Vulnerability Details

Cisco IOS Voice Services Multiple Protocol Handling Denial of Service and Code Execution Vulnerabilities

  • CNNVD ID: CNNVD-200708-156
  • Severity: Critical
  • CVE ID: CVE-2007-4292
  • Vulnerability type: Other
  • Published: 2007-08-09
  • Threat type: Remote
  • Updated: 2009-03-04
  • Vendor: cisco
  • Source: Cisco Security Advisory

Vulnerability Summary

Cisco IOS is the operating system used on Cisco network devices.

Cisco IOS contains vulnerabilities in the handling of several protocols' packets; a remote attacker could exploit them to render a device unavailable.

If malformed SIP packets are sent to a network device running Cisco IOS or Cisco Unified Communications Manager, the result can be a denial of service or arbitrary code execution. In addition, if a network device running Cisco IOS receives malformed MGCP, H.323 or RTP packets, or receives a very large packet while receiving a fax, the service may crash or the router may hang.

Vendor Advisory

Cisco has released a security advisory (cisco-sa-20070808-IOS-voice) and corresponding patches for this issue:

cisco-sa-20070808-IOS-voice: Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager

http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-voice.shtml

Workarounds:

* Apply the following infrastructure ACL (iACL):

!-- Permit SIP, MGCP, H.323 and RTP services from trusted hosts destined
!-- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2427
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 1720
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 11720
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK range 16384 32767
!-- Deny SIP, MGCP, H.323 and RTP packets from all other sources destined
!-- to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2427
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 1720
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 11720
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK range 16384 32767
!-- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
 ip access-group 150 in

* Apply the following Control Plane Policing (CoPP) configuration:

!-- Deny SIP, MGCP, H.323 and RTP traffic from trusted hosts to all
!-- IP addresses configured on all interfaces of the affected device
!-- so that it will be allowed by the CoPP feature.
access-list 111 deny tcp host 192.168.100.1 any eq 5060
access-list 111 deny tcp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 5060
access-list 111 deny udp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 2427
access-list 111 deny tcp host 192.168.100.1 any eq 1720
access-list 111 deny tcp host 192.168.100.1 any eq 11720
access-list 111 deny udp host 192.168.100.1 any eq 2517
access-list 111 deny udp host 192.168.100.1 any range 16384 32767
!-- Permit all other SIP, MGCP, H.323 and RTP traffic sent to all
!-- IP addresses configured on all interfaces of the affected device
!-- so that it will be policed and dropped by the CoPP feature.
access-list 111 permit tcp any any eq 5060
access-list 111 permit tcp any any eq 5061
access-list 111 permit udp any any eq 5060
access-list 111 permit udp any any eq 5061
access-list 111 permit udp any any eq 2427
access-list 111 permit tcp any any eq 1720
access-list 111 permit tcp any any eq 11720
access-list 111 permit udp any any eq 2517
access-list 111 permit udp any any range 16384 32767
!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-voice-class
 match access-group 111
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map drop-voice-traffic
 class drop-voice-class
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
 service-policy input drop-voice-traffic

Note that the policy-map syntax differs in the Cisco IOS 12.2S and 12.0S software trains:

policy-map drop-voice-traffic
 class drop-voice-c
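The two access-lists above use permit/deny in opposite senses: in the iACL a deny drops the packet at the interface, while in the CoPP ACL a deny exempts the trusted host from drop-voice-class and a permit is what gets dropped. The following Python model, added here as an example and not code from the Cisco advisory or CNNVD, evaluates both lists with IOS first-match semantics over the advisory's port set; the TRUSTED_HOSTS and INFRASTRUCTURE_ADDRESSES placeholders are filled with assumed sample networks.

```python
import ipaddress

# Constructed model of access-lists 150 and 111 above; not Cisco's or CNNVD's code.
# Voice ports the advisory filters: (protocol, low port, high port).
VOICE_PORTS = [("tcp", 5060, 5060), ("tcp", 5061, 5061), ("udp", 5060, 5060),
               ("udp", 5061, 5061), ("udp", 2427, 2427), ("tcp", 1720, 1720),
               ("tcp", 11720, 11720), ("udp", 2517, 2517), ("udp", 16384, 32767)]

# Assumed sample values for the advisory's placeholders (constructed for this example).
TRUSTED_HOSTS = ipaddress.ip_network("192.168.100.0/24")   # TRUSTED_HOSTS MASK
INFRASTRUCTURE = ipaddress.ip_network("10.0.0.0/24")       # INFRASTRUCTURE_ADDRESSES MASK
COPP_TRUSTED = ipaddress.ip_network("192.168.100.1/32")    # 'host 192.168.100.1' in ACL 111
ANY = ipaddress.ip_network("0.0.0.0/0")

def build_iacl():
    """Entries of access-list 150 in order: (action, proto, src, dst, lo, hi)."""
    rules = [("permit", p, TRUSTED_HOSTS, INFRASTRUCTURE, lo, hi) for p, lo, hi in VOICE_PORTS]
    rules += [("deny", p, ANY, INFRASTRUCTURE, lo, hi) for p, lo, hi in VOICE_PORTS]
    rules.append(("permit", "ip", ANY, ANY, 0, 65535))  # all other traffic transits
    return rules

def build_copp_acl():
    """Entries of access-list 111: deny = exempt from the class-map, permit = classified."""
    rules = [("deny", p, COPP_TRUSTED, ANY, lo, hi) for p, lo, hi in VOICE_PORTS]
    rules += [("permit", p, ANY, ANY, lo, hi) for p, lo, hi in VOICE_PORTS]
    return rules

def evaluate(rules, src, proto, dst, dport):
    """IOS semantics: first matching entry wins; an implicit 'deny ip any any' ends the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, lo, hi in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s in rsrc and d in rdst and lo <= dport <= hi:
            return action
    return "deny"

def iacl_verdict(src, proto, dst, dport):
    """Interface iACL: 'permit' is forwarded, 'deny' is dropped at the interface."""
    return evaluate(build_iacl(), src, proto, dst, dport)

def copp_verdict(src, proto, dst, dport):
    """CoPP: packets the ACL *permits* match drop-voice-class and are dropped;
    packets it *denies* fall through to the rest of the control-plane policy."""
    matched = evaluate(build_copp_acl(), src, proto, dst, dport) == "permit"
    return "dropped" if matched else "allowed"
```

Note that only packets addressed to INFRASTRUCTURE_ADDRESSES are filtered by the iACL; voice traffic transiting to other destinations still matches the final permit.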

References

Source: BID; Name: 25239; Link: http://www.securityfocus.com/bid/25239

Source: CISCO; Name: 20070808 Voice Vulnerabilities in Cisco IOS and Cisco Unified Communications Manager; Link: http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.shtml

Source: SECTRACK; Name: 1018533; Link: http://securitytracker.com/id?1018533

Source: SECUNIA; Name: 26363; Link: http://secunia.com/advisories/26363

Source: OVAL; Name: oval:org.mitre.oval:def:5781; Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5781

Source: OSVDB; Name: 36676; Link: http://osvdb.org/36676

Source: OSVDB; Name: 36675; Link: http://osvdb.org/36675

Source: OSVDB; Name: 36674; Link: http://osvdb.org/36674

Source: OSVDB; Name: 36673; Link: http://osvdb.org/36673

Source: OSVDB; Name: 36672; Link: http://osvdb.org/36672

Source: OSVDB; Name: 36671; Link: http://osvdb.org/36671

Source: OSVDB; Name: 36670; Link: http://osvdb.org/36670

Source: XF; Name: cisco-ios-sip-dos(35890); Link: http://xforce.iss.net/xforce/xfdb/35890

Source: VUPEN; Name: ADV-2007-2816; Link: http://www.frsirt.com/english/advisories/2007/2816

Patches

    None available
