Cisco IOS Software L2TP Denial of Service Vulnerability

Affected systems:
Cisco IOS 12.4
Cisco IOS 12.2
Description:
BUGTRAQ ID: 31358
CVE(CAN) ID: CVE-2008-3813

Cisco IOS is the Internetwork Operating System used on Cisco network devices.

The Layer 2 Tunneling Protocol (L2TP) implementation in Cisco IOS software contains a vulnerability: a device running the L2TP mgmt daemon reloads when it processes a specially crafted L2TP packet.

Several features enable the L2TP mgmt daemon in Cisco IOS software, including but not limited to L2VPN, L2TPv3, SGBP and Cisco VPDN. Once this process is enabled, the device is affected by the vulnerability.

<*Source: Cisco Security Advisory
  
  Links: http://secunia.com/advisories/31990/
         http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml
*>

Recommendations:
Workarounds:

* Infrastructure ACL (iACL)

        !--- Permit L2TP UDP 1701 packets from all trusted
        !--- sources destined to infrastructure addresses.
        !--- NOTE: This does not prevent spoofed attacks.
        !---           To be a full mitigation, no trusted source
        !---           addresses should be listed.
        !---           Omit this line if using a L2TPv3 over IP implementation only.

        access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES MASK
           INFRASTRUCTURE_ADDRESSES MASK eq 1701

        !--- Deny L2TP UDP 1701 packets from all
        !--- sources destined to infrastructure addresses.

        access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701

        !--- If using a L2TPv3 over IP implementation ensure to allow L2TPv3

        access-list 150 permit 115 <source_ip_address and mask>
           <destination_ip_address and mask>

        !--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
        !--- with existing security policies and configurations
        !--- Permit all other traffic to transit the device.

        access-list 150 permit ip any any

        !--- Apply access-list to all interfaces (only one example shown)

        interface serial 2/0
        ip access-group 150 in
  
* Control Plane Policing (CoPP)

        !--- Deny all trusted source L2TP UDP traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so that it
        !--- will not be policed by the CoPP feature.

        !--- NOTE: This does not prevent spoofed attacks.
        !---           To be a full mitigation, no trusted source
        !---           addresses should be listed.
        !---           Omit this line if using an L2TPv3 over IP implementation only.

        access-list 111 deny udp TRUSTED_SOURCE_ADDRESSES MASK
           INFRASTRUCTURE_ADDRESSES MASK eq 1701

        !--- Permit all L2TP UDP traffic sent to all IP addresses
        !--- configured on all interfaces of the affected device so that it
        !--- will be policed and dropped by the CoPP feature

        access-list 111 permit udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701

        !--- If using an L2TPv3 over IP implementation ensure not to drop L2TPv3

        access-list 111 deny 115 <source_ip_address and mask>
           <destination_ip_address and mask>

        !--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
        !--- traffic in accordance with existing security policies and
        !--- configurations for traffic that is authorized to be sent
        !--- to infrastructure devices

        !--- Create a Class-Map for traffic to be policed by
        !--- the CoPP feature

        class-map match-all drop-l2tp-class
        match access-group 111

        !--- Create a Policy-Map that will be applied to the
        !--- Control-Plane of the device.

        policy-map drop-l2tp-traffic
        class drop-l2tp-class
        drop

        !--- Apply the Policy-Map to the
        !--- Control-Plane of the device

        control-plane
        service-policy input drop-l2tp-traffic
  
Note that the policy-map syntax differs in the 12.2S and 12.0S Cisco IOS trains:

        policy-map drop-l2tp-traffic
        class drop-l2tp-class
        police 32000 1500 1500 conform-action drop exceed-action drop
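As an added illustration that is not part of the advisory, the following Python evaluates the iACL (access-list 150) and CoPP (access-list 111) entries above against sample packets, using constructed placeholder prefixes for TRUSTED_SOURCE_ADDRESSES and INFRASTRUCTURE_ADDRESSES. It shows which L2TP packets each workaround drops, that L2TPv3 over IP (protocol 115) and transit traffic are left alone, and that a packet carrying a trusted source address still passes, which is the spoofing caveat the advisory notes.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")
# Constructed placeholders for the advisory's TRUSTED_SOURCE_ADDRESSES and
# INFRASTRUCTURE_ADDRESSES (documentation prefixes, hypothetical values).
TRUSTED_SOURCES = ipaddress.ip_network("192.0.2.0/24")
INFRASTRUCTURE = ipaddress.ip_network("198.51.100.0/24")
L2TPV3_IP_PROTO = 115  # L2TPv3 directly over IP uses IP protocol 115

# Entries: (action, protocol, source net, destination net, destination port or None).
# Protocol "ip" matches any protocol; "udp" and 115 match only that protocol.
ACL_150 = [  # iACL applied inbound on interfaces
    ("permit", "udp", TRUSTED_SOURCES, INFRASTRUCTURE, 1701),
    ("deny", "udp", ANY, INFRASTRUCTURE, 1701),
    ("permit", L2TPV3_IP_PROTO, ANY, INFRASTRUCTURE, None),
    ("permit", "ip", ANY, ANY, None),
]
ACL_111 = [  # CoPP class ACL: a "permit" match means the class drops the packet
    ("deny", "udp", TRUSTED_SOURCES, INFRASTRUCTURE, 1701),
    ("permit", "udp", ANY, INFRASTRUCTURE, 1701),
    ("deny", L2TPV3_IP_PROTO, ANY, INFRASTRUCTURE, None),
]

def evaluate(acl, src, dst, proto, dport=None):
    """First-match evaluation as IOS does it; unmatched packets hit the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net, port in acl:
        if p != "ip" and p != proto:
            continue
        if s not in src_net or d not in dst_net:
            continue
        if port is not None and port != dport:
            continue
        return action
    return "deny"

def iacl_permits(src, dst, proto, dport=None):
    return evaluate(ACL_150, src, dst, proto, dport) == "permit"

def copp_drops(src, dst, proto, dport=None):
    # class-map drop-l2tp-class matches ACL 111 permits; the policy action is drop.
    return evaluate(ACL_111, src, dst, proto, dport) == "permit"

if __name__ == "__main__":
    infra, trusted, outsider = "198.51.100.1", "192.0.2.10", "203.0.113.5"
    print("untrusted L2TP to infra, iACL permits:", iacl_permits(outsider, infra, "udp", 1701))
    print("untrusted L2TP to infra, CoPP drops:", copp_drops(outsider, infra, "udp", 1701))
    print("spoofed trusted source, iACL permits:", iacl_permits(trusted, infra, "udp", 1701))
    print("L2TPv3 over IP to infra, CoPP drops:", copp_drops(outsider, infra, L2TPV3_IP_PROTO))
```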

Vendor patches:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20080924-l2tp) and corresponding patches for this issue:
cisco-sa-20080924-l2tp: Cisco IOS Software Layer 2 Tunneling Protocol (L2TP) Denial of Service Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20080924-l2tp.shtml


Date: October 2008
