BUGTRAQ ID: 36499
CVE ID: CVE-2009-2870
Cisco IOS是思科网络设备所使用的互联网操作系统。
如果设备运行的Cisco IOS镜像中包含有Cisco Unified Border Element功能,则Cisco IOS软件的SIP实现中存在拒绝服务漏洞。处理一系列特制的SIP消息会导致设备重载。
Cisco IOS 12.4
Cisco IOS 12.3
临时解决方法:
禁用SIP监听端口
sip-ua
no transport udp
no transport tcp
no transport tcp tls
部署以下控制面整型(CoPP)
!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5061
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
access-list 100 permit tcp any any eq 5061
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map drop-sip-traffic
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input drop-sip-traffic
厂商补丁:
Cisco已经为此发布了一个安全公告(cisco-sa-20090923-sip)以及相应补丁:
cisco-sa-20090923-sip:Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
链接:http://www.cisco.com/warp/public/707/cisco-sa-20090923-sip.shtml