Cisco IOS是Cisco设备所使用的操作系统。 Cisco IOS在处理特定畸形的TCP报文时存在漏洞,远程攻击者可能利用此漏洞对设备执行拒绝服务攻击,导致设备耗尽所有内存无法正常工作。 如果将Cisco IOS设备配置为接收TCP报文的话,则发送给Cisco IOS设备物理或虚拟接口IPv4地址的特制报文就可能导致泄漏少量的内存。这种内存泄漏可能造成耗尽内存资源,降低系统的性能。 请注意攻击者无需完成TCP三重握手就可以触发这个漏洞,因此伪造源址的TCP报文也可以完成攻击。这个漏洞仅适用于目标为Cisco IOS设备的通讯,穿越Cisco IOS设备的通讯不会触发这个漏洞。 Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 临时解决方法: * 应用基础架构访问控制列表(iACL)。以下是运行Cisco IOS设备访问控制列表的示例: !--- Permit TCP services from trust hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK !--- Deny TCP packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in * 应用接收访问控制列表(rACL)。以下示例仅允许可信任主机的TCP通讯: !--- Permit tcp services from trusted hosts allowed to the RP. access-list 151 permit tcp...
Cisco IOS是Cisco设备所使用的操作系统。 Cisco IOS在处理特定畸形的TCP报文时存在漏洞,远程攻击者可能利用此漏洞对设备执行拒绝服务攻击,导致设备耗尽所有内存无法正常工作。 如果将Cisco IOS设备配置为接收TCP报文的话,则发送给Cisco IOS设备物理或虚拟接口IPv4地址的特制报文就可能导致泄漏少量的内存。这种内存泄漏可能造成耗尽内存资源,降低系统的性能。 请注意攻击者无需完成TCP三重握手就可以触发这个漏洞,因此伪造源址的TCP报文也可以完成攻击。这个漏洞仅适用于目标为Cisco IOS设备的通讯,穿越Cisco IOS设备的通讯不会触发这个漏洞。 Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 临时解决方法: * 应用基础架构访问控制列表(iACL)。以下是运行Cisco IOS设备访问控制列表的示例: !--- Permit TCP services from trust hosts destined !--- to infrastructure addresses. access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK !--- Deny TCP packets from all other sources destined to infrastructure addresses. access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK !--- Permit all other traffic to transit the device. access-list 150 permit IP any any interface serial 2/0 ip access-group 150 in * 应用接收访问控制列表(rACL)。以下示例仅允许可信任主机的TCP通讯: !--- Permit tcp services from trusted hosts allowed to the RP. access-list 151 permit tcp TRUSTED_ADDRESSES MASK any !--- Deny tcp services from all other sources to the RP. access-list 151 deny tcp any any !--- Permit all other traffic to the RP. access-list 151 permit ip any any !--- Apply this access list to the 'receive' path. ip receive access-list 151 * 控制台整形(CoPP)。在下面的CoPP示例中,如果ACL项匹配有permit操作的攻击报文的话,策略映射的drop功能会丢弃这些报文,而匹配deny操作的报文不会受到影响: access-list 152 deny tcp TRUSTED_ADDRESSES MASK any access-list 152 permit tcp any any access-list 152 deny ip any any ! class-map match-all permit-tcp-class match access-group 152 ! ! policy-map permit-tcp-policy class permit-tcp-class drop ! control-plane service-policy input permit-tcp-policy 请注意Cisco IOS的12.2S和12.0S系列的policy-map句法略有不同: policy-map permit-tcp-policy class class permit-tcp-class police 32000 1500 1500 conform-action drop exceed-action drop * 通过以下命令启用uRPF: router(config)# ip cef router(config)# interface interface # router(config-if)# ip verify unicast source reachable-via rx * 应用BGP和BTSH/GTSM。 厂商补丁: Cisco ----- Cisco已经为此发布了一个安全公告(cisco-sa-20070124-crafted-tcp)以及相应补丁: cisco-sa-20070124-crafted-tcp:Crafted TCP Packet Can Cause Denial of Service 链接:<a href="http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-tcp.shtml</a>
