漏洞信息详情
Cisco Unified Communications Manager及iOS 语音服务拒绝服务漏洞
- CNNVD编号:CNNVD-200708-150
- 危害等级: 超危
- CVE编号: CVE-2007-4294
- 漏洞类型: 其他
- 发布时间: 2007-08-09
- 威胁类型: 远程
- 更新时间: 2009-03-04
- 厂 商: cisco
- 漏洞来源: Cisco安全公告
漏洞简介
Cisco iOS是Cisco网络设备中所使用的操作系统。
Cisco iOS在处理各类协议报文时存在漏洞,远程攻击者可能利用这些漏洞导致设备不可用。
如果向运行Cisco iOS或Cisco Unified Communications Manager的网络设备发送了畸形的SIP报文的话,就可能导致拒绝服务或执行任意代码;此外如果运行Cisco iOS的网络设备接收到了畸形的MGCP报文、H.323报文、RTP报文,或在接收传真时收到了很大的报文,都可能导致服务崩溃或路由器挂起。
漏洞公告
Cisco已经为此发布了一个安全公告(cisco-sa-20070808-iOS-voice)以及相应补丁:
cisco-sa-20070808-iOS-voice:Voice Vulnerabilities in Cisco iOS and Cisco Unified Communications Manager
http://www.cisco.com/warp/public/707/cisco-sa-20070808-iOS-voice.sHTML
临时解决方法:
*应用以下基础架构ACL(iACL):
!-- Permit SIP, MGCP, H.323 and RTP services from trusted hosts destined
!-- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2427
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 1720
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 11720
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK range 16384 32767
!-- Deny SIP, MGCP, H.323 and RTP packets from all other sources destined
!-- to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5060
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 5061
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2427
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 1720
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 11720
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 2517
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK range 16384 32767
!-- Permit all other traffic to transit the device.
access-list 150 permit ip any any
interface serial 2/0
ip access-group 150 in
*应用以下控制面整型(CoPP):
!-- Deny SIP, MGCP, H.323 and RTP traffic from trusted hosts to all
!-- IP addresses configured on all interfaces of the affected device
!-- so that it will be allowed by the CoPP feature.
access-list 111 deny tcp host 192.168.100.1 any eq 5060
access-list 111 deny tcp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 5060
access-list 111 deny udp host 192.168.100.1 any eq 5061
access-list 111 deny udp host 192.168.100.1 any eq 2427
access-list 111 deny tcp host 192.168.100.1 any eq 1720
access-list 111 deny tcp host 192.168.100.1 any eq 11720
access-list 111 deny udp host 192.168.100.1 any eq 2517
access-list 111 deny udp host 192.168.100.1 any range 16384 32767
!-- Permit all other SIP, MGCP, H.323 and RTP traffic sent to all
!-- IP addresses configured on all interfaces of the affected device
!-- so that it will be policed and dropped by the CoPP feature.
access-list 111 permit tcp any any eq 5060
access-list 111 permit tcp any any eq 5061
access-list 111 permit udp any any eq 5060
access-list 111 permit udp any any eq 5061
access-list 111 permit udp any any eq 2427
access-list 111 permit tcp any any eq 1720
access-list 111 permit tcp any any eq 11720
access-list 111 permit udp any any eq 2517
access-list 111 permit udp any any range 16384 32767
!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and Layer 4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-voice-class
match access-group 111
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map drop-voice-traffic
class drop-voice-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input drop-voice-traffic
请注意在Cisco iOS的12.2S 和12.0S软件系列中policy-map句法有所不同:
policy-map drop-voice-traffic
class drop-voice-c
参考网址
来源: BID
名称: 25239
链接:http://www.securityfocus.com/bid/25239
来源: CISCO
名称: 20070808 Voice Vulnerabilities in Cisco iOS and Cisco Unified Communications Manager
链接:http://www.cisco.com/en/US/products/products_security_advisory09186a0080899653.sHTML
来源: SECTRACK
名称: 1018538
链接:http://securitytracker.com/id?1018538
来源: SECUNIA
名称: 26362
链接:http://secunia.com/advisories/26362
来源: OVAL
名称: oval:org.mitre.oval:def:5851
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5851
来源: OSVDB
名称: 36693
链接:http://osvdb.org/36693
来源: VUPEN
名称: ADV-2007-2816
链接:http://www.frsirt.com/english/advisories/2007/2816
受影响实体
补丁
暂无
评论