Vulnerability In Crypto Library - Cisco Systems

Medium Nessus Plugin ID 49004

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

A vulnerability has been discovered in a third-party cryptographic library that is used by a number of Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed. Due to the nature of the vulnerability, it may be possible, in some cases, to trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid username or password). Successful, repeated exploitation of any of these vulnerabilities may lead to a sustained denial of service (DoS); however, the vulnerabilities are not known to compromise either the confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an attacker to decrypt any previously encrypted information. Cisco has made free software available to address this vulnerability for affected customers. There are no workarounds available to mitigate the effects of the vulnerability.

Solution

Apply the relevant patch referenced in Cisco Security Advisory cisco-sa-20070522-crypto.

See Also

http://www.nessus.org/u?aff94393

http://www.nessus.org/u?0072356d

Plugin Details

Severity: Medium

ID: 49004

File Name: cisco-sa-20070522-crypto.nasl

Version: 1.21

Type: local

Family: CISCO

Published: 2010/09/01

Updated: 2018/11/15

Dependencies: 47864

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:cisco:ios

Required KB Items: Host/Cisco/IOS/Version

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2007/05/22

Vulnerability Publication Date: 2007/05/22

Reference Information

CVE: CVE-2006-3894

BID: 24104