Cisco IOS FTP Server非授权访问及拒绝服务漏洞

2007-05-11T00:00:00
ID SSV:1737
Type seebug
Reporter Root
Modified 2007-05-11T00:00:00

Description

Cisco IOS是Cisco网络设备所使用的操作系统。

Cisco IOS所带的FTP Server处理访问请求时存在漏洞,远程攻击者可能利用此漏洞非授权访问系统文件或导致拒绝服务。

启用了IOS FTP Server功能的Cisco IOS没有正确检查用户授权,可能允许攻击者非授权读写设备文件系统中的任意文件,包括设备保存的配置,其中可能有口令或其他敏感信息;此外这种配置的Cisco IOS还可能导致在通过FTP传输文件时IOS重载。

Cisco IOS 12.4 Cisco IOS 12.3 Cisco IOS 12.2 Cisco IOS 12.1 Cisco IOS 12.0 临时解决方法:

  • 通过向设备配置中添加以下命令禁用IOS FTP Server功能:

    no ftp-server enable

  • 选用其他文件传输方式,如安全拷贝(SCP)或使用简单文件传输协议(TFTP)服务器。

  • 如下配置基础架构ACL(iACL):

    !--- Permit FTP services from trusted hosts destined !--- to infrastructure addresses.

    access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 21 access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 20

    !--- Deny FTP packets from all other sources destined to infrastructure addresses.

    access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21 access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20

    !--- Permit all other traffic to transit the device.

    access-list 150 permit IP any any

    interface serial 2/0 ip access-group 150 in

  • 如下配置接收ACL(rACL):

!--- Permit FTP from trusted hosts allowed to the RP.

access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 20


!--- Deny FTP from all other sources to the RP.


access-list 151 deny   tcp any any eq 21
access-list 151 deny   tcp any any eq 20


!--- Permit all other traffic to the RP.
!--- according to security policy and configurations.


access-list 151 permit ip any any


!--- Apply this access list to the 'receive' path.


ip receive access-list 151
  • 如下配置控制面板:
    access-list 152 deny   tcp TRUSTED_ADDRESSES MASK any eq 21
    access-list 152 deny   tcp TRUSTED_ADDRESSES MASK any eq 20
    access-list 152 permit tcp any any eq 20
    access-list 152 permit tcp any any eq 21
    access-list 152 deny    ip any any
    !
    class-map match-all COPP-KNOWN-UNDESIRABLE
     match access-group 152
    !
    !
    policy-map COPP-INPUT-POLICY
     class COPP-KNOWN-UNDESIRABLE
      drop
    !
    control-plane
     service-policy input COPP-INPUT-POLICY
    

厂商补丁:

Cisco

Cisco已经为此发布了一个安全公告(cisco-sa-20070509-iosftp)以及相应补丁: cisco-sa-20070509-iosftp:Multiple Vulnerabilities in the IOS FTP Server 链接:<a href="http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml" target="_blank">http://www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml</a>