Cisco IOS 12.4描述:
BUGTRAQ ID: 31365
CVE(CAN) ID: CVE-2008-3798
Cisco IOS是思科网络设备上所使用的互联网操作系统。
Cisco IOS设备在处理SSL报文时可能崩溃,在结束基于SSL的会话时可能出现这种情况。攻击报文不是畸形的,通常是在报文交换过程中接收到的。
无需处理用户名、口令或证书等有效凭据便可利用这个漏洞。SSL协议使用TCP作为传输协议,必须要求完成TCP三重握手才能利用这个漏洞,这降低了通过使用伪造IP地址利用这个漏洞的概率。
<*来源:Cisco安全公告
链接:http://secunia.com/advisories/31990/
http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml
*>
建议:
临时解决方法:
* 访问控制列表(ACL)
access-list 101 permit tcp host <legitimate_host_IP_address> host
<router_IP_address> eq 443
access-list 101 deny tcp any any eq 443
* 控制面整型(CoPP)
!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be
!-- governed by CoPPaccess-list 100 permit tcp any any eq 443
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all drop-SSL-class match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-SSL-policy class drop-SSL-class drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane service-policy input drop-SSL-policy
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(cisco-sa-20080924-ssl)以及相应补丁:
cisco-sa-20080924-ssl:Vulnerability in Cisco IOS While Processing SSL Packet
链接:http://www.cisco.com/warp/public/707/cisco-sa-20080924-ssl.shtml