
SANS ISC: cisco crypt lib vulnerability SANS ISC InfoSec Forums

cisco crypt lib vulnerability
What appears to be a fairly far-reaching ASN.1 DoS vulnerability in Cisco products was recently announced.
It is in a third-party crypto library that appears to have been used in many different Cisco products.
This affects SSH, SSL, EAP-TLS, SIP-TLS, TIDP, IPSEC, CAPF and TAPI on several different platforms depending on usage and OS.
It appears the vulnerable services/protocols may be enabled by default in some instances.
After a discussion with an informed source, Cisco IOS less than 12.3(2)T is not vulnerable unless a crypto map has been applied to the interface.

All the text in italics is quoted from the Cisco advisory available here:

Affected Products
Cisco IOS
Cisco IOS XR
Cisco PIX and ASA Security Appliances (only 7.x releases are affected)
Cisco Firewall Service Module (FWSM), all releases prior 2.3(5) and 3.1(6) are affected
Cisco Unified CallManager

Affected protocols in Cisco IOS
In Cisco IOS two features rely on ISAKMP - IPSec and Group Domain of Interpretation (GDOI).

Prior to IOS version 12.3(2)T, IKE was enabled by default, with no crypto configuration needed for the IOS device to process IKE messages.

12.2SXD versions of Cisco IOS have IKE enabled by default. To ensure that IKE processing is disabled, enter the global configuration command no crypto isakmp enable.

As of IOS version 12.3(2)T (which includes all 12.4-based versions), crypto configuration is required to enable IKE message processing.
In order for an IOS device to be vulnerable, a crypto map must be explicitly configured and applied to an interface.

Affected protocols in Cisco IOS XR

Internet Security Association and Key Management Protocol (ISAKMP)
In some IOS XR releases the Secure Socket Layer (SSL) may also be affected
Secure Shell (SSH)

Affected protocols in Cisco Firewall Service Module (FWSM)

Internet Security Association and Key Management Protocol (ISAKMP)

Affected protocols in Cisco Unified CallManager
Certificate Authority Proxy Function (CAPF)
Cisco TAPI Service Provider (Cisco Unified CallManager TSP)

See the advisory for mitigations, fixed software and a complete list of which products are vulnerable.
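
An audit sketch for the IOS rules quoted from the advisory above (added example, not Cisco's or the ISC's code): it reports whether a device processes IKE, given its version string and running-config. Assumptions: releases are ordered by their numeric part only, so release trains other than the ones named above are not modelled; `no crypto isakmp enable` is honoured on every release below 12.3(2)T; the sample configuration is constructed.

```python
import re
THRESHOLD = (12, 3, 2)  # 12.3(2)T, the cut-over release named in the advisory text

# Constructed sample running-config (addresses are documentation ranges).
SAMPLE_CONFIG = """\
crypto map VPN 10 ipsec-isakmp
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
"""

def parse_version(version):
    """Return the numeric part of an IOS version: '12.2(18)SXD7' -> (12, 2, 18)."""
    m = re.match(r"(\d+)\.(\d+)\((\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version: {version!r}")
    return tuple(int(g) for g in m.groups())

def applied_crypto_maps(config):
    """Map interface name -> crypto map that is both defined and applied to it."""
    defined = set(re.findall(r"^crypto map (\S+) \d+", config, re.M))
    applied, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
        elif not line.startswith(" "):
            iface = None  # any other unindented line ends the interface block
        elif iface and (m := re.match(r"\s+crypto map (\S+)", line)):
            if m.group(1) in defined:
                applied[iface] = m.group(1)
    return applied

def ike_exposure(version, config):
    """Return (processes_ike, reason) following the rules quoted from the advisory."""
    if parse_version(version) < THRESHOLD:  # includes 12.2SXD: IKE on by default
        if re.search(r"^no crypto isakmp enable\s*$", config, re.M):
            return False, "'no crypto isakmp enable' is configured"
        return True, "IKE is enabled by default on this release"
    maps = applied_crypto_maps(config)
    if maps:
        return True, "crypto map applied on " + ", ".join(sorted(maps))
    return False, "no crypto map is applied to an interface"

if __name__ == "__main__":
    for ver in ("12.2(18)SXD7", "12.3(2)T", "12.4(11)T"):
        print(ver, ike_exposure(ver, SAMPLE_CONFIG))
```

A device that processes IKE is only exposed, not confirmed vulnerable; whether the running image is a fixed release still has to be checked against the advisory.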

May 24th 2007
