Customers can disable the use of the IOS FTP Server feature by executing the following command in configuration mode:
no ftp-server enable
Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
Alternative File Transfer Mechanisms
Cisco IOS supports multiple methods for transferring files to and from the device. One such method is Secure Copy (SCP). SCP is supported on Cisco IOS images that support strong cryptography. More information on the SCP feature can be found at the following url:
Another alternative is using the Trivial File Transfer Protocol (TFTP) server in IOS. Information on configuring the TFTP server can be found here:
If disabling the IOS FTP Server is not feasible, customers can limit FTP access to the device via one of the following mechanisms:
Infrastructure ACLs (iACL)
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic which should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access-list which will protect all devices with IP addresses in the infrastructure IP address range.
A sample access list for devices running Cisco IOS is below:
!--- Permit FTP services from trusted hosts destined !--- to infrastructure addresses.
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 20
!--- Deny FTP packets from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 21
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 20
!--- Permit all other traffic to transit the device.
access-list 150 permit IP any any
interface serial 2/0
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml.
Receive ACLs (rACL)
For distributed platforms, Receive ACLs may be an option starting in Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the 7500, and 12.0(31)S for the 10720. The Receive ACL protects the device from harmful traffic before the traffic can impact the route processor. Receive ACLs are designed to only protect the device on which it is configured. On the 12000, 7500, and 10720, transit traffic is never affected by a receive ACL. Because of this, the destination IP address "any" used in the example ACL entries below only refer to the router's own physical or virtual IP addresses. Receive ACLs are considered a network security best practice, and should be considered as a long-term addition to good network security, as well as a workaround for this specific vulnerability. The white paper entitled "GSR: Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny all unwanted packets: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml.
The following is the receive path ACL written to permit this type of traffic from trusted hosts:
!--- Permit FTP from trusted hosts allowed to the RP.
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 151 permit tcp TRUSTED_ADDRESSES MASK any eq 20
!--- Deny FTP from all other sources to the RP.
access-list 151 deny tcp any any eq 21
access-list 151 deny tcp any any eq 20
!--- Permit all other traffic to the RP. !--- according to security policy and configurations.
access-list 151 permit ip any any
!--- Apply this access list to the 'receive' path.
ip receive access-list 151
Control Plane Policing (CoPP)
The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the following example, only FTP traffic from trusted hosts and with 'receive' destination IP addresses is permitted to reach the route processor (RP).
It should be noted that dropping traffic from unknown or untrusted IP addresses may affect hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device.
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 21
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 20
access-list 152 permit tcp any any eq 20
access-list 152 permit tcp any any eq 21
access-list 152 deny ip any any
class-map match-all COPP-KNOWN-UNDESIRABLE
match access-group 152
service-policy input COPP-INPUT-POLICY
In the above CoPP example, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function.
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
Additional information on the configuration and use of the CoPP feature can be found at the following URL: