Cisco IOS Crafted IP Option Remote Denial of Service and Code Execution Vulnerability

Published: 2007-01-24
Updated: 2007-01-25

Affected systems:
Cisco IOS XR 3.2.X
Cisco IOS XR 3.0.X
Cisco IOS XR 2.0.X
Cisco IOS 12.0-12.4
Description:
BUGTRAQ  ID: 22211

Cisco IOS is the operating system used by Cisco devices.

Cisco IOS has a vulnerability in its handling of certain malformed IP packets; a remote attacker could exploit it to render the device inoperable or to execute arbitrary instructions on the device.

The vulnerability is triggered only if all three of the following conditions are met:

1. The packet contains a crafted IP option
2. The packet uses one of the following protocols:

    * ICMP - Echo (Type 8) - 'ping'
    * ICMP - Timestamp (Type 13)
    * ICMP - Information Request (Type 15)
    * ICMP - Address Mask Request (Type 17)
    * PIMv2 - IP protocol 103
    * PGM - IP protocol 113
    * URD - TCP Port 465

3. The packet is sent to a physical or virtual IPv4 address configured on the affected device

An attacker who sends such crafted packets can cause a denial of service or arbitrary code execution on Cisco devices that run Cisco IOS or Cisco IOS XR software and are configured to process IPv4 packets. On Cisco IOS, a successful attack causes the device to reload or executes arbitrary code; on Cisco IOS XR, a successful attack causes the ipv4_io process to restart or executes arbitrary code, and repeated attacks cause a CRS-1 node or an XR 12000 line card to reload.
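The three conditions above can be expressed as detection logic over raw IPv4 packets, for example in a capture-triage script that flags traffic matching this advisory. This is an added example, not code from the advisory or from Cisco; `matches_advisory`, `build_ipv4`, the device address 192.0.2.1 and the sample packets are constructed for illustration, and the Router Alert option merely stands in for "any IP option".

```python
import ipaddress
import struct

# Protocols and ICMP types named in the advisory's second condition
ICMP_AFFECTED_TYPES = {8, 13, 15, 17}   # echo, timestamp, info request, mask request
PROTO_ICMP, PROTO_TCP, PROTO_PIM, PROTO_PGM = 1, 6, 103, 113
URD_PORT = 465


def matches_advisory(packet: bytes, device_addrs: set) -> bool:
    """True only when all three advisory conditions hold for this raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False                       # malformed header length; out of scope here
    has_options = ihl > 20                 # condition 1: IHL > 5 means options are present
    proto = packet[9]
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    payload = packet[ihl:]
    if proto == PROTO_ICMP:                # condition 2: only the listed ICMP types
        affected = len(payload) >= 1 and payload[0] in ICMP_AFFECTED_TYPES
    elif proto == PROTO_TCP:               # URD: TCP destination port 465
        affected = len(payload) >= 4 and struct.unpack("!H", payload[2:4])[0] == URD_PORT
    else:                                  # PIMv2 and PGM match on protocol number alone
        affected = proto in (PROTO_PIM, PROTO_PGM)
    return has_options and affected and dst in device_addrs   # condition 3


def build_ipv4(proto: int, dst: str, payload: bytes, options: bytes = b"") -> bytes:
    """Hypothetical helper that builds constructed test packets (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)           # pad options to a 32-bit boundary with EOL
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, proto, 0, b"\x0a\x00\x00\x02",
                         ipaddress.IPv4Address(dst).packed)
    return header + options + payload


# Constructed samples: a Router Alert option (type 0x94) stands in for "any IP option"
ROUTER_ALERT = b"\x94\x04\x00\x00"
ECHO_REQUEST = b"\x08\x00\x00\x00\x00\x01\x00\x01"     # ICMP type 8, zero checksum
TCP_TO_465 = struct.pack("!HH", 40000, URD_PORT) + b"\x00" * 16
DEVICE = {"192.0.2.1"}                                  # constructed device address

if __name__ == "__main__":
    pkt = build_ipv4(PROTO_ICMP, "192.0.2.1", ECHO_REQUEST, ROUTER_ALERT)
    print("matches advisory:", matches_advisory(pkt, DEVICE))
```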

<*Source: Cisco Security Advisory
  
  链接:http://www.us-cert.gov/cas/techalerts/TA07-024A.html
        http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml
*>

Recommendations:
Workarounds:

* Use the IP Options Selective Drop feature:
    
    ip options drop

* Apply a transit access control list (ACL). The following ACL blocks the attack traffic; deploy it on all IPv4 interfaces of the device:

    access-list 150 deny   icmp any any echo
    access-list 150 deny   icmp any any information-request
    access-list 150 deny   icmp any any timestamp-request
    access-list 150 deny   icmp any any mask-request
    access-list 150 deny   tcp any any eq 465
    access-list 150 deny   103 any any
    access-list 150 deny   113 any any
    access-list 150 permit ip any any
    
    interface serial 2/0
     ip access-group 150 in

The following Cisco IOS XR ACL blocks the attack traffic; deploy it on all IPv4 interfaces of the device:

    ipv4 access-list ios-xr-transit-acl
     10 deny   icmp any any echo
     20 deny   icmp any any information-request
     30 deny   icmp any any timestamp-request
     40 deny   icmp any any mask-request
     50 deny   tcp any any eq 465
     60 deny   103 any any
     70 deny   113 any any
     80 permit ip any any
    
    interface POS 0/2/0/
      ipv4 access-group ios-xr-transit-acl ingress
    
* Apply an infrastructure access control list:

Cisco IOS
+--------

    access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES echo
    access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES information-request
    access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES timestamp-request
    access-list 150 deny   icmp any INFRASTRUCTURE_ADDRESSES mask-request
    access-list 150 deny   tcp any INFRASTRUCTURE_ADDRESSES  eq 465
    access-list 150 deny   103 any INFRASTRUCTURE_ADDRESSES
    access-list 150 deny   113 any INFRASTRUCTURE_ADDRESSES
    access-list 150 permit ip any any
    
    interface serial 2/0
     ip access-group 150 in

Cisco IOS XR
+-----------

    ipv4 access-list ios-xr-infrastructure-acl
     10 deny   icmp any INFRASTRUCTURE_ADDRESSES  echo
     20 deny   icmp any INFRASTRUCTURE_ADDRESSES  information-request
     30 deny   icmp any INFRASTRUCTURE_ADDRESSES  timestamp-request
     40 deny   icmp any INFRASTRUCTURE_ADDRESSES  mask-request
     50 deny   tcp any INFRASTRUCTURE_ADDRESSES  eq 465
     60 deny   103 any INFRASTRUCTURE_ADDRESSES
     70 deny   113 any INFRASTRUCTURE_ADDRESSES
     80 permit ip any any
    
    interface POS 0/2/0/2
      ipv4 access-group ios-xr-infrastructure-acl ingress

* Apply a receive access control list:

    access-list 101 deny   icmp any any echo
    access-list 101 deny   icmp any any information-request
    access-list 101 deny   icmp any any timestamp-request
    access-list 101 deny   icmp any any mask-request
    access-list 101 deny   tcp any any eq 465
    access-list 101 deny   103 any any
    access-list 101 deny   113 any any
    access-list 101 permit ip any any
    !
    ip receive access-list 101

* Control Plane Policing (CoPP). The following CoPP example drops every packet that could exploit this vulnerability while permitting other IP traffic:

    access-list 100 permit icmp any any echo
    access-list 100 permit icmp any any information-request
    access-list 100 permit icmp any any timestamp-request
    access-list 100 permit icmp any any mask-request
    access-list 100 permit tcp any any eq 465
    access-list 100 permit 103 any any
    access-list 100 permit 113 any any
    access-list 100 deny   ip any any
    !
    class-map match-all drop-options-class
     match access-group 100
    !
    !
    policy-map drop-options-policy
     class drop-options-class
       drop
    !    
    control-plane
     service-policy input drop-options-policy

Note that the policy-map syntax differs slightly in the Cisco IOS 12.0S, 12.2S and 12.2SX trains:

    policy-map drop-options-policy
     class drop-options-class
     police 32000 1500 1500 conform-action drop exceed-action drop

The following example drops packets, sent to or through the router, that carry the IP options affected by this vulnerability, while other IP traffic is not affected:

    ip access-list extended drop-affected-options
     permit icmp any any echo option any-options
     permit icmp any any information-request option any-options
     permit icmp any any timestamp-request option any-options
     permit icmp any any mask-request option any-options
     permit pim any any option any-options
     permit 113 any any option any-options
     permit tcp any any eq 465 option any-options
     deny ip any any
    !
    class-map match-all drop-options-class
     match access-group name drop-affected-options
    !
    !
    policy-map drop-opt-policy
     class drop-options-class
      drop
    !
    control-plane
     service-policy input drop-opt-policy

Note that the policy-map syntax differs slightly in the Cisco IOS 12.2S train:

    policy-map drop-opt-policy
     class drop-options-class
      police 32000 1500 1500 conform-action drop exceed-action drop

Vendor patches:

Cisco
-----
Cisco has released a security advisory (cisco-sa-20070124-crafted-ip-option) and corresponding patches for this issue:
cisco-sa-20070124-crafted-ip-option: Crafted IP Option Vulnerability
Link: http://www.cisco.com/warp/public/707/cisco-sa-20070124-crafted-ip-option.shtml

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.