To prevent an exploit of a vulnerable device, SSL-based services need
to be disabled. However, if regular maintenance and operation of the device
relies on this service, there is no workaround.
The following command will disable the vulnerable HTTPS service:
Router(config)#no ip http secure-server
The following command will disable the vulnerable SSL VPN:
Router(config)#no webvpn enable
The following command will disable the vulnerable OSP service:
Router(config)#no settlement <n>
Another option for the OSP settlement service is to revert to HTTP instead of HTTPS. The
downside of this workaround is that the settlement information will be sent
over the network unprotected.
It is possible to mitigate this vulnerability by preventing
unauthorized hosts from accessing affected devices.
Control Plane Policing (CoPP)
Cisco IOS software versions that support Control Plane Policing
(CoPP) can be configured to help protect the device from attacks that
target the management and control planes. CoPP is available in Cisco IOS
release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
In the following CoPP example, the ACL entries that match the exploit
packets with the permit action will be discarded by the policy-map
drop function, whereas packets that match a deny
action (not shown) are not affected by the policy-map drop function:
!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be
!-- governed by CoPP
access-list 100 permit tcp any any eq 443
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-SSL-class
 match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map drop-SSL-policy
 class drop-SSL-class
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
 service-policy input drop-SSL-policy
Note: In the preceding CoPP example, the ACL entries with the
permit action that match the exploit packets will result in
the discarding of those packets by the policy-map drop
function, whereas packets that match the deny action are not
affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP
feature is available at the following links:
Access Control List (ACL)
An Access Control List (ACL) can be used to help mitigate attacks that
target this vulnerability. ACLs can specify that only packets from legitimate
sources are permitted to reach a device, and all others are to be dropped. The
following example shows how to allow legitimate SSL sessions from trusted
sources and deny all other SSL sessions:
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443
access-list 101 deny tcp any any eq 443
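As an added example (not part of the advisory and not a Cisco tool), the following Python script audits a saved IOS running-config text against the three points this section and the CoPP section make: whether the SSL-based services named at the top are still enabled, whether a CoPP policy that drops TCP/443 is actually bound to the control plane (class-map, policy-map and service-policy all chained together), and which source hosts an access list permits to reach TCP/443 before the catch-all deny. The two sample configurations, the hostname, the addresses and the regular expressions are constructed assumptions about how `show running-config` output is laid out; they are not taken from the advisory.

```python
from __future__ import annotations
import re

# Constructed sample configs (assumptions, not from the advisory).
VULNERABLE_CONFIG = """\
hostname edge-rtr
ip http server
ip http secure-server
webvpn enable
settlement 0
 type osp
 url https://osp.example.invalid
"""

HARDENED_CONFIG = """\
hostname edge-rtr
no ip http secure-server
no webvpn enable
access-list 100 permit tcp any any eq 443
access-list 101 permit tcp host 192.0.2.10 host 198.51.100.1 eq 443
access-list 101 deny tcp any any eq 443
class-map match-all drop-SSL-class
 match access-group 100
policy-map drop-SSL-policy
 class drop-SSL-class
  drop
control-plane
 service-policy input drop-SSL-policy
"""

# Assumption: an enabled feature appears as a bare command; a disabled one
# is absent or carries a "no " prefix, so only bare commands are matched.
SSL_SERVICE_PATTERNS = {
    "https-server": re.compile(r"^ip http secure-server\b"),
    "ssl-vpn": re.compile(r"^webvpn enable\b"),
    "osp-settlement": re.compile(r"^settlement \d+\b"),
}


def enabled_ssl_services(config: str) -> list[str]:
    """Names of the SSL-based services from the advisory still enabled in the config."""
    found = set()
    for line in config.splitlines():
        stripped = line.strip()
        for name, pat in SSL_SERVICE_PATTERNS.items():
            if pat.match(stripped):
                found.add(name)
    return sorted(found)


def copp_protects_tcp443(config: str) -> bool:
    """True if a drop policy bound to the control plane matches an ACL permitting TCP/443."""
    class_acl: dict[str, str] = {}        # class-map name -> ACL number it matches
    policy_drops: dict[str, set] = {}     # policy-map name -> classes with a drop action
    acl_permits_443: set[str] = set()     # ACLs containing "permit tcp ... eq 443"
    cp_policy = None                      # policy applied with "service-policy input"
    cur_kind = cur_name = cur_class = None
    for raw in config.splitlines():
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:                   # a top-level command starts a new section
            cur_kind = cur_name = cur_class = None
            if m := re.match(r"class-map (?:match-\w+ )?(\S+)", line):
                cur_kind, cur_name = "class", m.group(1)
            elif m := re.match(r"policy-map (\S+)", line):
                cur_kind, cur_name = "policy", m.group(1)
                policy_drops.setdefault(cur_name, set())
            elif line == "control-plane":
                cur_kind = "cp"
            elif m := re.match(r"access-list (\d+) permit tcp .*\beq 443\b", line):
                acl_permits_443.add(m.group(1))
        elif cur_kind == "class":
            if m := re.match(r"match access-group (\d+)", line):
                class_acl[cur_name] = m.group(1)
        elif cur_kind == "policy":
            if m := re.match(r"class (\S+)", line):
                cur_class = m.group(1)
            elif line == "drop" and cur_class:
                policy_drops[cur_name].add(cur_class)
        elif cur_kind == "cp":
            if m := re.match(r"service-policy input (\S+)", line):
                cp_policy = m.group(1)
    if cp_policy not in policy_drops:
        return False
    return any(class_acl.get(c) in acl_permits_443 for c in policy_drops[cp_policy])


def ssl_acl_summary(config: str, acl: str) -> tuple[list[str], bool]:
    """(source hosts permitted to TCP/443 by this ACL, whether a catch-all deny for 443 follows)."""
    hosts, catch_all_deny = [], False
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(rf"access-list {acl} permit tcp host (\S+) host \S+ eq 443$", line):
            hosts.append(m.group(1))
        elif re.match(rf"access-list {acl} deny tcp any any eq 443$", line):
            catch_all_deny = True
    return hosts, catch_all_deny


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "services:", enabled_ssl_services(cfg),
              "CoPP drops 443:", copp_protects_tcp443(cfg),
              "ACL 101:", ssl_acl_summary(cfg, "101"))
```

Run it against a copy of the device's running configuration to see which of the three workarounds is in place. Only a policy reachable from `control-plane` via `service-policy input` counts as protection; a class-map or policy-map that is defined but never applied reports as not protecting the device.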