Category:
2008-10-27 14:23:37
Published: 2007-09-25
Updated: 2007-09-27
Affected systems:
Cisco Catalyst 6500
Cisco 7600
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 25822
Cisco Catalyst is a family of commercial-grade switches released and maintained by Cisco.
Catalyst 6500 and Cisco 7600 series devices have a vulnerability in the way they handle loopback addresses; a remote attacker may be able to exploit it to bypass certain checks and gain unauthorized access.
Catalyst 6500 and Cisco 7600 series devices use addresses in the 127.0.0.0/8 (loopback) range on the Ethernet Out-of-Band Channel (EOBC) for internal communication, and the addresses in this range used on the EOBC can be reached from outside the system. The Supervisor module, the Multilayer Switch Feature Card (MSFC), or any other intelligent module may accept and process packets destined for the 127.0.0.0/8 network. An attacker can use this behaviour to bypass access control lists that do not filter the 127.0.0.0/8 address range, but cannot bypass authentication or authorization.
<*Source: Lee E. Rian
Link:
*>
Recommendations:
--------------------------------------------------------------------------------
Workarounds:
* Apply an access control list that filters packets destined for the 127.0.0.0/8 address range:

    ip access-list extended block_loopback
     deny ip any 127.0.0.0 0.255.255.255
     permit ip any any
    interface Vlan x
     ip access-group block_loopback in

* Apply the following Control Plane Policing (CoPP) configuration:

    !-- Permit all traffic with a destination IP
    !-- address in the 127.0.0.0/8 address range sent to
    !-- the affected device so that it will be policed and
    !-- dropped by the CoPP feature
    !
    access-list 111 permit icmp any 127.0.0.0 0.255.255.255
    access-list 111 permit udp any 127.0.0.0 0.255.255.255
    access-list 111 permit tcp any 127.0.0.0 0.255.255.255
    access-list 111 permit ip any 127.0.0.0 0.255.255.255
    !
    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3
    !-- and Layer4 traffic in accordance with existing security
    !-- policies and configurations for traffic that is authorized
    !-- to be sent to infrastructure devices
    !
    !-- Create a Class-Map for traffic to be policed by the
    !-- CoPP feature
    !
    class-map match-all drop-127/8-netblock-class
     match access-group 111
    !
    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device.
    !
    policy-map drop-127/8-netblock-traffic
     class drop-127/8-netblock-class
      police 32000 1500 1500 conform-action drop exceed-action drop
    !
    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device
    !
    control-plane
     service-policy input drop-127/8-netblock-traffic
    !
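The ACL workaround only helps if the deny for 127.0.0.0/8 sits ahead of any permit that would match, and if the list is actually bound inbound on every Layer 3 VLAN interface. The script below, added here as an example and not part of this advisory or of Cisco's own material, audits a saved running-config text for exactly that: it parses extended ACLs and SVI bindings, checks that the first entry overlapping 127.0.0.0/8 is a deny covering the whole range, and reports every SVI that lacks such an ACL. The configuration text, interface names and function names are constructed for the example; only entries with source `any` are parsed.

```python
import ipaddress
import re
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")

# Constructed running-config fragment (not from the advisory): the ACL is right, but bound on only one SVI.
SAMPLE_CONFIG = """\
ip access-list extended block_loopback
 deny ip any 127.0.0.0 0.255.255.255
 permit ip any any
interface Vlan10
 ip access-group block_loopback in
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
"""

def dst_network(dst, wild):
    """Map an IOS destination ('any', 'host A', 'A wildcard') to an ip_network; contiguous wildcards assumed."""
    if dst == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if dst == "host":
        dst, wild = wild, "0.0.0.0"
    # A wildcard mask is an inverted netmask, so its bit length is the size of the host part.
    return ipaddress.ip_network((dst, 32 - int(ipaddress.IPv4Address(wild)).bit_length()), strict=False)

def parse_config(config):
    """One pass: ACL entries (source 'any' only) per ACL name, and inbound ACL names per SVI."""
    acls, svis, stanza = {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip access-list extended (\S+)$", line):
            stanza = acls.setdefault(m.group(1), [])
        elif m := re.match(r"interface (Vlan\S+)$", line):
            stanza = svis.setdefault(m.group(1), [])
        elif m := re.match(r"(?:\d+ )?(permit|deny) \S+ any (\S+)(?: (\S+))?", line):
            action, dst, wild = m.groups()
            stanza.append((action, dst_network(dst, wild)))
        elif m := re.match(r"ip access-group (\S+) in$", line):
            stanza.append(m.group(1))
    return acls, svis

def loopback_filtered(entries):
    """First match wins: the first entry overlapping 127/8 must be a deny that covers all of it."""
    for action, net in entries:
        if net.overlaps(LOOPBACK_NET):
            return action == "deny" and LOOPBACK_NET.subnet_of(net)
    return True  # nothing matched, so the ACL's implicit trailing deny drops it

def audit_svis(config):
    """SVIs whose inbound ACL does not drop 127/8; a bound but undefined ACL permits all on IOS."""
    acls, svis = parse_config(config)
    return [n for n, b in svis.items() if not b or b[0] not in acls or not loopback_filtered(acls[b[0]])]
```

Running `audit_svis(SAMPLE_CONFIG)` on the constructed fragment reports `['Vlan20']`, the SVI with no inbound ACL; a list that places `permit ip any any` before the deny, or that denies only part of 127.0.0.0/8, is reported as well.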
Cisco
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: