Cisco IOS Service Assurance Agent畸形包远程拒绝服务攻击漏洞
信息提供:
安全公告(或线索)提供热线:51cto.editor@gmail.com漏洞类别:
有效性检查错误攻击类型:
拒绝服务攻击发布日期:
2003-05-15更新日期:
2003-05-20受影响系统:
Cisco 1000
Cisco 12000
Cisco 1400
Cisco 1500
Cisco 1600
Cisco 1700
Cisco 2500
Cisco 2600
Cisco 3000
Cisco 3600
Cisco 3800
Cisco 4000
Cisco 4500
Cisco 4700
Cisco 6400
Cisco 6400
Cisco 6400 NRP2
Cisco 7000
Cisco 7200
Cisco 800
Cisco IOS 12.2 YH
Cisco IOS 12.2 YG
Cisco IOS 12.2 YF
Cisco IOS 12.2 YC
Cisco IOS 12.2 YB
Cisco IOS 12.2 YA
Cisco IOS 12.2 XM
Cisco IOS 12.2 XL
Cisco IOS 12.2 XK
Cisco IOS 12.2 XJ
Cisco IOS 12.2 XI
Cisco IOS 12.2 XH
Cisco IOS 12.2 XE
Cisco IOS 12.2 XD
Cisco IOS 12.2 XC
Cisco IOS 12.2 S
Cisco IOS 12.2 MB
Cisco IOS 12.2 DA
Cisco IOS 12.2 BZ
Cisco IOS 12.2 BY
Cisco IOS 12.2 BC
Cisco IOS 12.2 (7a)
Cisco IOS 12.2 (7)DA
Cisco IOS 12.2 (7)
Cisco IOS 12.2 (4)B
Cisco IOS 12.2
Cisco IOS 12.1 YC
Cisco IOS 12.1 YB
Cisco IOS 12.1 XG
Cisco IOS 12.1 XF
Cisco IOS 12.1 EY
Cisco IOS 12.1 EX
Cisco IOS 12.1 EW
Cisco IOS 12.1 EC
Cisco IOS 12.1 EA
Cisco IOS 12.1 E
Cisco IOS 12.1 (12b)
Cisco IOS 12.1 (11b)
Cisco IOS 12.1 (11)
Cisco IOS 12.1 (10a)
Cisco IOS 12.1 (10)E
Cisco IOS 12.1 (10)E
Cisco IOS 12.1 (10)E
Cisco IOS 12.1
Cisco IOS 12.0 XE
Cisco IOS 12.0 WC
Cisco IOS 12.0 SY
Cisco IOS 12.0 SX
Cisco IOS 12.0 ST
Cisco IOS 12.0 SP
Cisco IOS 12.0 SL
Cisco IOS 12.0 SC
Cisco IOS 12.0 S
Cisco IOS 12.0 (21)S
Cisco IOS 12.0 (21)S
Cisco IOS 12.0 (21)S
Cisco IOS 12.0 (19)S
Cisco IOS 12.0 (19)S
Cisco IOS 12.0 (18)S
Cisco IOS 12.0 (17)S
Cisco Router 770.0
Cisco Router 760.0
Cisco Router 7500.0
Cisco Router 750.0
Cisco Router 7200.0
Cisco Router 7100.0
Cisco Router 6600.0
Cisco Router 4000.0
Cisco Router 3660.0
Cisco Router 3600.0
Cisco Router 2600.0
Cisco Router 2500.0安全系统:
无
漏洞报告人:
Cisco Security Advisory漏洞描述:
BUGTRAQ ID: 7607
Service Assurance Agent (SAA)在CISCO系统中是原来"响应时间报告器Response Time Reporter (RTR)"的新名称。
CISCO路由器在处理畸形Service Assurance Agent包时存在问题,远程攻击者可以利用这个漏洞对设备进行拒绝服务攻击。
RTR答应用户监视网络性能,网络资源和通过衡量响应时间来判定应用程序性能,利用这个特征可以进行故障排除,问题通告,问题分析等操作。攻击者通过发送畸形Service Assurance Agent包,可导致使用RTR的设备崩溃,停止对正常通信的响应。
要验证是否似乎用了RTR responder,可使用如下命令验证:
Router>show rtr responder
RTR Responder is: Enabled
Number of control messages received: 0 Number of errors: 0
Recent sources:
Recent error sources:
假如注重到 有"RTR Responder is: Enabled," 一行,说明你的设备存在此漏洞。
用户也可以使用如下过程:
Router>show ip socket
show ip socket
Proto Remote Port Local Port In Out Stat TTY OutputIF
....
