BUGTRAQ ID: 36499 CVE ID: CVE-2009-2870 Cisco IOS是思科网络设备所使用的互联网操作系统。 如果设备运行的Cisco IOS镜像中包含有Cisco Unified Border Element功能,则Cisco IOS软件的SIP实现中存在拒绝服务漏洞。处理一系列特制的SIP消息会导致设备重载。 Cisco IOS 12.4 Cisco IOS 12.3 临时解决方法: * 禁用SIP监听端口 sip-ua no transport udp no transport tcp no transport tcp tls * 部署以下控制面整型(CoPP) !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit) !-- then traffic will be dropped and if the access list does not !-- match (deny) then traffic will be processed by the router. access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061 access-list 100 deny udp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5060...
BUGTRAQ ID: 36499 CVE ID: CVE-2009-2870 Cisco IOS是思科网络设备所使用的互联网操作系统。 如果设备运行的Cisco IOS镜像中包含有Cisco Unified Border Element功能,则Cisco IOS软件的SIP实现中存在拒绝服务漏洞。处理一系列特制的SIP消息会导致设备重载。 Cisco IOS 12.4 Cisco IOS 12.3 临时解决方法: * 禁用SIP监听端口 sip-ua no transport udp no transport tcp no transport tcp tls * 部署以下控制面整型(CoPP) !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted. !-- Everything else is not trusted. The following access list is used !-- to determine what traffic needs to be dropped by a control plane !-- policy (the CoPP feature.) If the access list matches (permit) !-- then traffic will be dropped and if the access list does not !-- match (deny) then traffic will be processed by the router. access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060 access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061 access-list 100 deny udp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5060 access-list 100 deny tcp host 172.16.1.1 any eq 5061 access-list 100 permit udp any any eq 5060 access-list 100 permit tcp any any eq 5060 access-list 100 permit tcp any any eq 5061 !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. !-- Create a Class-Map for traffic to be policed by !-- the CoPP feature. class-map match-all drop-sip-class match access-group 100 !-- Create a Policy-Map that will be applied to the !-- Control-Plane of the device. policy-map drop-sip-traffic class drop-sip-class drop !-- Apply the Policy-Map to the Control-Plane of the !-- device. control-plane service-policy input drop-sip-traffic 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20090923-sip)以及相应补丁: cisco-sa-20090923-sip:Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability 链接:http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml
