Cisco IOS SSL Connection Remote Denial of Service Vulnerability

Cisco IOS contains a vulnerability in the handling of SSL session connections; a remote attacker could exploit it to cause a denial of service on the device.

Affected systems:

Cisco IOS 12.4

Cisco IOS 12.3

Cisco IOS 12.2

Cisco IOS 12.1

Cisco IOS 12.0

Description:

BUGTRAQ ID: 24097

Cisco IOS is the operating system used by Cisco network devices.

Cisco IOS contains a vulnerability in the handling of SSL session connections; a remote attacker could exploit it to cause a denial of service on the device.

If configured to use the SSL protocol, a Cisco IOS device may crash while processing malformed SSL packets. To trigger these vulnerabilities, a malicious client must send a malformed ClientHello, ChangeCipherSpec, or Finished message during the SSL protocol exchange with the vulnerable device.

An attacker can trigger these vulnerabilities after the TCP connection has been established but before authentication credentials (such as a username/password or a certificate) are exchanged. Because the TCP three-way handshake must complete first, the likelihood of exploiting these vulnerabilities from spoofed IP addresses is reduced. If an SSL session has already been established, an attacker intercepting the traffic between two affected devices cannot exploit the vulnerability, because SSL protects against such injection. However, the attacker could abnormally terminate the existing session with a TCP RST, then wait for a new SSL session to be set up and inject malicious packets at the start of that new session to trigger the vulnerability.

◆ Source: Cisco security advisory

Links: http://secunia.com/advisories/25361/

http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Recommendations:

Temporary workarounds:

◆ Configure Control Plane Policing (CoPP) as follows:

!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be governed by CoPP
access-list 100 permit tcp any any eq 443
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all drop-SSL-class
 match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-SSL-policy
 class drop-SSL-class
  drop
!
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
 service-policy input drop-SSL-policy

Note that in the 12.0S, 12.2S, and 12.2SX Cisco IOS trains the policy-map syntax differs, as shown below:

policy-map drop-SSL-policy
 class drop-SSL-class
  police 32000 1500 1500 conform-action drop exceed-action drop
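As an added example (not part of the advisory, and not a Cisco tool), the following Python script checks a saved running-config for the CoPP workaround above end to end: an ACL matching TCP/443, a class-map that references it, a policy-map that drops that class (either with `drop` or with the `police ... conform-action drop exceed-action drop` form), and the policy applied inbound on the control plane. The sample config is constructed for the demonstration.

```python
import re

# Constructed sample running-config (not text from the advisory) containing the CoPP workaround.
SAMPLE_CONFIG = """\
access-list 100 permit tcp any any eq 443
class-map match-all drop-SSL-class
 match access-group 100
policy-map drop-SSL-policy
 class drop-SSL-class
  drop
control-plane
 service-policy input drop-SSL-policy
"""

def parse_sections(config):
    """Map each top-level config line to the list of its indented child lines."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def copp_drops_ssl(config):
    """True only if the full ACL -> class-map -> policy-map -> control-plane chain is present."""
    sections = parse_sections(config)
    # 1. Policy-map applied inbound on the control plane.
    pmaps = [c.split()[2] for c in sections.get("control-plane", []) if c.startswith("service-policy input ")]
    if not pmaps:
        return False
    # 2. Classes dropped outright, or policed to drop (the 12.0S/12.2S/12.2SX syntax).
    dropped, cls = set(), None
    for child in sections.get(f"policy-map {pmaps[0]}", []):
        if child.startswith("class "):
            cls = child.split()[1]
        elif cls and (child == "drop" or
                      re.match(r"police .*conform-action drop exceed-action drop", child)):
            dropped.add(cls)
    # 3. A class-map for a dropped class must reference an ACL that matches TCP/443.
    for cls in dropped:
        for kind in ("match-all", "match-any"):
            for child in sections.get(f"class-map {kind} {cls}", []):
                m = re.match(r"match access-group (\d+)", child)
                if m and any(re.match(rf"access-list {m.group(1)} permit tcp .*eq 443$", k) for k in sections):
                    return True
    return False
```

Feed it the output of `show running-config` saved to a file; a missing link anywhere in the chain makes the check return False.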

◆ Configure an ACL as follows (apply it inbound on the relevant interfaces):

!-- <trusted-host-ip> is a placeholder for the host still allowed to reach port 443; the final permit keeps the ACL's implicit deny from dropping all other traffic
access-list 101 permit tcp host <trusted-host-ip> any eq 443
access-list 101 deny tcp any any eq 443
access-list 101 permit ip any any

Vendor patches:

Cisco

-----

Cisco has released a security advisory (cisco-sa-20070522-SSL) and corresponding patches:

cisco-sa-20070522-SSL: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets

Link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Editor: 许凤丽  Source: 比特网