Cisco crypt lib vulnerability

Published: 2007-05-23
Last Updated: 2007-05-24 14:46:45 UTC
by donald smith (Version: 1)
What appears to be a fairly far-reaching ASN.1 DoS vulnerability in Cisco products was recently announced.
It is in a third-party crypto library that appears to have been used in many different Cisco products.
This affects SSH, SSL, EAP-TLS, SIP-TLS, TIDP, IPSEC, CAPF and TAPI on several different platforms, depending on usage and OS.
It appears the vulnerable services/protocols may be enabled by default in some instances.
After a discussion with an informed source: Cisco IOS less than 12.3(2)T is not vulnerable unless a crypto map has been applied to the interface.

All the text in italics is quoted from the Cisco advisory available here:

Affected Products
Cisco IOS
Cisco IOS XR
Cisco PIX and ASA Security Appliances (only 7.x releases are affected)
Cisco Firewall Service Module (FWSM), all releases prior 2.3(5) and 3.1(6) are affected
Cisco Unified CallManager

Affected protocols in Cisco IOS
In Cisco IOS two features rely on ISAKMP - IPSec and Group Domain of Interpretation (GDOI).

Prior to IOS version 12.3(2)T, IKE was enabled by default, with no crypto configuration needed for the IOS device to process IKE messages.

12.2SXD versions of Cisco IOS have IKE enabled by default. To ensure that IKE processing is disabled, enter the global configuration command no crypto isakmp enable.

As of IOS version 12.3(2)T (which includes all 12.4-based versions), crypto configuration is required to enable IKE message processing.
In order for an IOS device to be vulnerable crypto map must be explicitly configured and applied to an interface

Affected protocols in Cisco IOS XR

Internet Security Association and Key Management Protocol (ISAKMP)
In some IOS XR releases the Secure Socket Layer (SSL) may also be affected
Secure Shell (SSH)

Affected protocols in Cisco Firewall Service Module (FWSM)

Internet Security Association and Key Management Protocol (ISAKMP)

Affected protocols in Cisco Unified CallManager
Certificate Authority Proxy Function (CAPF)
Cisco TAPI Service Provider (Cisco Unified CallManager TSP)

See the advisory for mitigations, fixed software and a complete list of which products are vulnerable.
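
The Cisco IOS conditions quoted above (IKE on by default on older releases, the global command no crypto isakmp enable, and a crypto map applied to an interface) can be checked against a saved running-config. The following Python is an added example, not part of this diary or the Cisco advisory; the function name, the ike_on_by_default flag (set by the operator from the release in use) and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample running-config excerpt (not taken from the advisory).
SAMPLE_MAPPED = """\
hostname edge1
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
!
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
"""

def ike_exposure(running_config, ike_on_by_default):
    """Classify IKE exposure from 'show running-config' text.

    ike_on_by_default: True for releases the advisory describes as processing
    IKE without crypto configuration (prior to 12.3(2)T, and 12.2SXD).
    Returns (exposed, reason, [(interface, crypto_map_name), ...]).
    """
    current_if = None
    mapped = []
    ike_disabled = False
    for line in running_config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line[0].isspace():            # top-level (global) command
            m = re.match(r"interface\s+(\S+)", line)
            current_if = m.group(1) if m else None
            if line.strip() == "no crypto isakmp enable":
                ike_disabled = True
        elif current_if:                      # sub-command of an interface
            m = re.match(r"\s+crypto map\s+(\S+)", line)
            if m:
                mapped.append((current_if, m.group(1)))
    if ike_disabled:
        return (False, "IKE disabled globally", mapped)
    if ike_on_by_default:
        return (True, "IKE enabled by default on this release", mapped)
    if mapped:
        return (True, "crypto map applied to an interface", mapped)
    return (False, "no crypto map applied to an interface", mapped)

if __name__ == "__main__":
    print(ike_exposure(SAMPLE_MAPPED, ike_on_by_default=False))
```

A crypto map that is defined globally but not applied under any interface is not reported, which matches the advisory's wording for 12.3(2)T and later.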