Cisco IOS IGMPv3 Packet Processing Denial of Service Vulnerability

Release date: 2010-09-23
Last updated: 2010-09-26

Affected systems:
Cisco IOS 15.0
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS XE 2.5.x
Description:
CVE ID: CVE-2010-2830

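Cisco IOS is the internetwork operating system used on Cisco network devices.

A malformed IGMP packet can cause a vulnerable device to reload. The vulnerability can only be exploited when the malformed IGMP packet is received on an interface that has both IGMP version 3 and PIM enabled. The destination address of the malformed IGMP packet can be unicast, multicast, or broadcast, and the packet can be sent to any IP address on the vulnerable device, including a loopback address.

To exploit this vulnerability, the malformed packet must be received by the vulnerable device, but it can be addressed to any address on the device.

Transit traffic cannot trigger this vulnerability.

<*Source: Cisco

  Links: http://secunia.com/advisories/41551/
         http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml
*>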

Recommendations:
Temporary workarounds:

* Customers who do not need SSM functionality can use IGMP v2 as a temporary workaround.

    interface GigabitEthernet0/0
     ip address 192.168.0.1 255.255.255.0
     ip pim sparse-mode
     ip igmp version 2

* Apply the following Control Plane Policing (CoPP) policy

    !
    !-- The following access list is used
    !-- to determine what traffic needs to be dropped by a control plane
    !-- policy (the CoPP feature.) If the access list matches (permit),
    !-- then traffic will be dropped. If the access list does not
    !-- match (deny), then traffic will be processed by the router.
    !-- All IGMP packets with a TTL other than 1 will be selected
    !-- by this ACL, and the "drop" action will be applied in the
    !-- corresponding CoPP policy.
    !

    ip access-list extended IGMP-ACL
      permit igmp any any ttl neq 1

    !
    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
    !-- traffic in accordance with existing security policies and
    !-- configurations for traffic that is authorized to be sent
    !-- to infrastructure devices.
    !-- Create a class map for traffic that will be policed by
    !-- the CoPP feature.
    !

    class-map match-all drop-IGMP-class
      match access-group name IGMP-ACL

    !
    !-- Create a policy map that will be applied to the
    !-- Control Plane of the device, and add the "drop-IGMP-class"
    !-- class map.
    !

    policy-map CoPP-policy
     class drop-IGMP-class
      drop

    !
    !-- Apply the policy map to the control plane of the
    !-- device.
    !

    control-plane
     service-policy input CoPP-policy
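
The following added example, which is not part of the original advisory or of Cisco's tooling, audits a saved running-config for the exposure condition described above (PIM together with an explicit "ip igmp version 3" on the same interface) and for the CoPP drop policy shown in the workaround. The sample configuration and the function names are constructed for illustration; interfaces without an explicit IGMP version line are not flagged.

```python
# Constructed sample running-config; function names below are illustrative.
SAMPLE = """\
interface GigabitEthernet0/0
 ip pim sparse-mode
 ip igmp version 3
interface GigabitEthernet0/1
 ip pim sparse-mode
 ip igmp version 2
ip access-list extended IGMP-ACL
 permit igmp any any ttl neq 1
class-map match-all drop-IGMP-class
 match access-group name IGMP-ACL
policy-map CoPP-policy
 class drop-IGMP-class
  drop
control-plane
 service-policy input CoPP-policy
"""

def sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, head = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comment lines
        if not line[0].isspace():
            head = line.strip()
            out[head] = []
        elif head:
            out[head].append(line.strip())
    return out

def exposed_interfaces(config):
    """Interfaces with both PIM and an explicit 'ip igmp version 3'."""
    return [h.split()[1] for h, body in sections(config).items()
            if h.startswith("interface ")
            and "ip igmp version 3" in body
            and any(c.startswith("ip pim ") for c in body)]

def copp_drop_in_place(config):
    """Trace ACL -> class-map -> policy-map -> control-plane for the TTL != 1 drop."""
    sec = sections(config)
    acls = {h.split()[-1] for h, b in sec.items()
            if h.startswith("ip access-list extended ") and "permit igmp any any ttl neq 1" in b}
    classes = {h.split()[-1] for h, b in sec.items() if h.startswith("class-map ")
               and any(c == f"match access-group name {a}" for c in b for a in acls)}
    policies = {h.split()[-1] for h, b in sec.items() if h.startswith("policy-map ")
                and any(pair == (f"class {k}", "drop")
                        for pair in zip(b, b[1:]) for k in classes)}
    return any(c == f"service-policy input {p}"
               for c in sec.get("control-plane", []) for p in policies)
```

An interface reported by exposed_interfaces on a device where copp_drop_in_place returns False has neither workaround from this advisory applied.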

Vendor patch:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20100922-igmp) and corresponding patches for this issue:
cisco-sa-20100922-igmp: Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml

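This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.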