Cisco IOS 12.4描述:
Cisco IOS 12.3
BUGTRAQ ID: 31364
CVE(CAN) ID: CVE-2008-2739
Cisco IOS是思科网络设备上所使用的互联网操作系统。
如果Cisco IOS启用了入侵保护系统(IPS)功能的话,则可以触发SERVICE.DNS引擎的IPS特征的网络通讯可能导致路由器崩溃或挂起,造成拒绝服务的情况。
<*来源:Cisco安全公告
链接:http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml
*>
建议:
临时解决方法:
* 向设备上配置的每条Cisco IOS IPS策略添加访问控制列表(ACL),这样Cisco IOS IPS功能不检查发送给53/udp或53/tcp端口的通讯。需要向设备配置添加以下ACL:
! deny inspection of traffic with a destination port of 53/udp
access-list 177 deny udp any any eq 53
! deny inspection of traffic with a destination port of 53/tcp
access-list 177 deny tcp any any eq 53
! allow all other traffic to be inspected
access-list 177 permit ip any any
然后需要修改设备上的每个Cisco IOS IPS策略例程以便引用之前的ACL。如果要判断设备上所配置的Cisco IOS IPS策略,如下执行show running-config | include ip ips name命令:
Router#show running-config | include ip ips name
ip ips name ios-ips-incoming
ip ips name ios-ips-outgoing
Router#
在上面的例子中,设备上配置了两条Cisco IOS IPS策略。以下示例显示向上述每条Cisco IOS IPS策略添加ACL:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip ips name ios-ips-incoming list 177
Router(config)#ip ips name ios-ips-outgoing list 177
Router(config)#end
Router#
作为验证步骤,可再次执行show ip ips interfaces命令确认已向每条Cisco IOS IPS策略正确的附加了ACL:
Router#show ip ips interfaces
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is ios-ips-incoming
acl list 177
Outgoing IPS rule is not set
Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is ios-ips-outgoing
acl list 177
Router#
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(cisco-sa-20080924-iosips)以及相应补丁:
cisco-sa-20080924-iosips:Cisco IOS IPS Denial of Service Vulnerability
链接:http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosips.shtml