Cisco IOS MPLS Implementation Malformed Packet Remote Denial of Service Vulnerability
Release date: 2010-03-24
Update date: 2010-03-26
Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.1
Cisco IOS 12.0
Cisco IOS XR 3.4.x
Cisco IOS XR 3.3.x
Cisco IOS XR 2.2.x
Cisco IOS XE 2.3.x
Cisco IOS XE 2.2.x
Cisco IOS XE 2.1.x
Unaffected systems:
Cisco IOS XE 2.3.2
Description:
BUGTRAQ ID: 38938
CVE ID: CVE-2010-0576
Cisco IOS is the Internetwork Operating System used on Cisco network devices.
Devices running Cisco IOS Software, Cisco IOS XE Software or Cisco IOS XR Software contain a remote denial of service vulnerability when Multiprotocol Label Switching (MPLS) is configured and the Label Distribution Protocol (LDP) is supported. A specially crafted LDP UDP packet may cause an affected device running Cisco IOS Software or Cisco IOS XE Software to reload. On devices running an affected version of Cisco IOS XR Software, the packet may cause the device to restart the mpls_ldp process.
A system is vulnerable if LDP or TDP is configured.
<*Source: Cisco
Links: http://secunia.com/advisories/39065/
http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml
*>
Recommendations:
Workarounds:
* If LDP is not needed on the device, MPLS forwarding can be disabled with the global configuration command no mpls ip.
* Include the following iACL example in the deployed infrastructure access lists to help protect all devices within the infrastructure IP address range:
!---
!--- Feature: Label Distribution Protocol (LDP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 646
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD host 224.0.0.2 eq 646
!---
!--- Deny LDP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES WILDCARD eq 646
!---
!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!---
access-list 150 permit ip any any
!---
!--- Apply access-list to all interfaces (only one example
!--- shown)
!---
interface fastEthernet 2/0
 ip access-group 150 in
* Apply the following Control Plane Policing (CoPP) example in the network:
!---
!--- Feature: Label Distribution Protocol (LDP)
!---
!--- In a CoPP access list the sense is inverted: "deny" exempts the
!--- trusted sources from the class, "permit" selects traffic for the
!--- drop action applied below.
!---
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 646
!---
!--- Deny LDP traffic from all other sources destined
!--- to the device control plane.
!---
access-list 150 permit udp any any eq 646
!---
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!---
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
!---
class-map match-all drop-ldp-class
 match access-group 150
!---
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
!---
policy-map control-plane-policy
 class drop-ldp-class
  drop
!---
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
!---
control-plane
 service-policy input control-plane-policy
Note that the policy-map syntax differs in the 12.2S and 12.0S trains of Cisco IOS Software (the class name must match the class-map defined above):
policy-map control-plane-policy
 class drop-ldp-class
  police 32000 1500 1500 conform-action drop exceed-action drop
* Apply the following receive ACL (rACL):
!---
!--- Feature: Label Distribution Protocol (LDP)
!---
!--- Permit LDP traffic from all trusted sources allowed
!--- to infrastructure addresses.
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD any eq 646
!---
!--- Deny LDP traffic from all other sources destined
!--- to infrastructure addresses.
!---
access-list 150 deny udp any any eq 646
!---
!--- Permit all other traffic to the RP
!--- according to security policy and configurations.
!---
access-list 150 permit ip any any
!---
!--- Apply this access list to the 'receive' path.
!---
ip receive access-list 150
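Whether these workarounds actually close the exposure depends on two things the advisory states: LDP (or TDP) must be enabled for the device to be vulnerable at all, and the UDP/646 filter must reach every interface or the receive path. The following Python audit is an added example, not part of the advisory or of Cisco's guidance; it parses a constructed running-config fragment and reports interfaces that can still deliver UDP/646 to the LDP process. It models only the iACL and rACL workarounds, not the CoPP class-map/policy-map chain, and the regexes are heuristics over common IOS syntax.

```python
import re

# Constructed sample running-config (not from the advisory): LDP is enabled and
# ACL 150 filters UDP/646, but it is applied inbound on only one of two interfaces.
SAMPLE_CONFIG = """\
mpls label protocol ldp
access-list 150 permit udp 10.0.0.0 0.0.0.255 any eq 646
access-list 150 deny udp any any eq 646
access-list 150 permit ip any any
interface GigabitEthernet0/0
 mpls ip
 ip access-group 150 in
interface GigabitEthernet0/1
 mpls ip
"""

# Heuristic patterns (assumed, not from the advisory): global LDP/TDP enablement
# and numbered access-list entries that reference the LDP port.
LDP_GLOBAL = re.compile(r"^mpls (ip$|label protocol (ldp|tdp|both)\b)")
ACL_646 = re.compile(r"^access-list (\d+) (?:permit|deny) udp .*\beq 646\b")

def audit_config(config):
    """Exposure check for CVE-2010-0576 covering the iACL and rACL workarounds."""
    filtering_acls, interfaces = set(), {}   # ACLs with a UDP/646 entry; per-interface state
    ldp_global, racl, cur_if = False, None, None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):         # top-level command ends any interface block
            cur_if = None
            m = ACL_646.match(s)
            if m:
                filtering_acls.add(m.group(1))
            elif LDP_GLOBAL.match(s):
                ldp_global = True
            elif s.startswith("interface "):
                cur_if = s.split(None, 1)[1]
                interfaces[cur_if] = {"mpls": False, "acl_in": None}
            elif s.startswith("ip receive access-list "):
                racl = s.split()[-1]
        elif cur_if and s == "mpls ip":
            interfaces[cur_if]["mpls"] = True
        elif cur_if and s.startswith("ip access-group ") and s.endswith(" in"):
            interfaces[cur_if]["acl_in"] = s.split()[2]
    ldp_enabled = ldp_global or any(i["mpls"] for i in interfaces.values())
    # The advisory applies the iACL to every interface, so without a device-wide
    # rACL any interface lacking a UDP/646-filtering inbound ACL is a path to LDP.
    device_wide = racl in filtering_acls
    unprotected = [] if device_wide else [
        n for n, i in interfaces.items() if i["acl_in"] not in filtering_acls]
    return {"ldp_enabled": ldp_enabled, "device_wide_filter": device_wide,
            "unprotected_interfaces": unprotected,
            "exposed": ldp_enabled and bool(unprotected)}
```

Appending the rACL line from the workaround above to the sample config makes the filter device-wide, and the audit then reports no unprotected interfaces.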
Vendor patches:
Cisco
-----
Cisco has released a security advisory (cisco-sa-20100324-ldp) and corresponding patches for this issue:
cisco-sa-20100324-ldp: Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20100324-ldp.shtml