Cisco IOS H.323 Interface Memory Leak Remote Denial of Service Vulnerability

Cause
Design error
Severity

 
Affected systems
Cisco IOS XE 2.5
Cisco IOS 15.0M
Cisco IOS 12.4YB
Cisco IOS 12.4YA
Cisco IOS 12.4XZ
Cisco IOS 12.4XY
Cisco IOS 12.4XW
Cisco IOS 12.4XV
Cisco IOS 12.4XT
Cisco IOS 12.4XP
Cisco IOS 12.4XM
Cisco IOS 12.4XL
Cisco IOS 12.4XJ
Cisco IOS 12.4XE
Cisco IOS 12.4XD
Cisco IOS 12.4XC
Cisco IOS 12.4XB
Cisco IOS 12.4XA
Cisco IOS 12.4T
Cisco IOS 12.4MR
Cisco IOS 12.4GC
Cisco IOS 12.4
Cisco IOS 12.3ZA
Cisco IOS 12.3YZ
Cisco IOS 12.3YX
Cisco IOS 12.3YU
Cisco IOS 12.3YT
Cisco IOS 12.3YS
Cisco IOS 12.3YQ
Cisco IOS 12.3YM
Cisco IOS 12.3YK
Cisco IOS 12.3YG
Cisco IOS 12.3YF
Cisco IOS 12.3XZ
Cisco IOS 12.3XY
Cisco IOS 12.3XX
Cisco IOS 12.3XW
Cisco IOS 12.3XU
Cisco IOS 12.3XR
Cisco IOS 12.3XQ
Cisco IOS 12.3XL
Cisco IOS 12.3XK
Cisco IOS 12.3XJ
Cisco IOS 12.3XI
Cisco IOS 12.3XG
Cisco IOS 12.3XF
Cisco IOS 12.3XE
Cisco IOS 12.3XD
Cisco IOS 12.3XC
Cisco IOS 12.3XB
Cisco IOS 12.3XA
Cisco IOS 12.3TPC
Cisco IOS 12.3T
Cisco IOS 12.3JK
Cisco IOS 12.3B
Cisco IOS 12.3
Cisco IOS 12.2ZP
Cisco IOS 12.2ZL
Cisco IOS 12.2ZJ
Cisco IOS 12.2ZH
Cisco IOS 12.2ZF
Cisco IOS 12.2ZE
Cisco IOS 12.2ZD
Cisco IOS 12.2ZC
Cisco IOS 12.2ZB
Cisco IOS 12.2YY
Cisco IOS 12.2YW
Cisco IOS 12.2YV
Cisco IOS 12.2YU
Cisco IOS 12.2YT
Cisco IOS 12.2YN
Cisco IOS 12.2YM
Cisco IOS 12.2YL
Cisco IOS 12.2YJ
Cisco IOS 12.2YH
Cisco IOS 12.2YF
Cisco IOS 12.2YD
Cisco IOS 12.2YC
Cisco IOS 12.2YB
Cisco IOS 12.2YA
Cisco IOS 12.2XW
Cisco IOS 12.2XV
Cisco IOS 12.2XU
Cisco IOS 12.2XT
Cisco IOS 12.2XQ
Cisco IOS 12.2XNF
Cisco IOS 12.2XNE
Cisco IOS 12.2XND
Cisco IOS 12.2XNC
Cisco IOS 12.2XNB
Cisco IOS 12.2XNA
Cisco IOS 12.2XM
Cisco IOS 12.2XL
Cisco IOS 12.2XK
Cisco IOS 12.2XJ
Cisco IOS 12.2XI
Cisco IOS 12.2XH
Cisco IOS 12.2XG
Cisco IOS 12.2XD
Cisco IOS 12.2XC
Cisco IOS 12.2XB
Cisco IOS 12.2XA
Cisco IOS 12.2TPC
Cisco IOS 12.2T
Cisco IOS 12.2MC
Cisco IOS 12.2CZ
Cisco IOS 12.2BY
Cisco IOS 12.2BX
Cisco IOS 12.2BW
Cisco IOS 12.2B
Cisco IOS 12.1YD
Cisco IOS 12.1XU
 
Unaffected systems
Cisco IOS XE 2.5.1
Cisco IOS 15.0(1)M1
Cisco IOS 12.4XN
Cisco IOS 12.4(25c)
Cisco IOS 12.4(24)T3
Cisco IOS 12.4(22)YB5
Cisco IOS 12.4(22)T4
Cisco IOS 12.4(15)XM3
Cisco IOS 12.4(15)XM
Cisco IOS 12.4(15)T12
Cisco IOS 12.3(8)JK1
Cisco IOS 12.3(7)XI11
Cisco IOS 12.3(4)TPC11a
Cisco IOS 12.3(2)XA7
Cisco IOS 12.3(2)JK3
Cisco IOS 12.3(11)YK3
Cisco IOS 12.2SB
Cisco IOS 12.2S
Cisco IOS 12.2(8)ZB
Cisco IOS 12.2(33)XNE1
Cisco IOS 12.2(15)MC2b
Cisco IOS 12.2(15)MC1
Cisco IOS 12.2(11)YV1
Cisco IOS 12.2
 
Impact
A remote attacker can exploit the vulnerability to cause the device to reload.
 
Conditions required for attack
The attacker must have access to H.323 on the Cisco IOS device.
 
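Vulnerability information
Cisco IOS is a widely used internetwork operating system.
The H.323 implementation in Cisco IOS Software contains two vulnerabilities. An attacker can trigger them by sending specially crafted H.323 packets to an affected device running Cisco IOS Software; a complete TCP three-way handshake is required.
When exploited successfully, the first vulnerability can cause an interface queue wedge. The second allows a memory leak to be triggered, causing the device to reload.
An interface queue wedge is a typical vulnerability in which certain packets are received and queued by a Cisco IOS router or switch but, because of a processing error, are never removed from the queue.
The interface input queue counts the packets it has received, but its limit is generally bounded and relatively small. For example, on most platforms the default input queue for most interface types is 75 packets; this value can be changed with the hold-queue value in interface configuration.
Whether the input queue size is equal to or greater than the input queue maximum can be checked with the following command. In the output below, the current input queue size is 75, equal to the input queue "max" size: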
Router#show interface Ethernet 0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0001.0001.0001
  Internet address is 10.1.1.100/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:20, output 00:00:05, output hang never
  Last clearing of "show interface" counters never
  Input queue: 75/75/44/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 4000 bits/sec, 9 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2937 packets input, 182298 bytes, 0 no buffer
     Received 7 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     58 packets output, 6540 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
    
To display detected memory leaks, use the following command in privileged EXEC mode:
Router#show memory debug leaks
Adding blocks for GD…
                 I/O memory
Address    Size   Alloc_pc  PID  Alloc-Proc       Name
                 Processor memory
Address    Size   Alloc_pc  PID  Alloc-Proc       Name
640854D4     1940 622265A4  196  CCH323_CT       CCH323_CT
640EA5E8     1940 622265A4  196  CCH323_CT       CCH323_CT
65961B38     1940 622265A4  196  CCH323_CT       CCH323_CT
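
The two checks above as a script, added here as an example and not part of the original advisory or Cisco's tooling: it parses saved `show interface` and `show memory debug leaks` output, flags interfaces whose input queue size has reached max, and totals the leaked blocks attributed to CCH323_CT. The sample text is constructed from the output shown above, and the function names are assumptions.

```python
import re

# Constructed sample input, modelled on the command output shown above.
SHOW_INTERFACE = """\
Ethernet0/0 is up, line protocol is up
  Input queue: 75/75/44/0 (size/max/drops/flushes); Total output drops: 0
Ethernet0/1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
"""
SHOW_MEMORY_LEAKS = """\
Address    Size   Alloc_pc  PID  Alloc-Proc       Name
640854D4     1940 622265A4  196  CCH323_CT       CCH323_CT
640EA5E8     1940 622265A4  196  CCH323_CT       CCH323_CT
65961B38     1940 622265A4  196  CCH323_CT       CCH323_CT
"""

IFACE_RE = re.compile(r"^(\S+) is .*line protocol is")
QUEUE_RE = re.compile(r"Input queue:\s*(\d+)/(\d+)/(\d+)/(\d+)")
# Columns: Address, Size, Alloc_pc, PID, Alloc-Proc, Name
LEAK_RE = re.compile(
    r"^([0-9A-F]{8})\s+(\d+)\s+([0-9A-F]{8})\s+(\d+)\s+(\S+)\s+(\S+)\s*$", re.M)


def full_input_queues(text):
    """Return {interface: (size, max)} where input queue size >= max."""
    full, iface = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)  # header line starts a new interface block
            continue
        q = QUEUE_RE.search(line)
        if q and iface:
            size, qmax = int(q.group(1)), int(q.group(2))
            if size >= qmax:
                full[iface] = (size, qmax)
    return full


def h323_leaks(text, proc="CCH323_CT"):
    """Return (block_count, total_bytes) of leaked blocks allocated by proc."""
    sizes = [int(m.group(2)) for m in LEAK_RE.finditer(text)
             if m.group(5) == proc]
    return len(sizes), sum(sizes)


if __name__ == "__main__":
    print(full_input_queues(SHOW_INTERFACE))
    print(h323_leaks(SHOW_MEMORY_LEAKS))
```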
 
Test method
Workaround
If the device does not need H.323 call processing enabled, it can be disabled by entering the following commands:
voice service voip
 h323
  call service stop forced
 
Vendor solution
Users can refer to the following vendor security advisory for patch information:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b20ee4.shtml
 
Reported by
Cisco
 
