Cisco IOS AIC HTTP中间报文拒绝服务漏洞

受影响系统：

Cisco IOS 12.4

描述：

---

BUGTRAQ  ID: 31354
CVE(CAN) ID: CVE-2008-3812

Cisco IOS是思科网络设备上所使用的互联网操作系统。

如果Cisco IOS软件配置了IOS防火墙应用程序检查控制（AIC）且AIC中包含有HTTP应用程序特定策略的话，则在处理畸形的HTTP中间报文时存在拒绝服务漏洞。成功利用这个漏洞可能导致受影响的设备重载。

HTTP运行在TCP上。如果要利用这个漏洞，在处理恶意通讯之前必须要完成客户端与服务器之间完整的三重握手才能导致设备重载。

<*来源：Cisco安全公告
  
  链接：http://secunia.com/advisories/31990/
        http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml
*>

建议：

---

临时解决方法：

* 禁用AIC HTTP深层报文检查

    !--- Existing Configuration
    !

    parameter-map type inspect global

    !

    class-map type inspect http match-any layer7-classmap
    class-map type inspect match-any layer4-classmap
     match protocol http

    !

    policy-map type inspect http layer7-policymap
     class type inspect http layer7-classmap
      allow
     class class-default
    policy-map type inspect layer4-policymap
     class type inspect layer4-classmap
      inspect global
      service-policy http layer7-policymap
     class class-default

    !

    zone security inside
     description ** Inside Network **
    zone security outside
     description ** Outside Network **
    zone-pair security in2out source inside destination outside
     description ** Zone Pair - inside to outside **
     service-policy type inspect layer4-policymap

   从有问题的zone-pair删除service-policy：
  
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#zone-pair security in2out source inside destination outside
    Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap
    Router(config-sec-zone-pair)#exit

   删除policy-map type inspect layer4-policymap与policy-map type inspect http layer7-policymap之间的关联：

    Router(config)#policy-map type inspect layer4-policymap
    Router(config-pmap)#class type inspect layer4-classmap
    Router(config-pmap-c)#no service-policy http layer7-policymap
    Router(config-pmap-c)#exit
    Router(config-pmap)#exit

   对有问题的zone-pair重新应用service-policy：

    Router(config)#zone-pair security in2out source inside destination outside
    Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap
    Router(config-sec-zone-pair)#exit

   尽管不是必须的，出于配置完整性考虑，建议删除policy-map type inspect http layer7-policymap和class-map type inspect http match-any layer7-classmap。

    Router(config)#no policy-map type inspect http layer7-policymap
    Router(config)#no class-map type inspect http match-any layer7-classmap
    Router(config)#exit
    Router#

厂商补丁：

Cisco
-----
Cisco已经为此发布了一个安全公告（cisco-sa-20080924-iosfw）以及相应补丁:
cisco-sa-20080924-iosfw：Cisco IOS Software Firewall Application Inspection Control Vulnerability
链接：http://www.cisco.com/warp/public/707/cisco-sa-20080924-iosfw.shtml