自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

Cisco IOS SSL Connection Remote Denial of Service Vulnerability

Cisco IOS contains a vulnerability in its handling of SSL session setup; a remote attacker can exploit it to cause a denial of service on the affected device.

Affected systems:

Cisco IOS 12.4

Cisco IOS 12.3

Cisco IOS 12.2

Cisco IOS 12.1

Cisco IOS 12.0

Description:

BUGTRAQ ID: 24097

Cisco IOS is the operating system used by Cisco network devices.

Cisco IOS contains a vulnerability in its handling of SSL session setup; a remote attacker can exploit it to cause a denial of service on the affected device.

When a device is configured to accept SSL connections (the workarounds below target TCP port 443, the HTTPS server), Cisco IOS may crash while processing malformed SSL messages. To trigger these vulnerabilities, a malicious client must send a malformed ClientHello, ChangeCipherSpec or Finished message during the SSL handshake with the vulnerable device.

The attacker can trigger the vulnerabilities after the TCP connection has been established but before any authentication credentials (such as a username/password or a certificate) are exchanged. Because the TCP three-way handshake must complete first, exploitation from spoofed source IP addresses is much less likely. An attacker who intercepts traffic between two affected devices cannot exploit the vulnerability inside an already established SSL session, because SSL protects that session against injection. However, the attacker can abnormally terminate the existing session with a TCP RST, wait for a new SSL session to be set up, and inject malformed messages at the start of that new session to trigger the vulnerability.
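The message types named above (ClientHello, ChangeCipherSpec, Finished) are the first things a client sends on a fresh session, so a structural check of the client-to-server byte stream is the natural place to catch, or at least log, the kind of malformed input this advisory describes. The following Python 3 validator is an added example, not code from Cisco or from the original page: it splits a captured TCP payload into SSL/TLS records, checks the ClientHello vector lengths, and flags a ChangeCipherSpec with a wrong body or a Finished sent in the clear before ChangeCipherSpec. The specific malformations that crash IOS are not published in the advisory, so these are generic consistency checks rather than a signature for this bug; build_client_hello and the malformed samples in the demo are constructed here for illustration.

```python
import struct

CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APP_DATA = 20, 21, 22, 23
HS_CLIENT_HELLO, HS_FINISHED = 1, 20
MAX_RECORD = 16384 + 2048   # TLS 1.0 ciphertext record limit (RFC 2246 6.2.3)


def parse_records(data):
    """Split a raw client->server TCP payload into TLS records. Returns (records, problems)."""
    records, problems, off = [], [], 0
    while off < len(data):
        if len(data) - off < 5:
            problems.append("truncated record header at offset %d" % off)
            break
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        if ctype not in (CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APP_DATA):
            problems.append("unknown content type %d at offset %d" % (ctype, off))
            break
        if length == 0 or length > MAX_RECORD:
            problems.append("record length %d out of range at offset %d" % (length, off))
            break
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            problems.append("record claims %d bytes but only %d present" % (length, len(body)))
            break
        records.append((ctype, version, body))
        off += 5 + length
    return records, problems


def check_client_hello(body):
    """Validate one handshake record body that should carry a ClientHello."""
    if len(body) < 4:
        return ["handshake header truncated"]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HS_CLIENT_HELLO:
        return ["first handshake message is type %d, not ClientHello" % hs_type]
    if hs_len != len(body) - 4:
        return ["handshake length %d does not match record payload %d" % (hs_len, len(body) - 4)]
    p = body[4:]
    # client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2>
    # compression_methods<1..2^8-1> [extensions<0..2^16-1>]
    if len(p) < 35:
        return ["ClientHello too short for version, random and session_id length"]
    sid_len = p[34]
    if sid_len > 32:
        return ["session_id length %d exceeds 32" % sid_len]
    pos = 35 + sid_len
    if len(p) < pos + 2:
        return ["cipher_suites length field missing"]
    cs_len = int.from_bytes(p[pos:pos + 2], "big")
    pos += 2
    if cs_len == 0 or cs_len % 2 or len(p) < pos + cs_len + 1:
        return ["cipher_suites vector invalid (length %d)" % cs_len]
    pos += cs_len
    comp_len = p[pos]
    pos += 1
    if comp_len == 0 or len(p) < pos + comp_len:
        return ["compression_methods vector invalid (length %d)" % comp_len]
    pos += comp_len
    rest = p[pos:]
    if rest and (len(rest) < 2 or int.from_bytes(rest[:2], "big") != len(rest) - 2):
        return ["extensions block does not match remaining %d bytes" % len(rest)]
    return []


def audit_client_flow(data):
    """Structural checks on the client side of a fresh SSL/TLS session; returns a list of findings."""
    records, problems = parse_records(data)
    if not records:
        return problems or ["no complete record"]
    seen_ccs = False
    for i, (ctype, _version, body) in enumerate(records):
        if i == 0:
            if ctype != CT_HANDSHAKE:
                problems.append("first record is content type %d, expected a ClientHello handshake" % ctype)
            else:
                problems.extend(check_client_hello(body))
            continue
        if ctype == CT_CHANGE_CIPHER_SPEC:
            if body != b"\x01":
                problems.append("ChangeCipherSpec body must be a single 0x01 byte")
            seen_ccs = True
        elif ctype == CT_HANDSHAKE and not seen_ccs and body[:1] == bytes([HS_FINISHED]):
            problems.append("Finished sent in the clear before ChangeCipherSpec")
    return problems


def build_client_hello(cipher_suites=(0x002F, 0x0035), session_id=b""):
    """Constructed sample: a well-formed TLS 1.0 ClientHello record with a fixed 'random'."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    hello = (struct.pack("!H", 0x0301) + bytes(range(32))
             + bytes([len(session_id)]) + session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00")           # one compression method: null
    hs = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CT_HANDSHAKE, 0x0301, len(hs)) + hs


if __name__ == "__main__":
    good = build_client_hello()
    # Constructed malformed variants: overstated record length, inconsistent
    # handshake length, and a ChangeCipherSpec sent as the very first record.
    samples = [("good", good),
               ("overstated", good[:3] + struct.pack("!H", len(good) + 200) + good[5:]),
               ("bad_hs_len", good[:6] + (0x7FFF).to_bytes(3, "big") + good[9:]),
               ("ccs_first", struct.pack("!BHH", CT_CHANGE_CIPHER_SPEC, 0x0301, 1) + b"\x01")]
    for name, sample in samples:
        print(name, audit_client_flow(sample))
```

Feed audit_client_flow the reassembled client-to-server payload of a connection to the device's SSL port; an empty list means the opening records are structurally consistent, anything else is worth logging with the source address, since the advisory notes the attacker must complete the TCP handshake and therefore cannot hide behind a spoofed address.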

Source: Cisco Security Advisory

Links: http://secunia.com/advisories/25361/

http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Recommendations:

Temporary workarounds:

Configure Control Plane Policing (CoPP) as follows:

!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be governed by CoPP
access-list 100 permit tcp any any eq 443
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all drop-SSL-class
  match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map drop-SSL-policy
  class drop-SSL-class
    drop
!
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
  service-policy input drop-SSL-policy

Note that in the 12.0S, 12.2S and 12.2SX Cisco IOS trains the policy-map syntax differs: instead of a plain drop action, the class uses a policer whose conform and exceed actions both drop:

policy-map drop-SSL-policy
  class drop-SSL-class
    police 32000 1500 1500 conform-action drop exceed-action drop

Because access-list 100 matches every TCP/443 packet punted to the control plane, this policy also blocks legitimate HTTPS management of the device. Check that it is taking effect with show policy-map control-plane input, and use the ACL-based workaround if trusted hosts still need access.

Alternatively, configure an ACL that permits TCP port 443 only from trusted hosts and denies it from everyone else (the page lost the placeholder names; replace the two host placeholders with the trusted client's address and the device's own address):

access-list 101 permit tcp host <trusted-host> host <device-address> eq 443
access-list 101 deny tcp any any eq 443

The access list takes effect only once it is applied inbound on the relevant interfaces with ip access-group 101 in, and since an extended ACL ends with an implicit deny, add permit entries for all other legitimate traffic on those interfaces before applying it.

Vendor patches:

Cisco

-----

Cisco has released a security advisory (cisco-sa-20070522-SSL) and corresponding fixes:

cisco-sa-20070522-SSL: Multiple Vulnerabilities in Cisco IOS While Processing SSL Packets

Link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-SSL.shtml

Responsible editor: 許鳳麗. Source: 比特網 (Bitnet)