BUGTRAQ ID: 38935,38929,38933 CVE ID: CVE-2010-0579,CVE-2010-0580,CVE-2010-0581 Cisco IOS是思科网络设备所使用的互联网操作系统。 Cisco IOS Software的SIP实现中存在多个漏洞,可能允许远程攻击者导致设备重载或执行任意代码。当运行Cisco IOS Software的设备处理畸形SIP消息时可以触发这些漏洞。 在SIP运行在TCP传输的情况下,必须完成三重握手才可以利用这些漏洞。 Cisco IOS 12.4 Cisco IOS 12.3 临时解决方法: * 对于不需要启用SIP的设备,最简单有效的临时解决方案就是在设备上禁止处理SIP。一些Cisco IOS Software版本上允许管理员通过以下命令禁用SIP: sip-ua no transport udp no transport tcp no transport tcp tls * 对于需要提供SIP服务的设备,可使用控制面整形(CoPP)阻断不可信任来源到设备的SIP通讯。可在网络中应用以下示例: !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit) !-- then traffic will be dropped and if the access list does not !-- match (deny) then traffic will be processed by the router. access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255...
BUGTRAQ ID: 38935,38929,38933 CVE ID: CVE-2010-0579,CVE-2010-0580,CVE-2010-0581 Cisco IOS是思科网络设备所使用的互联网操作系统。 Cisco IOS Software的SIP实现中存在多个漏洞,可能允许远程攻击者导致设备重载或执行任意代码。当运行Cisco IOS Software的设备处理畸形SIP消息时可以触发这些漏洞。 在SIP运行在TCP传输的情况下,必须完成三重握手才可以利用这些漏洞。 Cisco IOS 12.4 Cisco IOS 12.3 临时解决方法: * 对于不需要启用SIP的设备,最简单有效的临时解决方案就是在设备上禁止处理SIP。一些Cisco IOS Software版本上允许管理员通过以下命令禁用SIP: sip-ua no transport udp no transport tcp no transport tcp tls * 对于需要提供SIP服务的设备,可使用控制面整形(CoPP)阻断不可信任来源到设备的SIP通讯。可在网络中应用以下示例: !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit) !-- then traffic will be dropped and if the access list does not !-- match (deny) then traffic will be processed by the router. access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061 access-list 100 deny udp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5061 access-list 100 permit udp any any eq 5060 access-list 100 permit tcp any any eq 5060 access-list 100 permit tcp any any eq 5061 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. class-map match-all drop-sip-class match access-group 100 !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. policy-map control-plane-policy class drop-sip-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. control-plane service-policy input control-plane-policy 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20100324-sip)以及相应补丁: cisco-sa-20100324-sip:Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities 链接:http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml
