol (SIP)
  * H.323 Annex E call signaling transport
  * Media Gateway Control Protocol (MGCP)

A remote attacker can send crafted UDP packets that cause the inbound interface to become blocked: the interface silently discards all traffic it receives, and the device must be reloaded to restore normal operation. Only crafted UDP packets addressed to the device itself block the interface; transit traffic passing through the device does not.

<*Source: Cisco Security Advisory
  
  Links: http://secunia.com/advisories/34438/
         http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml
*>

Recommendation:
Workarounds:

* Disable the affected listening port

    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#sip-ua
    Router(config-sip-ua)#no transport udp
    Router(config-sip-ua)#end

For SIP, the following commands bind the process to a private address. This makes SIP listen only on the internal interface, which helps limit exposure to this vulnerability:

    voice service voip
     sip
      bind control source-interface <int>
      bind media source-interface <int>

* Apply the following infrastructure ACL (iACL)
  
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---
    !---
    !--- Feature: IP SLAs UDP Responder
    !---

    access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 1967

    !--- Deny IP SLAs UDP Responder traffic from all other sources
    !--- destined to infrastructure addresses.

    access-list 150 deny udp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1967

    !---
    !--- Feature: Session Initiation Protocol (SIP)
    !---

    access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 5060

    !--- Deny SIP traffic from all other sources destined
    !--- to infrastructure addresses.

    access-list 150 deny udp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 5060

    !---
    !--- Feature: H.323 Call Signaling
    !---

    access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2517

    !--- Deny H.323 Call Signaling traffic from all other sources
    !--- destined to infrastructure addresses.

    access-list 150 deny udp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2517

    !---
    !--- Feature: Media Gateway Control Protocol (MGCP)
    !---

    access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 2427

    !--- Deny MGCP traffic from all other sources destined
    !--- to infrastructure addresses.

    access-list 150 deny udp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2427

    !--- Permit/deny all other Layer 3 and Layer 4 traffic in
    !--- accordance with existing security policies and
    !--- configurations.  Permit all other traffic to transit the
    !--- device.

    access-list 150 permit ip any any

    !--- Apply access-list to all interfaces (only one example
    !--- shown)

    interface serial 2/0
     ip access-group 150 in
    
* Apply the following Control Plane Policing (CoPP) configuration

    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---

    !---
    !--- Feature: IP SLAs UDP Responder
    !---

    access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1967

    !---
    !--- Deny IP SLAs UDP Responder traffic from all other sources
    !--- destined to the device control plane.
    !---

    access-list 150 permit udp any any eq 1967

    !---
    !--- Feature: Session Initiation Protocol (SIP)
    !---

    access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
        any eq 5060

    !---
    !--- Deny SIP traffic from all other sources destined
    !--- to the device control plane.
    !---

    access-list 150 permit udp any any eq 5060

    !---
    !--- Feature: H.323 Call Signaling
    !---

    access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
        any eq 2517

    !---
    !--- Deny H.323 call signaling traffic from all other sources
    !--- destined to the device control plane.
    !---

    access-list 150 permit udp any any eq 2517

    !---
    !--- Feature: Media Gateway Control Protocol (MGCP)
    !---

    access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 2427

    !---
    !--- Deny MGCP traffic from all other sources destined
    !--- to the device control plane.
    !---

    access-list 150 permit udp any any eq 2427

    !---
    !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
    !--- Layer4 traffic in accordance with existing security policies
    !--- and configurations for traffic that is authorized to be sent
    !--- to infrastructure devices
    !--- Create a Class-Map for traffic to be policed by
    !--- the CoPP feature
    !---

    class-map match-all drop-udp-class
     match access-group 150

    !---
    !--- Create a Policy-Map that will be applied to the
    !--- Control-Plane of the device.
    !---

    policy-map drop-udp-traffic
     class drop-udp-class
      drop

    !---
    !--- Apply the Policy-Map to the
    !--- Control-Plane of the device
    !---

    control-plane
     service-policy input drop-udp-traffic

In the CoPP example above, ACL entries with a permit action that match attack packets cause the policy-map's drop function to discard those packets, while packets that match deny entries are not affected by the policy. Note that the policy-map syntax differs in the Cisco IOS 12.2S and 12.0S trains:

    policy-map drop-udp-traffic
    class drop-udp-class
    police 32000 1500 1500 conform-action drop exceed-action drop
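To make the inverted permit/deny semantics of the CoPP ACL concrete next to the iACL, here is an added Python simulation (not part of the advisory or of Cisco's configuration) that evaluates both ACL 150 variants above against sample UDP packets using Cisco wildcard-mask matching and first-match semantics. The trusted subnet 192.0.2.0/24 and the infrastructure address 198.51.100.1 are constructed placeholders standing in for TRUSTED_SOURCE_ADDRESSES and INFRASTRUCTURE_ADDRESSES.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder values (not from the advisory): trusted management
# subnet and the router's own (infrastructure) address, in Cisco wildcard form.
TRUSTED = ("192.0.2.0", "0.0.0.255")          # TRUSTED_SOURCE_ADDRESSES WILDCARD
INFRA = ("198.51.100.1", "0.0.0.0")           # INFRASTRUCTURE_ADDRESSES WILDCARD
ANY = ("0.0.0.0", "255.255.255.255")          # 'any'
# UDP ports of the four affected features, as listed in the advisory's ACLs.
VULN_PORTS = (1967, 5060, 2517, 2427)         # IP SLA, SIP, H.323, MGCP

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    src: tuple             # (address, wildcard mask)
    dst: tuple
    dport: Optional[int]   # None means any destination port

def wildcard_match(addr: str, rule: tuple) -> bool:
    """Cisco wildcard semantics: a set bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    base, wc = (int(ipaddress.IPv4Address(x)) for x in rule)
    return (a | wc) == (base | wc)

def acl_action(acl, src, dst, dport) -> str:
    """First-match evaluation of a UDP packet; an IOS ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst) \
                and ace.dport in (None, dport):
            return ace.action
    return "deny"

# iACL as in the advisory: permit trusted sources to each feature port, deny all
# other sources to that port, then 'permit ip any any' for everything else.
IACL = [Ace(a, s, INFRA, p) for p in VULN_PORTS
        for a, s in (("permit", TRUSTED), ("deny", ANY))] + [Ace("permit", ANY, ANY, None)]
# CoPP ACL as in the advisory: permit/deny are inverted because the class action is 'drop'.
COPP = [Ace(a, s, ANY, p) for p in VULN_PORTS
        for a, s in (("deny", TRUSTED), ("permit", ANY))]

def iacl_forwards(src, dst, dport) -> bool:
    """Interface ACL: the packet enters the device only if an ACE permits it."""
    return acl_action(IACL, src, dst, dport) == "permit"

def copp_drops(src, dst, dport) -> bool:
    """CoPP: drop-udp-class matches what ACL 150 permits, and the policy-map drops it."""
    return acl_action(COPP, src, dst, dport) == "permit"
```

Both variants reach the same outcome for the feature ports (trusted sources pass, everyone else is dropped), but note that a port not listed in ACL 150 is untouched by CoPP through the implicit deny, whereas the iACL needs its explicit final `permit ip any any` to let transit traffic through.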

Vendor patch:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20090325-udp) and corresponding patches for this issue:
cisco-sa-20090325-udp: Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.