G大调的悲伤 posted on 2010-7-27 13:43:00

Cisco IOS IPv6 Routing Header Information Leakage and Denial of Service Vulnerability

Affected systems:
  Cisco IOS XR 3.x
  Cisco IOS 12.3
  Cisco IOS 12.2
  Cisco IOS 12.1
  Cisco IOS 12.0
  Description:
  Cisco IOS is the operating system used on Cisco network devices.
  Cisco IOS and Cisco IOS XR contain a vulnerability in the handling of specially crafted IPv6 packets that carry a Type 0 Routing Header. It can cause information leakage on affected IOS and IOS XR devices, or a crash of affected IOS devices.
  Successful exploitation of the vulnerability described here causes the destination IPv6 address in the IPv6 packet header to be swapped with 16 bytes of memory from the packet buffer, so that data from buffer memory is leaked in the form of an IPv6 destination address. The memory accessed through this vulnerability is no more than 1500 bytes from the start of the packet header. For devices running Cisco IOS, the worst case is a complete crash of the device; for devices running Cisco IOS XR, a successful attack does not crash the whole device but causes the IPv6 subsystem to restart. Repeated successful attacks cause a sustained denial of service for every upper-layer service that uses IPv6 as its transport, but not a denial of service of the device as a whole.
  <*Source: Tom Cross
  Link: http://secunia.com/advisories/26359/
  http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml
  *>
  Recommendation:
  Temporary workarounds:
  * Apply the following Control Plane Policing (CoPP) configuration:
  !-- Permit all IPv6 Routing Header Type 0 (Source Route) packets
  !-- sent to any IPv6 address configured on interfaces of the
  !-- affected device or IPv6 link-local addresses. This traffic
  !-- will be policed and dropped by the CoPP feature.
  !
  ipv6 access-list DENY-IPv6-RH0
  permit ipv6 any any routing-type 0
  !
  !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
  !-- traffic in accordance with existing security policies and
  !-- configurations for traffic that is authorized to be sent
  !-- to infrastructure devices.
  !
  !-- Create a Class-Map for traffic to be policed by the CoPP feature.
  !
  class-map match-all drop-IPv6-RH0-class
  match access-group name DENY-IPv6-RH0
  !
  !-- Create a Policy-Map that will be applied to the Control-Plane of
  !-- the device.
  policy-map drop-IPv6-RH0-traffic
Originally published by [Chinabyte]; keep the original link when reposting: http://sec.chinabyte.com/266/11437766.shtml

G大调的悲伤 posted on 2010-7-27 13:43:28

  class drop-IPv6-RH0-class
  drop
  !
  !-- Apply the Policy-Map to the Control-Plane of the device.
  control-plane
  service-policy input drop-IPv6-RH0-traffic
  !

  * Cisco IOS devices without Mobile IPv6 deployed

  For versions before IOS 12.2(15)T, use an ACL to filter all packets that contain a routing header:

  Router(config)#ipv6 access-list deny-sourcerouted
  Router(config-ipv6-acl)#deny ipv6 any any routing
  Router(config-ipv6-acl)#permit ipv6 any any
  Router(config-ipv6-acl)#exit
  Router(config)#interface Ethernet0
  Router(config-if)#ipv6 traffic-filter deny-sourcerouted in

  * Cisco IOS devices with Mobile IPv6 deployed

  Versions from IOS 12.2(15)T onward can use the ipv6 source-route command:

  Router(config)#no ipv6 source-route

  IOS 12.4(2)T added the routing-type keyword to IPv6 ACLs, which selectively permits or denies a specific routing type:

  Router(config)#ipv6 access-list deny-sourcerouted
  Router(config-ipv6-acl)#deny ipv6 any any routing-type 0
  Router(config-ipv6-acl)#permit ipv6 any any
  Router(config)#interface Ethernet0
  Router(config-if)#ipv6 traffic-filter deny-sourcerouted in

  * Cisco IOS XR devices without Mobile IPv6 deployed

  Use an ACL to filter all packets that contain a routing header:

  Router-IOS_XR#configure terminal
  Router-IOS_XR(config)#ipv6 access-list deny-ipv6-type0-rh
  Router-IOS_XR(config-ipv6-acl)#deny ipv6 any host 2001:0DB8:12::3 routing
  Router-IOS_XR(config-ipv6-acl)#permit ipv6 any any
  Router-IOS_XR(config-ipv6-acl)#exit
  Router-IOS_XR(config)#interface GigabitEthernet 0/0/0/1
  Router-IOS_XR(config-if)#ipv6 access-group deny-ipv6-type0-rh ingress
  Router-IOS_XR(config-if)#end

  Vendor patch:

  Cisco
  -----
  Cisco has released a security advisory (cisco-sa-20070808-IOS-IPv6-leak) and corresponding patches:

  cisco-sa-20070808-IOS-IPv6-leak: Cisco IOS Information Leakage Using IPv6 Routing Header

  Link: http://www.cisco.com/warp/public/707/cisco-sa-20070808-IOS-IPv6-leak.shtml

Originally published by [Chinabyte]; keep the original link when reposting: http://sec.chinabyte.com/266/11437766_2.shtml
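The workarounds above turn on one distinction: the older `routing` ACL keyword drops every IPv6 routing header, including the Type 2 header that Mobile IPv6 relies on, while the `routing-type 0` keyword introduced in 12.4(2)T drops only RH0. The following is an added example, not part of the reposted advisory or of Cisco's code. It walks an IPv6 extension-header chain the way a filter must (Hop-by-Hop, Fragment, AH and Destination Options all have their own length rules), decodes any Routing header it finds, and emulates the two ACL keywords for `any any` entries so the difference can be checked on constructed packets. Addresses come from the 2001:db8::/32 documentation range, the transport payload is a zero-filled placeholder, and the ACL emulation matches only the routing keywords, not source or destination addresses; all of that is an assumption of this example.

```python
"""Walk an IPv6 extension-header chain and emulate the advisory's two ACL keywords:
'routing' (any routing header) and 'routing-type 0' (RH0 only). Packets are constructed."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

IPV6_HDR_LEN = 40
NH_HOPOPT, NH_ROUTING, NH_FRAG, NH_AH, NH_DSTOPT = 0, 43, 44, 51, 60
NH_TCP = 6
EXT_HEADERS = {NH_HOPOPT, NH_ROUTING, NH_FRAG, NH_AH, NH_DSTOPT}

@dataclass
class RoutingHeader:
    routing_type: int
    segments_left: int
    addresses: List[str]  # decoded for type 0 only

@dataclass
class Ipv6Summary:
    src: str
    dst: str
    upper_proto: int  # next-header value reached after the extension chain
    routing: Optional[RoutingHeader]

def parse_ipv6(pkt: bytes) -> Ipv6Summary:
    """Walk the extension headers; reject malformed input instead of guessing,
    because a filter that guesses is a filter that can be bypassed."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack_from("!HB", pkt, 4)
    end = IPV6_HDR_LEN + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    src = ipaddress.IPv6Address(pkt[8:24]).compressed
    dst = ipaddress.IPv6Address(pkt[24:40]).compressed
    off, routing = IPV6_HDR_LEN, None
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == NH_FRAG:          # fixed 8 bytes, length field is reserved
            hdr_len = 8
        elif nh == NH_AH:          # AH counts 4-octet units minus 2
            hdr_len = (ext_len + 2) * 4
        else:                      # 8-octet units, not counting the first 8
            hdr_len = (ext_len + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header runs past payload")
        if nh == NH_ROUTING and routing is None:
            rtype, segs = pkt[off + 2], pkt[off + 3]
            addrs: List[str] = []
            if rtype == 0:         # RH0: 4 reserved bytes, then n addresses, ext_len = 2n
                if ext_len % 2:
                    raise ValueError("RH0 length must be even")
                for i in range(ext_len // 2):
                    a = off + 8 + 16 * i
                    addrs.append(ipaddress.IPv6Address(pkt[a:a + 16]).compressed)
                if segs > len(addrs):
                    raise ValueError("segments left exceeds address count")
            routing = RoutingHeader(rtype, segs, addrs)
        nh, off = next_nh, off + hdr_len
    return Ipv6Summary(src, dst, nh, routing)

def keyword_matches(s: Ipv6Summary, keyword: Optional[str]) -> bool:
    """Match part of a 'permit|deny ipv6 any any [keyword]' entry (any/any only)."""
    if keyword is None:
        return True
    if s.routing is None:
        return False
    if keyword == "routing":                  # pre-12.4(2)T: every routing header
        return True
    if keyword.startswith("routing-type "):   # 12.4(2)T and later: one routing type
        return s.routing.routing_type == int(keyword.split()[1])
    raise ValueError(f"unsupported keyword {keyword!r}")

def apply_acl(pkt: bytes, acl: Sequence[Tuple[str, Optional[str]]]) -> str:
    """First matching entry wins; IPv6 ACLs end with an implicit deny."""
    s = parse_ipv6(pkt)
    for action, keyword in acl:
        if keyword_matches(s, keyword):
            return action
    return "deny"

def build_ipv6(src: str, dst: str, first_nh: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def routing_header(next_nh: int, rtype: int, segs_left: int, addrs: Sequence[str]) -> bytes:
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return bytes([next_nh, len(body) // 8, rtype, segs_left]) + b"\x00" * 4 + body

FAKE_TCP = b"\x00" * 20  # constructed placeholder for a transport header
HBH_PADN = bytes([NH_ROUTING, 0, 1, 4, 0, 0, 0, 0])  # Hop-by-Hop header with one PadN option
PLAIN = build_ipv6("2001:db8::1", "2001:db8::2", NH_TCP, FAKE_TCP)
RH0 = build_ipv6("2001:db8::1", "2001:db8::2", NH_HOPOPT,
                 HBH_PADN + routing_header(NH_TCP, 0, 2, ["2001:db8::a", "2001:db8::b"]) + FAKE_TCP)
RH2 = build_ipv6("2001:db8::1", "2001:db8::2", NH_ROUTING,  # Mobile IPv6 type 2 header
                 routing_header(NH_TCP, 2, 1, ["2001:db8::100"]) + FAKE_TCP)
LEGACY_ACL = [("deny", "routing"), ("permit", None)]        # deny ipv6 any any routing
TYPE0_ACL = [("deny", "routing-type 0"), ("permit", None)]  # deny ipv6 any any routing-type 0

def verdicts(acl: Sequence[Tuple[str, Optional[str]]]) -> dict:
    return {name: apply_acl(p, acl) for name, p in (("plain", PLAIN), ("rh0", RH0), ("rh2", RH2))}

if __name__ == "__main__":
    print("routing:", verdicts(LEGACY_ACL), "routing-type 0:", verdicts(TYPE0_ACL))
```

Running it shows the trade-off the advisory describes: the `routing` keyword denies both the RH0 packet and the Mobile IPv6 RH2 packet, while `routing-type 0` denies only RH0 and lets RH2 through, which is why the advisory reserves the older form for devices with no Mobile IPv6 deployment. The parser also refuses an RH0 whose Segments Left exceeds its address count, a malformed case a real filter should treat as a drop rather than a pass.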

zhczf posted on 2010-8-7 23:38:31

There still aren't many IPv6 addresses in real consumer use.