Cisco IOS IPv6路由头信息泄露及拒绝服务漏洞 |
|
受影响系统:
Cisco IOS XR 3.x Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 描述: Cisco IOS是Cisco网络设备中所使用的操作系统。 Cisco IOS和Cisco IOS XR在处理包含Type 0路由头的特制IPv6报文时存在漏洞,可能导致在受影响的IOS和IOS XR设备上出现信息泄露或受影响的IOS设备崩溃。 成功利用本文所述漏洞会导致在IPv6报文头中目标IPv6地址与距离报文缓冲区内存16字节处相互交换内存,这样就以IPv6目标地址的形式从缓冲区内存泄露数据,通过这个漏洞所访问的内存不会高于报文头起始处1500个字节。对于运行Cisco IOS的设备,最严重的情况是IOS设备完全崩溃;对于运行Cisco IOS XR的设备,成功攻击不会导致整个设备崩溃,而是导致IPv6子系统重启。反复的成功攻击会导致所有使用IPv6做为传输协议的所有上层服务持续的拒绝服务,但不是整个设备拒绝服务。 <*来源:Tom Cross 链接:http://secunia.com/advisories/26359/ http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml *> 建议: 临时解决方法: * 应用以下控制面整型(CoPP): !-- Permit all IPv6 Routing Header Type 0 (Source Route) packets !-- sent to any IPv6 address configured on interfaces of the !-- affected device or IPv6 link-local addresses. This traffic !-- will be policed and dropped by the CoPP feature. ! ipv6 access-list DENY-IPv6-RH0 permit ipv6 any any routing-type 0 ! !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4 !-- traffic in accordance with existing security policies and !-- configurations for traffic that is authorized to be sent !-- to infrastructure devices. ! !-- Create a Class-Map for traffic to be policed by the CoPP feature. ! class-map match-all drop-IPv6-RH0-class match access-group name DENY-IPv6-RH0 ! !-- Create a Policy-Map that will be applied to the Control-Plane of !-- the device. policy-map drop-IPv6-RH0-traffic 原文出自【比特网】,转载请保留原文链接:http://sec.chinabyte.com/266/11437766.shtml |
|
class drop-IPv6-RH0-class
drop ! !-- Apply the Policy-Map to the Control-Plane of the device. control-plane service-policy input drop-IPv6-RH0-traffic ! * 没有部署移动IPv6的Cisco IOS设备 对于IOS 12.2(15)T之前版本,使用ACL过滤所有包含有路由头的报文: Router(config)#ipv6 access-list deny-sourcerouted Router(config-ipv6-acl)#deny ipv6 any routing Router(config-ipv6-acl)#deny ipv6 any routing Router(config-ipv6-acl)#permit ipv6 any any Router(config-ipv6-acl)#exit Router(config)#interface Ethernet0 Router(config-if)#ipv6 traffic-filter deny-sourcerouted in * 部署了移动IPv6的Cisco IOS设备 IOS 12.2(15)T之后版本使用ipv6 source-route命令: Router(config)#no ipv6 source-route IOS 12.4(2)T版本中IPv6 ACL中添加了新的关键字routing-type,可用于有选择性的允许或拒绝特定的路由类型: Router(config)#ipv6 access-list deny-sourcerouted Router(config-ipv6-acl)#deny ipv6 any routing-type 0 Router(config-ipv6-acl)#permit ipv6 any any Router(config)#interface Ethernet0 Router(config-if)#ipv6 traffic-filter deny-sourcerouted in * 没有部署移动IPv6的Cisco IOS XR设备 使用ACL过滤所有包含有路由头的报文: Router-IOS_XR#configure terminal Router-IOS_XR(config)#ipv6 access-list deny-ipv6-type0-rh Router-IOS_XR(config-ipv6-acl)#deny ipv6 any host 2001:0DB8:12::3 routing Router-IOS_XR(config-ipv6-acl)#permit ipv6 any any Router-IOS_XR(config-ipv6-acl)#exit Router-IOS_XR(config)#interface GigabitEthernet 0/0/0/1 Router-IOS_XR(config-if)#ipv6 access-group deny-ipv6-type0-rh ingress Router-IOS_XR(config-if)#end 厂商补丁: Cisco ----- Cisco发布了一个安全公告(cisco-sa-20070808-IOS-IPv6-leak)以及相应补丁: cisco-sa-20070808-IOS-IPv6-leak:Cisco IOS Information Leakage Using IPv6 Routing Header 链接:http://www.cisco.com/warp/public ... IOS-IPv6-leak.shtml 原文出自【比特网】,转载请保留原文链接:http://sec.chinabyte.com/266/11437766_2.shtml |
丢掉OPENWRT旁网关。ESXi下实现iKuai+OP双7129 人气#黑白群晖
迅雷NAS版の邀请码770 人气#黑白群晖
9月21更新DSM7.2.2AME完美解码!解决Survei27743 人气#黑白群晖
最新版Surveillance Station 9.2.0-11289支12554 人气#黑白群晖
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
