Cisco IOS是Cisco网络设备所使用的操作系统。 Cisco IOS所带的FTP Server处理访问请求时存在漏洞,远程攻击者可能利用此漏洞非授权访问系统文件或导致拒绝服务。 启用了IOS FTP Server功能的Cisco IOS没有正确检查用户授权,可能允许攻击者非授权读写设备文件系统中的任意文件,包括设备保存的配置,其中可能有口令或其他敏感信息;此外这种配置的Cisco IOS还可能导致在通过FTP传输文件时IOS重载。 Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 临时解决方法: * 通过向设备配置中添加以下命令禁用IOS FTP Server功能: no ftp-server enable * 选用其他文件传输方式,如安全拷贝(SCP)或使用简单文件传输协议(TFTP)服务器。 * 如下配置基础架构ACL(iACL): !--- Permit FTP services from trusted hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 21 access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 20 !--- Deny FTP packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21 access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20 !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial...
Cisco IOS是Cisco网络设备所使用的操作系统。 Cisco IOS所带的FTP Server处理访问请求时存在漏洞,远程攻击者可能利用此漏洞非授权访问系统文件或导致拒绝服务。 启用了IOS FTP Server功能的Cisco IOS没有正确检查用户授权,可能允许攻击者非授权读写设备文件系统中的任意文件,包括设备保存的配置,其中可能有口令或其他敏感信息;此外这种配置的Cisco IOS还可能导致在通过FTP传输文件时IOS重载。 Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 临时解决方法: * 通过向设备配置中添加以下命令禁用IOS FTP Server功能: no ftp-server enable * 选用其他文件传输方式,如安全拷贝(SCP)或使用简单文件传输协议(TFTP)服务器。 * 如下配置基础架构ACL(iACL): !--- Permit FTP services from trusted hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 21 access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 20 !--- Deny FTP packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21 access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20 !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in * 如下配置接收ACL(rACL): !--- Permit FTP from trusted hosts allowed to the RP. access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 21 access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 20 !--- Deny FTP from all other sources to the RP. access-list 151 deny tcp any any eq 21 access-list 151 deny tcp any any eq 20 !--- Permit all other traffic to the RP. !--- according to security policy and configurations. access-list 151 permit ip any any !--- Apply this access list to the 'receive' path. ip receive access-list 151 * 如下配置控制面板: access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 21 access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 20 access-list 152 permit tcp any any eq 20 access-list 152 permit tcp any any eq 21 access-list 152 deny ip any any ! class-map match-all COPP-KNOWN-UNDESIRABLE match access-group 152 ! ! policy-map COPP-INPUT-POLICY class COPP-KNOWN-UNDESIRABLE drop ! control-plane service-policy input COPP-INPUT-POLICY 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20070509-iosftp)以及相应补丁: cisco-sa-20070509-iosftp:Multiple Vulnerabilities in the IOS FTP Server 链接:<a href="http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml</a>
