Cisco IOS SIP 远程代码执行漏洞(CVE-2010-0580)

Cisco IOS是思科网络设备所使用的互联网操作系统。

 

Cisco IOS Software的SIP实现中存在安全漏洞，可能允许远程攻击者导致设备重载或执行任意代码。当运行Cisco IOS Software的设备处理畸形SIP消息时可以触发这些漏洞。

 

在SIP运行在TCP传输的情况下，必须完成三重握手才可以利用这些漏洞。

 

 

 

解决方法

 

临时处理办法:

 

* 对于不需要启用SIP的设备，最简单有效的临时解决方案就是在设备上禁止处理SIP。一些Cisco IOS Software版本上允许管理员通过以下命令禁用SIP：

   

    sip-ua

     no transport udp

     no transport tcp

     no transport tcp tls

   

*  对于需要提供SIP服务的设备，可使用控制面整形（CoPP）阻断不可信任来源到设备的SIP通讯。可在网络中应用以下示例：

    

    !-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.

    !-- Everything else is not trusted. The following access list is used

    !-- to determine what traffic needs to be dropped by a control plane

    !-- policy (the CoPP feature.) If the access list matches (permit)

    !-- then traffic will be dropped and if the access list does not

    !-- match (deny) then traffic will be processed by the router.

    

    access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060

    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060

    access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5061

    access-list 100 deny udp host 172.16.1.1 any eq 5060

    access-list 100 deny tcp host 172.16.1.1 any eq 5060

    access-list 100 deny tcp host 172.16.1.1 any eq 5061

    access-list 100 permit udp any any eq 5060

    access-list 100 permit tcp any any eq 5060

    access-list 100 permit tcp any any eq 5061

    

    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4

    !-- traffic in accordance with existing security policies and

    !-- configurations for traffic that is authorized to be sent

    !-- to infrastructure devices.

    !-- Create a Class-Map for traffic to be policed by

    !-- the CoPP feature.

    

    class-map match-all drop-sip-class

      match access-group 100

    

    !-- Create a Policy-Map that will be applied to the

    !-- Control-Plane of the device.

    

    policy-map control-plane-policy

     class drop-sip-class

      drop

    

    !-- Apply the Policy-Map to the Control-Plane of the

    !-- device.

    

    control-plane

     service-policy input control-plane-policy

 

厂商解决方案:

 

Cisco

-----

Cisco已经为此发布了一个安全公告（cisco-sa-20100324-sip）以及相应补丁:

cisco-sa-20100324-sip：Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

链接：http://www.cisco.com/warp/public/707/cisco-sa-20100324-sip.shtml