Security Research

Security Vulnerabilities
Cisco IOS SIP Message Denial of Service Vulnerability

Published: 2009-09-23
Updated: 2009-09-27

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Description:
BUGTRAQ ID: 36499
CVE ID: CVE-2009-2870

Cisco IOS is the Internetwork Operating System that runs on Cisco network devices.

If the Cisco IOS image running on a device includes the Cisco Unified Border Element feature, the SIP implementation in Cisco IOS software contains a denial-of-service vulnerability. Processing a series of specially crafted SIP messages causes the device to reload.

<*Source: Cisco Security Advisory
  
  Links: http://secunia.com/advisories/36835/
         http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml
*>

Recommendations:
Workarounds:

* Disable the SIP listening ports

    sip-ua
     no transport udp
     no transport tcp
     no transport tcp tls

* Deploy the following Control Plane Policing (CoPP) configuration
      
    !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
    !-- Everything else is not trusted. The following access list is used
    !-- to determine what traffic needs to be dropped by a control plane
    !-- policy (the CoPP feature.) If the access list matches (permit)
    !-- then traffic will be dropped and if the access list does not
    !-- match (deny) then traffic will be processed by the router.
    
    
    access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
    access-list 100 deny udp host 172.16.1.1 any eq 5060
    access-list 100 deny tcp host 172.16.1.1 any eq 5060
    access-list 100 deny tcp host 172.16.1.1 any eq 5061
    access-list 100 permit udp any any eq 5060
    access-list 100 permit tcp any any eq 5060
    access-list 100 permit tcp any any eq 5061
    
    
    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
    !-- traffic in accordance with existing security policies and
    !-- configurations for traffic that is authorized to be sent
    !-- to infrastructure devices.
    !-- Create a Class-Map for traffic to be policed by
    !-- the CoPP feature.
    
    
    class-map match-all drop-sip-class
      match access-group 100
    
    
    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device.
    
    
    policy-map drop-sip-traffic
     class drop-sip-class
      drop
    
    
    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device.
    
    
    control-plane
     service-policy input drop-sip-traffic
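The CoPP configuration above relies on inverted ACL semantics: an ACL "permit" places a packet into drop-sip-class, which is dropped, while a "deny" (explicit or the implicit deny at the end of the list) leaves it to be processed. The following Python simulation is an added example, not part of the advisory or Cisco's code; it reproduces access-list 100 with IOS wildcard-mask matching so the verdict for trusted versus untrusted SIP sources can be checked before the policy is applied to a device.

```python
import ipaddress

# Constructed copy of the advisory's access-list 100 as
# (action, protocol, source, wildcard, destination port).
# "host x" in IOS is shorthand for wildcard 0.0.0.0; "any" is 0.0.0.0 255.255.255.255.
ACL_100 = [
    ("deny",   "udp", "192.168.1.0", "0.0.0.255",       5060),
    ("deny",   "tcp", "192.168.1.0", "0.0.0.255",       5060),
    ("deny",   "tcp", "192.168.1.0", "0.0.0.255",       5061),
    ("deny",   "udp", "172.16.1.1",  "0.0.0.0",         5060),
    ("deny",   "tcp", "172.16.1.1",  "0.0.0.0",         5060),
    ("deny",   "tcp", "172.16.1.1",  "0.0.0.0",         5061),
    ("permit", "udp", "0.0.0.0",     "255.255.255.255", 5060),
    ("permit", "tcp", "0.0.0.0",     "255.255.255.255", 5060),
    ("permit", "tcp", "0.0.0.0",     "255.255.255.255", 5061),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match exactly,
    a 1 bit is don't-care (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(proto: str, src: str, dport: int, acl=ACL_100) -> str:
    """First-match evaluation, ending with the implicit 'deny' every IOS ACL has."""
    for action, p, net, wc, port in acl:
        if p == proto and port == dport and wildcard_match(src, net, wc):
            return action
    return "deny"


def copp_verdict(proto: str, src: str, dport: int) -> str:
    """Under policy-map drop-sip-traffic, an ACL permit selects class
    drop-sip-class (action: drop); anything denied by the ACL is not in the
    class and is processed by the router as usual."""
    return "drop" if acl_action(proto, src, dport) == "permit" else "process"


if __name__ == "__main__":
    for pkt in [("udp", "192.168.1.77", 5060), ("tcp", "172.16.1.1", 5061),
                ("udp", "10.0.0.5", 5060), ("tcp", "172.16.1.2", 5061),
                ("tcp", "10.0.0.5", 443)]:
        print(pkt, "->", copp_verdict(*pkt))
```

Note that a host such as 172.16.1.2 is outside both trusted entries and is therefore dropped, and that non-SIP control-plane traffic (port 443 in the sample) is untouched by this policy.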

Vendor patches:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20090923-sip) and corresponding patches for this issue:
cisco-sa-20090923-sip: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml

This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.