
Cisco IOS Remote IPC Denial of Service Vulnerability



Affected systems:
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco IOS 12.0
Description:
BUGTRAQ  ID: 31363
CVE(CAN) ID: CVE-2008-3805

Cisco IOS is the Internetwork Operating System used on Cisco network devices.

Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC channel that is addressed from the 127.0.0.0/8 range and uses UDP port 1975. Devices in these series that run an affected Cisco IOS release will also process IPC messages sent to UDP port 1975 from outside the device. An attacker can exploit this behaviour to reload the device, a line card, or both, resulting in a denial of service. Because the channel is internal to the device, no legitimate UDP/1975 traffic should ever arrive on an external interface; the workarounds below therefore drop UDP/1975 destined to any of the device's own addresses, together with any packet sourced from or destined to 127.0.0.0/8.

<*Source: Cisco Security Advisory
  
  Link: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml
*>

Recommendations:
Temporary workarounds:

* Use interface access control lists (ACLs)

    access-list 100 deny udp any host <router-interface 1> eq 1975
    access-list 100 deny udp any host <router-interface 2> eq 1975
    access-list 100 deny udp any host <router-interface ...> eq 1975
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 deny ip any 127.0.0.0 0.255.255.255
    access-list 100 permit ip any any

    interface Serial 0/0
      ip access-group 100 in

* Control Plane Policing (CoPP) can be used to block untrusted access to UDP port 1975 on affected devices. Note that the ACL below uses permit entries: CoPP drops what the class matches, so traffic that should be dropped is permitted into the class.
  
    !-- Permit all UDP/1975 traffic so that it
    !-- will be policed and dropped by the CoPP feature

    !
    access-list 111 permit udp any any eq 1975
    access-list 111 permit ip any 127.0.0.0 0.255.255.255
    access-list 111 permit ip 127.0.0.0 0.255.255.255 any
    !

    !-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and
    !-- Layer 4 traffic in accordance with existing security policies
    !-- and configurations for traffic that is authorized to be sent
    !-- to infrastructure devices

    !

    !-- Create a Class-Map for traffic to be policed by the CoPP
    !-- feature

    !
    class-map match-all drop-IPC-class
      match access-group 111
    !

    !-- Create a Policy-Map that will be applied to the Control-Plane
    !-- of the device

    !
    policy-map drop-IPC-traffic
      class drop-IPC-class
        drop
    !

    !-- Apply the Policy-Map to the Control-Plane of the device

    !
    control-plane
      service-policy input drop-IPC-traffic
    !

Note that the policy-map syntax differs in the Cisco IOS 12.2S and 12.0S trains; there the drop is expressed with a police statement whose conform and exceed actions are both drop:

    !
    policy-map drop-IPC-traffic class drop-IPC-class
      police 32000 1500 1500 conform-action drop exceed-action drop
    !

* Use infrastructure ACLs (iACLs) at the network edge
  
    !-- Note: IPC packets sent to UDP destination port 1975 must not
    !--       be permitted from any trusted source as this traffic
    !--       should only be sent and received internally by the
    !--       affected device using an IP address allocated from the
    !--       127.0.0.0/8 prefix.
    !--
    !--       IPC traffic that is internally generated and sent
    !--       and/or received by the affected device is not subjected
    !--       to packet filtering by the applied iACL policy.

    !

    !-- Deny IPC (UDP port 1975) packets from all sources destined to
    !-- all IP addresses configured on the affected device.

    !
    access-list 150 deny udp any host INTERFACE_ADDRESS#1 eq 1975
    access-list 150 deny udp any host INTERFACE_ADDRESS#2 eq 1975
    access-list 150 deny udp any host INTERFACE_ADDRESS#N eq 1975
    !

    !-- Deny all IP packets with a source or destination IP address
    !-- from the 127.0.0.0/8 prefix.

    !
    access-list 150 deny ip 127.0.0.0 0.255.255.255 any
    access-list 150 deny ip any 127.0.0.0 0.255.255.255
    !


    !-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
    !-- with existing security policies and configurations.

    !

    !-- Permit all other traffic to transit the device.

    !
    access-list 150 permit ip any any
    !

    !-- Apply iACL to interfaces in the ingress direction.

    !
    interface GigabitEthernet0/0
      ip access-group 150 in
    !
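The three workarounds above are all first-match IOS ACLs, and the easiest way to get one of them wrong is a missed interface address or a forgotten 127.0.0.0/8 line. The following is an added example (not code from the Cisco advisory or from this page) of a small evaluator for numbered extended ACLs of the form shown, used to audit the iACL against sample packets before it is applied. The interface addresses 192.0.2.1 and 198.51.100.1, the attacker address 203.0.113.5 and the two configuration fragments are constructed for the example.

```python
"""Evaluate numbered IOS extended ACLs (the subset used by the workarounds above)
against sample packets. Added example; not from the Cisco advisory."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]  # (address, wildcard) as 32-bit ints; a 1 bit in the wildcard = don't care


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "udp" or "tcp"
    src: Spec
    dst: Spec
    dport: Optional[int]   # destination port from an "eq N" clause, else None


def _parse_addr(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wildcard), i + 2


def parse_acl(config_text: str, number: int) -> List[AclEntry]:
    """Collect the permit/deny entries of access-list <number> in configuration order."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny"):   # skip "remark" and anything unexpected
            continue
        src, i = _parse_addr(tokens, 4)
        dst, i = _parse_addr(tokens, i)
        dport = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


def _matches(spec: Spec, addr: int) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF   # the IOS wildcard mask is the inverse of a netmask
    return (addr & care) == (base & care)


def evaluate(entries: List[AclEntry], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation, ending in the implicit deny IOS appends to every ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(e.src, s) and _matches(e.dst, d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def audit_ipc_workaround(config_text: str, acl_number: int,
                         interface_addrs: List[str],
                         attacker: str = "203.0.113.5") -> bool:
    """True if the ACL drops UDP/1975 to every device address and any packet sourced
    from or destined to 127.0.0.0/8, while ordinary traffic to the device still passes."""
    entries = parse_acl(config_text, acl_number)
    if not entries:
        return False
    for addr in interface_addrs:
        if evaluate(entries, attacker, addr, "udp", 1975) != "deny":
            return False
    if evaluate(entries, "127.0.0.1", interface_addrs[0], "udp", 1975) != "deny":
        return False
    if evaluate(entries, attacker, "127.0.0.2", "ip") != "deny":
        return False
    # A workaround that also drops legitimate traffic is an outage, not a fix.
    return evaluate(entries, attacker, interface_addrs[0], "udp", 53) == "permit"


# Constructed sample: the iACL from the advisory with hypothetical interface addresses.
DEVICE_ADDRS = ["192.0.2.1", "198.51.100.1"]
SAMPLE_CONFIG = """
access-list 150 deny udp any host 192.0.2.1 eq 1975
access-list 150 deny udp any host 198.51.100.1 eq 1975
access-list 150 deny ip 127.0.0.0 0.255.255.255 any
access-list 150 deny ip any 127.0.0.0 0.255.255.255
access-list 150 permit ip any any
"""

# Same ACL with the 127.0.0.0/8 lines forgotten: spoofed loopback-range traffic gets through.
INCOMPLETE_CONFIG = """
access-list 150 deny udp any host 192.0.2.1 eq 1975
access-list 150 deny udp any host 198.51.100.1 eq 1975
access-list 150 permit ip any any
"""

if __name__ == "__main__":
    print("complete iACL passes audit:", audit_ipc_workaround(SAMPLE_CONFIG, 150, DEVICE_ADDRS))
    print("incomplete iACL passes audit:", audit_ipc_workaround(INCOMPLETE_CONFIG, 150, DEVICE_ADDRS))
```

Evaluating a transit packet such as 203.0.113.5 to 10.9.9.9 on UDP/1975 against the sample ACL returns permit, which is the intended behaviour of an iACL: it protects only the addresses configured on the device and leaves transit traffic alone. That is also why the CoPP variant above matches `udp any any eq 1975` without listing addresses: the control-plane policy only ever sees packets destined to the device itself, so a blanket match there cannot affect transit traffic.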

Vendor patches:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20080924-ipc) and corresponding fixes for this issue:
cisco-sa-20080924-ipc: Cisco 10000, uBR10012, uBR7200 Series Devices IPC Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080924-ipc.shtml


Date: September 2008
