Cisco IOS SSL VPN Memory Leak Denial of Service Vulnerability
Published: 2010-09-23
Updated: 2010-09-26
Affected systems:
Cisco IOS 15.1
Cisco IOS 15.0
Cisco IOS 12.4
Cisco IOS 12.3
CVE ID: CVE-2010-2836
Description:
Cisco IOS is the Internetwork Operating System used on Cisco network devices.
A Cisco IOS device configured with the SSL VPN feature and HTTP port redirection may leak a TCP control block (TCB) when handling an abnormally terminated SSL session. A sustained attack can exhaust the device's memory, causing a device reload, an inability to service new TCP connections, and other denial-of-service conditions. No authentication is required to exploit this vulnerability.
A complete TCP three-way handshake must be finished before the vulnerability can be exploited.
<*Source: Cisco
Links: http://secunia.com/advisories/41552/
http://www.cisco.com/warp/public/707/cisco-sa-20100922-sslvpn.shtml
*>
Recommendation:
Workarounds:
* In webvpn gateway configuration mode, run the no http-redirect port command to disable HTTP redirection for SSL VPN connections.
In addition, hung TCBs can be cleared manually with the clear tcp tcb * command, which moves them to the CLOSED state; after a short time the CLOSED entries are removed and their memory is released.
* A Tcl script is available from the Cisco Beyond: Embedded Event Manager (EEM) Scripting Community at the following link:
http://forums.cisco.com/eforum/servlet/EEM?page=eem&fn=script&scriptId=2041
The following is an example device configuration.
!
!-- Location where the Tcl script will be stored
!
event manager directory user policy disk0:/eem
!
!-- Define variable and set the monitoring interval
!-- as an integer (expressed in seconds)
!
event manager environment EEM_MONITOR_INTERVAL 60
!
!-- Define variable and set the threshold value as
!-- an integer for the number of retransmissions
!-- that determine if the TCP connection is hung
!-- (a recommended value to use is 15)
!
event manager environment EEM_MONITOR_THRESHOLD 15
!
!-- Define variable and set the value to "yes" to
!-- enable the clearing of hung TCP connections
!
event manager environment EEM_MONITOR_CLEAR yes
!
!-- Define variable and set to the TCP connection
!-- state or states that script will monitor, which
!-- can be a single state or a space-separated list
!-- of states
!
event manager environment EEM_MONITOR_STATES CLOSEWAIT
!
!-- Register the script as a Cisco EEM policy
!
event manager policy monitor-sockets.tcl
!
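To show exactly what the first workaround changes, here is an added example (not from the advisory and not Cisco's own text) of a webvpn gateway with HTTP port redirection enabled, followed by the same gateway with the redirect removed and the hung-TCB clearing command; the gateway name, IP address and trustpoint name are assumed values.

```text
! Constructed example: SSL VPN gateway with HTTP port redirection enabled.
! Plain-HTTP requests on port 80 are redirected to HTTPS on port 443.
! This is the configuration the advisory describes as affected.
webvpn gateway VPN-GW
 ip address 192.0.2.1 port 443
 http-redirect port 80
 ssl trustpoint VPN-TP
 inservice
!
! Workaround from the advisory: disable the redirect in webvpn gateway
! configuration mode. Users must then open https:// URLs directly.
webvpn gateway VPN-GW
 no http-redirect port
!
! Also from the advisory: manually clear hung TCBs so they move to the
! CLOSED state and their memory is released shortly afterwards.
clear tcp tcb *
!
! Check (assumed, not from the advisory): list remaining TCBs and
! their states to confirm that hung connections are gone.
show tcp brief
```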
Vendor patches:
Cisco
-----
Cisco has released a security advisory (cisco-sa-20100922-sslvpn) and corresponding patches for this issue:
cisco-sa-20100922-sslvpn: Cisco IOS SSL VPN Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20100922-sslvpn.shtml