Cisco IOS NTPv4 Reply Packet Denial of Service Vulnerability
Release date: 2009-09-23
Updated: 2009-09-27
Affected systems:
Cisco IOS 12.4
Description:
BUGTRAQ ID: 36502
CVE ID: CVE-2009-2869
Cisco IOS is the Internetwork Operating System used on Cisco network devices.
A Cisco IOS device running software that supports NTPv4 crashes when it receives a specific NTP packet while building an NTP reply packet. The NTP packet can be sent from any remote device and requires no authentication. Cisco IOS devices that support NTPv4 and are configured with NTP peer authentication remain vulnerable.
<*Source: Cisco Security Advisory
Links: http://secunia.com/advisories/36835/
http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
*>
Recommendations:
Workarounds:
* Configure an NTP access group
!--- Configure trusted peers for allowed access
access-list 1 permit 171.70.173.55
!--- Apply ACE to the NTP configuration
ntp access-group 1
* Deploy infrastructure ACLs (iACLs)
!---
!--- Feature: Network Time Protocol (NTP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Note: If the router is acting as a NTP broadcast client
!--- via the interface command "ntp broadcast client"
!--- then broadcast and directed broadcasts must be
!--- filtered as well. The following example covers
!--- an infrastructure address space of 192.168.0.X
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 192.168.0.255 eq ntp
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 255.255.255.255 eq ntp
!--- Note: If the router is acting as a NTP multicast client
!--- via the interface command "ntp multicast client"
!--- then multicast IP packets to the multicast group must
!--- be filtered as well. The following example covers
!--- a NTP multicast group of 239.0.0.1 (Default is
!--- 224.0.1.1)
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 239.0.0.1 eq ntp
!--- Deny NTP traffic from all other sources destined
!--- to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 123
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
access-list 150 permit ip any any
!--- Apply access-list to all interfaces (only one example
!--- shown)
interface fastEthernet 2/0
ip access-group 150 in
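The two workarounds above (the NTP access group and the iACL) both reduce exposure to the same thing: unauthenticated NTP datagrams from arbitrary sources reaching a device that will build a reply. The following is an added example, not code from Cisco or from the original advisory, that models the iACL top-down and decodes the NTP version field of each sample datagram so a defender can see which NTPv4 traffic the filter would stop. The trusted source 171.70.173.55 is taken from the advisory's access-list 1; the infrastructure range 192.168.0.0/24, the untrusted source addresses and the packets themselves are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Trusted peer from the advisory's "access-list 1 permit 171.70.173.55".
# The infrastructure range is a constructed placeholder that matches the
# 192.168.0.X example used in the iACL comments above.
TRUSTED_SOURCES = [ipaddress.ip_network("171.70.173.55/32")]
INFRASTRUCTURE = ipaddress.ip_network("192.168.0.0/24")
NTP_PORT = 123

# Destinations the iACL permits only for trusted sources: the directed
# broadcast, the limited broadcast and the multicast group from the example.
SPECIAL_DESTS = {
    ipaddress.ip_address("192.168.0.255"),
    ipaddress.ip_address("255.255.255.255"),
    ipaddress.ip_address("239.0.0.1"),
}


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class NtpHeader:
    leap: int
    version: int
    mode: int


def parse_ntp_header(payload: bytes) -> NtpHeader:
    """Decode the first NTP header byte: LI (2 bits), VN (3 bits), Mode (3 bits)."""
    if len(payload) < 48:
        raise ValueError("NTP packet shorter than the 48-byte base header")
    first = payload[0]
    return NtpHeader(leap=first >> 6, version=(first >> 3) & 0x7, mode=first & 0x7)


def is_trusted(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def iacl_verdict(dg: Datagram) -> Tuple[str, str]:
    """Walk the modelled access-list 150 top-down; return (action, matching rule)."""
    dst = ipaddress.ip_address(dg.dst)
    is_ntp = dg.proto == "udp" and dg.dport == NTP_PORT
    if is_ntp and is_trusted(dg.src) and dst in INFRASTRUCTURE:
        return "permit", "trusted -> infrastructure eq 123"
    if is_ntp and is_trusted(dg.src) and dst in SPECIAL_DESTS:
        return "permit", f"trusted -> {dst} eq ntp"
    if is_ntp and dst in INFRASTRUCTURE:
        return "deny", "any -> infrastructure eq 123"
    return "permit", "ip any any"


def audit(datagrams: List[Datagram]) -> List[dict]:
    """Apply the ACL model to each datagram and record the NTP version it carried."""
    results = []
    for dg in datagrams:
        action, rule = iacl_verdict(dg)
        version = None
        if dg.proto == "udp" and dg.dport == NTP_PORT:
            version = parse_ntp_header(dg.payload).version
        results.append({"src": dg.src, "dst": dg.dst, "ntp_version": version,
                        "action": action, "rule": rule})
    return results


def ntp_packet(version: int = 4, mode: int = 3) -> bytes:
    # Constructed 48-byte NTP packet; only the first byte matters for this check.
    return bytes([(version << 3) | mode]) + b"\x00" * 47


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE = [
    Datagram("171.70.173.55", "192.168.0.10", "udp", 123, ntp_packet()),      # trusted peer
    Datagram("203.0.113.7", "192.168.0.10", "udp", 123, ntp_packet()),        # untrusted NTPv4
    Datagram("203.0.113.7", "192.168.0.10", "udp", 123, ntp_packet(3)),       # untrusted NTPv3
    Datagram("203.0.113.7", "192.168.0.255", "udp", 123, ntp_packet()),       # directed broadcast
    Datagram("203.0.113.7", "198.51.100.20", "udp", 123, ntp_packet()),       # transit, not infra
    Datagram("203.0.113.7", "192.168.0.10", "tcp", 22, b""),                  # not NTP at all
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r)
```

The model deliberately mirrors the ACL's limitation: it matches on addresses, protocol and port only, so an NTPv3 probe from an untrusted source is dropped just like an NTPv4 one, and NTP sent to a non-infrastructure address transits untouched. Reading the version field is what lets an operator confirm, from a capture, how much NTPv4 traffic from untrusted sources the device was actually seeing before the filter went in.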
* Deploy Control Plane Policing (CoPP)
!--- Feature: Network Time Protocol (NTP)
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 123
!--- Deny NTP traffic from all other sources destined
!--- to the device control plane.
access-list 150 permit udp any any eq 123
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-udp-class
match access-group 150
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-udp-traffic
class drop-udp-class
drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
service-policy input drop-udp-traffic
Vendor patches:
Cisco
-----
Cisco has released a security advisory (cisco-sa-20090923-ntp) and corresponding patches for this issue:
cisco-sa-20090923-ntp: Cisco IOS Software Network Time Protocol Packet Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20090923-ntp.shtml
