Vulnerability In Crypto Library
cisco-sa-20070522-crypto · High · Published · Updated
A vulnerability has been discovered in a third party cryptographic library which is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password).

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information.

The vulnerable cryptographic library is used in the following Cisco products:

- Cisco IOS
- Cisco IOS XR
- Cisco PIX and ASA Security Appliances
- Cisco Firewall Service Module (FWSM)
- Cisco Unified CallManager

This vulnerability is assigned CVE ID CVE-2006-3894. It is externally coordinated and is tracked by the following external coordinators:

- JPCERT/CC - tracked as JVNVU#754281
- CPNI - tracked as NISCC-362917
- CERT/CC - tracked as VU#754281

Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

This advisory is posted at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-crypto.

Note: Another related advisory is posted together with this Advisory. It also describes vulnerabilities related to cryptography that affect Cisco IOS. The related advisory is published at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20070522-SSL