17 0.0.0.0 0 10.0.0.1 1967 0 0 89 0
注重到假如路由器监听1967端口,说明你的设备存在此漏洞。
此漏洞CISCO BUG ID为:CSCdx17916和CSCdx61997。
测试方法:
无解决方法:
临时解决方法:
假如您不能马上安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 使用如下命令不使用RTR:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no rtr responder
Router(config)#exit
Router#copy running-config startup-config
或设置规则过滤来自不信任网络到UDP 1967的端口:
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#Access-list 101 deny udp any any eq 1967
Router(config)#interface eth0
Router(config)#ip access-group 101 in
厂商补丁:
Cisco
-----
Cisco已经为此发布了一个安全公告(cisco-sa-20030515-saa)以及相应补丁:
cisco-sa-20030515-saa:Cisco Security Advisory:燙isco Security Advisory: Cisco IOS Software Processing of SAA Packets
链接:http://www.cisco.com/warp/public/707/cisco-sa-20030515-saa.sHtml
联系供给商升级固件:
Cisco IOS 12.0 XE:
Cisco Upgrade IOS 12.2
Cisco IOS 12.0 WC:
Cisco Upgrade IOS 12.0(5)WCa
http://www.cisco.com/
Cisco IOS 12.0 SY:
Cisco Upgrade IOS 12.0(22)SY
http://www.cisco.com/
Cisco IOS 12.0 ST:
Cisco Upgrade IOS 12.0(19)ST5
Cisco Upgrade IOS 12.0(21)ST2
Cisco IOS 12.0 SL:
Cisco Upgrade IOS 12.0ST
Cisco Upgrade IOS 12.0S
Cisco IOS 12.0 SC:
Cisco Upgrade IOS 12.1EC
Cisco IOS 12.0 S:
Cisco Upgrade IOS 12.0(21)S3
Cisco IOS 12.1 YC:
Cisco Upgrade IOS 12.1(4)T
http://www.cisco.com/
Cisco IOS 12.1 YB:
Cisco Upgrade IOS 12.1(2)T
http://www.cisco.com/
Cisco IOS 12.1 XG:
Cisco Upgrade IOS 12.2
Cisco Upgrade IOS 12.1(1)T
http://www.cisco.com/
Cisco IOS 12.1 XF:
Cisco Upgrade IOS 12.2
Cisco IOS 12.1 EX:
Cisco Upgrade IOS 12.1(11b)EX
http://www.cisco.com/
Cisco IOS 12.1 EW:
Cisco Upgrade IOS 12.1(11b)EW(0.46)
http://www.cisco.com/
Cisco Upgrade IOS 12.1(11b)EW
http://www.cisco.com/
Cisco IOS 12.1 EC:
Cisco Upgrade IOS 12.1(12c)EC
http://www.cisco.com/
Cisco IOS 12.1 EA:
Cisco Upgrade IOS 12.1(8)EA1c
http://www.cisco.com/
Cisco IOS 12.1 E:
Cisco Upgrade IOS 12.1(13)E
http://www.cisco.com/
Cisco IOS 12.1:
Cisco Upgrade IOS 12.1(18)
Cisco IOS 12.2 YH:
Cisco Upgrade IOS 12.2(4)YH
http://www.cisco.com/tac
Cisco IOS 12.2 YG:
Cisco Upgrade IOS 12.2(4)YG
http://www.cisco.com/tac
Cisco IOS 12.2 YC:
Cisco Upgrade IOS 12.2(4)YC4
http://www.cisco.com/tac
Cisco IOS 12.2 YA:
Cisco Upgrade IOS 12.2(4)YA3
http://www.cisco.com/tac
Cisco IOS 12.2 XL:
Cisco Upgrade IOS 12.2(4)XL5
http://www.cisco.com/tac
Cisco IOS 12.2 XK:
Cisco Upgrade IOS 12.2(2)XK3
http://www.cisco.com/tac
Cisco IOS 12.2 XC:
Cisco Upgrade IOS 12.2(1a)XC5
http://www.cisco.com/tac
Cisco IOS 12.2 S:
Cisco Upgrade IOS 12.2(11.1)S
http://www.cisco.com/tac
Cisco IOS 12.2 MB:
Cisco Upgrade IOS 12.2(4)MB5
http://www.cisco.com/tac
Cisco IOS 12.2 DA:
Cisco Upgrade IOS 12.2(12)DA
http://www.cisco.com/tac
Cisco IOS 12.2 BZ:
Cisco Upgrade IOS 12.2(15)BZ
http://www.cisco.com/tac
Cisco IOS 12.2 (4)B:
Cisco Upgrade IOS 12.2(13.3)B
http://www.cisco.com/tac
Cisco IOS 12.2:
Cisco Upgrade IOS 12.2(10)
http://www.cisco.com/tac
Cisco为所有受影响客户提供免费的软件升级来修正这些漏洞,客户只能获得和安装他们所购买的功能类别相关的技术支持。通过安装,下载,访问或使用这些软件升级,客户必须同意CISCO软件许可条例中的条例:
http://www.cisco.com/public/sw-license-agreement.html
或由Cisco连接在线软件中心的声明:
http://www.cisco.com/public/sw-center/sw-usingswc.shtm.
拥有服务合同的客户必须连接他们常规升级渠道获得由此公告指定的免费升级软件。对于大多数拥有服务合同的客户,这意味着升级必须通过CISCO全球WEB站软件中心获得:
http://www.cisco.com/tacpage/sw-center/.
要访问此下载URL,你必须是注册用户和必须登录后才能使用。
事先或目前与第三方支持组织,如Cisco合作伙伴、授权零售商或服务商之间已有协议,由第三方组织提供Cisco产品或技术支持的用户可免费获得升级支持。
直接从Cisco购买产品但没有Cisco服务合同的用户和由第三方厂商购买产品但无法从销售方获得已修复软件的用户可从Cisco技术支持中心(TAC)获取升级软件。TAC联系方法:
* +1 800 553 2447 (北美地区免话费)
* +1 408 526 7209 (全球收费)
* e-mail: tac@cisco.com
查看 http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml 获取额外的TAC联系信息,包括非凡局部的电话号码,各种语言的指南和EMAIL地址。