Cisco IOS is the operating system that runs on Cisco devices. Cisco IOS contains a vulnerability in its handling of certain malformed IP packets; a remote attacker could exploit it to stop the device from working properly or to execute arbitrary instructions on it.

If all three of the following conditions are met:

1. The packet contains a crafted IP option
2. The packet belongs to one of the following protocols:
   * ICMP - Echo (Type 8) - 'ping'
   * ICMP - Timestamp (Type 13)
   * ICMP - Information Request (Type 15)
   * ICMP - Address Mask Request (Type 17)
   * PIMv2 - IP protocol 103
   * PGM - IP protocol 113
   * URD - TCP Port 465
3. The packet is sent to a physical or virtual IPv4 address configured on the affected device

then an attacker can, by sending crafted packets, cause a Cisco device running Cisco IOS or Cisco IOS XR software and configured to process IPv4 packets to suffer a denial of service or to execute arbitrary code. On Cisco IOS, a successful attack causes the device to reload or to execute arbitrary code; on Cisco IOS XR, a successful attack causes the ipv4_io process to restart or arbitrary code execution, and repeated attacks cause the CRS-1 node or XR 12000 line card to reload.

Affected versions:

Cisco IOS XR 3.2.X
Cisco IOS XR 3.0.X
Cisco IOS XR 2.0.X
Cisco IOS 12.0-12.4

Workarounds:

* Use the IP Options Selective Drop feature:

    ip options drop

* Apply transit access control lists (ACLs). The following ACL blocks the attack traffic; deploy it on all IPv4 interfaces of the device:

    access-list 150 deny icmp any any echo
    access-list 150 deny icmp any any information-request
    access-list 150 deny icmp any any timestamp-request
    access-list 150 deny icmp any any mask-request
    access-list 150 deny tcp any any eq 465
    access-list 150 deny 103 any any
    access-list 150 deny 113 any any
    access-list 150 permit ip any any
    interface serial 2/0
     ip access-group 150 in

  The following Cisco IOS XR ACL blocks the attack traffic; deploy it on all IPv4 interfaces of the device:

    ipv4 access-list ios-xr-transit-acl
     10 deny icmp any any echo
     20 deny icmp any any information-request
     30 deny icmp any any timestamp-request
     40 deny icmp any any mask-request
     50 deny tcp any any eq 465
     60 deny 103 any any
     70 deny 113 any any
     80 permit ip any any
    interface POS 0/2/0/
     ipv4 access-group ios-xr-transit-acl ingress

* Apply infrastructure access control lists:

  Cisco IOS:

    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES echo
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES information-request
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
    access-list 150 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request
    access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465
    access-list 150 deny 103 any INFRASTRUCTURE_ADDRESSES
    access-list 150 deny 113 any INFRASTRUCTURE_ADDRESSES
    access-list 150 permit ip any any
    interface serial 2/0
     ip access-group 150 in

  Cisco IOS XR:

    ipv4 access-list ios-xr-infrastructure-acl
     10 deny icmp any INFRASTRUCTURE_ADDRESSES echo
     20 deny icmp any INFRASTRUCTURE_ADDRESSES information-request
     30 deny icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
     40 deny icmp any INFRASTRUCTURE_ADDRESSES mask-request
     50 deny tcp any INFRASTRUCTURE_ADDRESSES eq 465
     60 deny 103 any INFRASTRUCTURE_ADDRESSES
     70 deny 113 any INFRASTRUCTURE_ADDRESSES
     80 permit ip any any
    interface POS 0/2/0/2
     ipv4 access-group ios-xr-infrastructure-acl ingress

* Apply receive access control lists:

    access-list 101 deny icmp any any echo
    access-list 101 deny icmp any any information-request
    access-list 101 deny icmp any any timestamp-request
    access-list 101 deny icmp any any mask-request
    access-list 101 deny tcp any any eq 465
    access-list 101 deny 103 any any
    access-list 101 deny 113 any any
    access-list 101 permit ip any any
    !
    ip receive access-list 101

* Control Plane Policing (CoPP). The following CoPP example drops all packets that could exploit this vulnerability while permitting other IP traffic:

    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any information-request
    access-list 100 permit icmp any any timestamp-request
    access-list 100 permit icmp any any mask-request
    access-list 100 permit tcp any any eq 465
    access-list 100 permit 103 any any
    access-list 100 permit 113 any any
    access-list 100 deny ip any any
    !
    class-map match-all drop-options-class
     match access-group 100
    !
    !
    policy-map drop-options-policy
     class drop-options-class
      drop
    !
    control-plane
     service-policy input drop-options-policy

  Note that the policy-map syntax differs slightly in the Cisco IOS 12.0S, 12.2S and 12.2SX trains:

    policy-map drop-options-policy
     class drop-options-class
      police 32000 1500 1500 conform-action drop exceed-action drop

  The following example drops packets carrying the IP options that exploit this vulnerability, whether sent to or through the router, while leaving other IP traffic unaffected:

    ip access-list extended drop-affected-options
     permit icmp any any echo option any-options
     permit icmp any any information-request option any-options
     permit icmp any any timestamp-request option any-options
     permit icmp any any mask-request option any-options
     permit pim any any option any-options
     permit 113 any any option any-options
     permit tcp any any eq 465 option any-options
     deny ip any any
    !
    class-map match-all drop-options-class
     match access-group name drop-affected-options
    !
    !
    policy-map drop-opt-policy
     class drop-options-class
      drop
    !
    control-plane
     service-policy input drop-opt-policy

  Note that the policy-map syntax differs slightly in the Cisco IOS 12.2S train:

    policy-map drop-opt-policy
     class drop-options-class
      police 32000 1500 1500 conform-action drop exceed-action drop

Vendor patch:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20070124-crafted-ip-option) and corresponding patches:

cisco-sa-20070124-crafted-ip-option: Crafted IP Option Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
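As an added illustration, not part of this advisory or of Cisco's own material: a small Python classifier that applies the three conditions stated at the top of the advisory to a raw IPv4 packet, matching the same packet classes the workaround ACLs match (ICMP types 8/13/15/17, IP protocols 103/113, TCP port 465) together with the presence of IP options, which is what the `option any-options` ACL entries test. The device address set, the 192.0.2.0/24 addresses, the packet builder and the record-route option used to set IHL above 5 are constructed assumptions for the demonstration.

```python
import ipaddress
import struct

AFFECTED_ICMP_TYPES = {8, 13, 15, 17}      # echo, timestamp, info request, address mask request
AFFECTED_IP_PROTOCOLS = {103, 113}         # PIMv2, PGM
URD_TCP_PORT = 465

def parse_ipv4(pkt: bytes) -> dict:
    """Split a raw IPv4 packet into protocol, destination, option bytes and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, _, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes; 20 means no options
    return {"protocol": proto, "dst": str(ipaddress.IPv4Address(dst)),
            "options": pkt[20:ihl], "payload": pkt[ihl:]}

def matches_advisory(pkt: bytes, device_addrs: set) -> bool:
    """True when all three conditions from the advisory hold for this packet."""
    hdr = parse_ipv4(pkt)
    if not hdr["options"]:                  # condition 1: IP options present (IHL > 5)
        return False
    if hdr["dst"] not in device_addrs:      # condition 3: addressed to the device itself
        return False
    proto, payload = hdr["protocol"], hdr["payload"]
    if proto == 1:                          # ICMP: the type is the first payload byte
        return len(payload) >= 1 and payload[0] in AFFECTED_ICMP_TYPES
    if proto in AFFECTED_IP_PROTOCOLS:      # PIMv2 / PGM: the protocol number alone decides
        return True
    if proto == 6:                          # TCP: URD is identified by destination port 465
        return len(payload) >= 4 and struct.unpack("!HH", payload[:4])[1] == URD_TCP_PORT
    return False

def build_packet(proto: int, dst: str, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed test packet (hypothetical 192.0.2.0/24 addresses, checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)          # options are padded to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address("192.0.2.100").packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload

ROUTER = {"192.0.2.1"}                      # hypothetical set of the device's own addresses
RECORD_ROUTE = b"\x07\x07\x04"              # a record-route option, used only to make IHL > 5
PING = b"\x08\x00\x00\x00"                  # ICMP echo request header (type 8)
URD = struct.pack("!HH", 40000, 465)        # TCP header prefix with destination port 465
```

A packet that fails any one of the three checks (no options, transit destination, or an unlisted protocol such as UDP) is reported as not matching, which mirrors why the advisory's transit ACLs only need to block the listed protocol classes.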