漏洞信息详情
Cisco IOS FTP Server非授权访问及拒绝服务漏洞
- CNNVD编号:CNNVD-200705-158
- 危害等级: 中危
![图片[1]-Cisco IOS FTP Server非授权访问及拒绝服务漏洞-一一网](https://www.proyy.com/skycj/data/images/2021-07-05/30f462579bec41fc25e0b1d57503e6d6.png)
- CVE编号:
CVE-2007-2587
- 漏洞类型:
资料不足
- 发布时间:
2007-05-09
- 威胁类型:
远程
- 更新时间:
2009-03-04
- 厂 商:
cisco - 漏洞来源:
Cisco安全公告 -
漏洞简介
Cisco IOS是Cisco网络设备所使用的操作系统。
Cisco IOS所带的FTP Server处理访问请求时存在漏洞,远程攻击者可能利用此漏洞非授权访问系统文件或导致拒绝服务。
启用了IOS FTP Server功能的Cisco IOS没有正确检查用户授权,可能允许攻击者非授权读写设备文件系统中的任意文件,包括设备保存的配置,其中可能有口令或其他敏感信息;此外这种配置的Cisco IOS还可能导致在通过FTP传输文件时IOS重载。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
临时解决方法:
* 通过向设备配置中添加以下命令禁用IOS FTP Server功能:
no ftp-server enable
* 选用其他文件传输方式,如安全拷贝(SCP)或使用简单文件传输协议(TFTP)服务器。
* 如下配置基础架构ACL(iACL):
!— Permit FTP services from trusted hosts destined
!— to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 20
!— Deny FTP packets from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20
!— Permit all other traffic to transit the device.
access-list 150 permit IP any any
interface serial 2/0
ip access-group 150 in
* 如下配置接收ACL(rACL):
!— Permit FTP from trusted hosts allowed to the RP.
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 20
!— Deny FTP from all other sources to the RP.
access-list 151 deny tcp any any eq 21
access-list 151 deny tcp any any eq 20
!— Permit all other traffic to the RP.
!— according to security policy and configurations.
access-list 151 permit ip any any
!— Apply this access list to the ‘receive’ path.
ip receive access-list 151
* 如下配置控制面板:
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 20
access-list 152 permit tcp any any eq 20
access-list 152 permit tcp any any eq 21
access-list 152 deny ip any any
!
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
!
!
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
!
control-plane
service-policy input COPP-INPUT-POLICY
厂商补丁:
Cisco
—–
Cisco已经为此发布了一个安全公告(cisco-sa-20070509-iosftp)以及相应补丁:
cisco-sa-20070509-iosftp:Multiple Vulnerabilities in the IOS FTP Server
链接:
参考网址
来源: CISCO
名称: 20070509 Multiple Vulnerabilities in the IOS FTP Server
链接:http://www.cisco.com/en/US/products/products_security_advisory09186a00808399d0.shtml
来源: XF
名称: cisco-ios-ftpserver-dos(34196)
链接:http://xforce.iss.net/xforce/xfdb/34196
来源: SECTRACK
名称: 1018030
链接:http://www.securitytracker.com/id?1018030
来源: BID
名称: 23885
链接:http://www.securityfocus.com/bid/23885
来源: OSVDB
名称: 35335
来源: VUPEN
名称: ADV-2007-1749
链接:http://www.frsirt.com/english/advisories/2007/1749
来源: SECUNIA
名称: 25199
链接:http://secunia.com/advisories/25199
来源: OVAL
名称: oval:org.mitre.oval:def:5444
链接:http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:5444
![[桜井宁宁]COS和泉纱雾超可爱写真福利集-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/4d3cf227a85d7e79f5d6b4efb6bde3e8.jpg)
![[桜井宁宁] 爆乳奶牛少女cos写真-一一网](https://www.proyy.com/skycj/data/images/2020-12-13/d40483e126fcf567894e89c65eaca655.jpg)
