RSA BSAFE Library Remote ASN.1 Parsing Denial of Service Vulnerability

Published: 2007-05-22
Updated: 2007-05-24

Affected systems:
Cisco IOS XR 3.4.X
Cisco IOS XR 3.3.X
Cisco IOS XR 3.2.X
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco Firewall Services Module < 2.3(5)
Cisco Firewall Services Module 3.1(6)
Cisco PIX/ASA 7.x
Cisco Unified CallManager
RSA Security BSAFE Crypto-C
RSA Security BSAFE Cert-C
Unaffected systems:
RSA Security BSAFE Crypto-C 6.3.1
RSA Security BSAFE Cert-C 2.8
Description:
BUGTRAQ ID: 24104
CVE(CAN) ID: CVE-2006-3894

RSA BSAFE is a family of software libraries that give developers cryptographic functions for use in embedded and Internet applications.

The implementations of the Crypto-C and Cert-C libraries in RSA BSAFE contain a flaw that a remote attacker can exploit to cause a denial of service on the device.

The flaw is triggered when any application built on these libraries parses a malformed ASN.1 object, crashing the affected application or device. Because X.509 certificates and many protocol messages are ASN.1-encoded, any network-facing service that hands peer-supplied certificates or other ASN.1 data to these libraries is exposed; on the Cisco platforms listed above, those are the services (HTTPS, IKE, GDOI, SIP, TIDP) targeted by the workarounds below.
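The failure the advisory describes, a crash while parsing a malformed ASN.1 object, is the classic consequence of acting on a DER length field before checking it against the bytes actually received. The parser below is an added example written for this page; it is not BSAFE code and not the specific defect behind CVE-2006-3894 (the advisory gives no internal details of that bug). It shows the bounds checks a DER reader needs and exercises them against constructed inputs: an outer element that claims four gigabytes of content, a child that claims more bytes than its parent holds, an indefinite length, a non-minimal length, and trailing garbage. The type and function names (der_tlv, der_read_tlv, der_count_sequence_children, der_outer_status) are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded DER TLV element. value points into the caller's buffer. */
typedef struct {
    uint8_t tag;
    const uint8_t *value;
    size_t len;       /* content length */
    size_t consumed;  /* tag + length bytes + content */
} der_tlv;

enum der_status {
    DER_OK = 0,
    DER_ERR_TRUNCATED,    /* declared length exceeds the bytes actually present */
    DER_ERR_LENGTH_FORM,  /* indefinite (0x80) or wider than size_t */
    DER_ERR_NONMINIMAL,   /* long form used for a length < 128 (BER, not DER) */
    DER_ERR_TAG           /* high-tag-number form; not needed for basic X.509 */
};

/* Decode one TLV from buf[0..buflen). Nothing is read before the remaining
   byte count is checked, and the declared length is compared against the
   remaining input before value/len are handed back to the caller. */
enum der_status der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len;
    if (buflen < 2)
        return DER_ERR_TRUNCATED;              /* need at least tag + length */
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)
        return DER_ERR_TAG;
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                           /* short form */
    } else {
        size_t nbytes = first & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return DER_ERR_LENGTH_FORM;
        if (buflen - pos < nbytes)
            return DER_ERR_TRUNCATED;          /* the length bytes themselves are missing */
        len = 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (buf[pos - nbytes] == 0 || len < 0x80)
            return DER_ERR_NONMINIMAL;         /* DER requires the minimal encoding */
    }
    if (buflen - pos < len)
        return DER_ERR_TRUNCATED;              /* the check a crashing parser lacks */
    out->tag = tag;
    out->value = buf + pos;
    out->len = len;
    out->consumed = pos + len;
    return DER_OK;
}

/* Status of the outermost element alone; handy for logging and tests. */
enum der_status der_outer_status(const uint8_t *buf, size_t buflen)
{
    der_tlv t;
    return der_read_tlv(buf, buflen, &t);
}

/* Walk the children of a top-level SEQUENCE and return how many there are,
   or -1 if the input is malformed in any way (bad outer element, a child
   that claims more bytes than its parent holds, or trailing garbage). */
int der_count_sequence_children(const uint8_t *buf, size_t buflen)
{
    der_tlv seq, child = {0};
    if (der_read_tlv(buf, buflen, &seq) != DER_OK || seq.tag != 0x30)
        return -1;
    if (seq.consumed != buflen)
        return -1;                             /* bytes left over after the SEQUENCE */
    int count = 0;
    for (size_t off = 0; off < seq.len; off += child.consumed) {
        /* each child is decoded against the parent's remaining content only */
        if (der_read_tlv(seq.value + off, seq.len - off, &child) != DER_OK)
            return -1;
        count++;
    }
    return count;
}

/* Constructed sample inputs for this example (not captured traffic). */
static const uint8_t good_seq[]      = {0x30,0x07, 0x02,0x01,0x01, 0x04,0x02,0x61,0x62}; /* SEQ{INT 1, OCTETS "ab"} */
static const uint8_t huge_len[]      = {0x30,0x84,0xff,0xff,0xff,0xff, 0x02,0x01,0x01}; /* outer claims 4 GiB */
static const uint8_t child_overrun[] = {0x30,0x03, 0x02,0x05,0x01};                      /* child claims 5 of 3 bytes */
static const uint8_t indefinite[]    = {0x30,0x80, 0x02,0x01,0x01, 0x00,0x00};            /* BER indefinite length */
static const uint8_t nonminimal[]    = {0x30,0x81,0x03, 0x02,0x01,0x01};                  /* long form for length 3 */
static const uint8_t trailing[]      = {0x30,0x03, 0x02,0x01,0x01, 0xaa};                 /* garbage after the SEQ */

int main(void)
{
    printf("good_seq      -> %d children\n", der_count_sequence_children(good_seq, sizeof good_seq));
    printf("huge_len      -> %d\n", der_count_sequence_children(huge_len, sizeof huge_len));
    printf("child_overrun -> %d\n", der_count_sequence_children(child_overrun, sizeof child_overrun));
    printf("indefinite    -> %d\n", der_count_sequence_children(indefinite, sizeof indefinite));
    printf("nonminimal    -> %d\n", der_count_sequence_children(nonminimal, sizeof nonminimal));
    printf("trailing      -> %d\n", der_count_sequence_children(trailing, sizeof trailing));
    return 0;
}
```

Build with `cc -std=c99 -Wall der_check.c`. The two truncation checks (length bytes present, content bytes present) are what stop an over-read of the input buffer; the indefinite-length and non-minimal rejections are DER strictness that a BER decoder might relax, but a certificate parser has no reason to accept either.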

<*Source: Cisco Security Advisory
  
  Links: http://secunia.com/advisories/25343/
         http://www.kb.cert.org/vuls/id/754281
         http://secunia.com/advisories/25399/
         https://secure-support.novell.com/KanisaPlatform/Publishing/97/3590033_f.SAL_Public.html
         http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml
*>

Recommendations:
Workarounds:

* For network devices running Cisco IOS, apply the following Control Plane Policing (CoPP) configuration. In the ACL that feeds CoPP, a permit entry means "this traffic is policed (here: dropped)" and a deny entry means "this traffic is exempt from the policy", so exemptions for trusted management hosts and VPN peers must come first. As written, the policy drops all traffic to the affected services at the control plane, which is only acceptable on a device that does not need to terminate them:

    !-- Include deny statements up front for any protocols/ports/IP addresses that
    !-- should not be impacted by CoPP
    !-- Include permit statements for the protocols/ports that will be governed by CoPP
    !-- port 443 - HTTPS
    access-list 100 permit tcp any any eq 443
    !-- port 500 - IKE
    access-list 100 permit udp any any eq 500
    !-- port 848 - GDOI (UDP)
    access-list 100 permit udp any any eq 848
    !-- port 5060 - SIP-TLS
    access-list 100 permit tcp any any eq 5060
    !-- port 5354 - TIDP
    access-list 100 permit tcp any any eq 5354

    !-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
    !-- traffic in accordance with existing security policies and
    !-- configurations for traffic that is authorized to be sent
    !-- to infrastructure devices.
    !
    !-- Create a Class-Map for traffic to be policed by
    !-- the CoPP feature.
    !
    class-map match-all Drop-Known-Undesirable
     match access-group 100

    !
    !-- Create a Policy-Map that will be applied to the
    !-- Control-Plane of the device.
    !
    policy-map CoPP-Input-Policy
     class Drop-Known-Undesirable
      drop

    !-- Apply the Policy-Map to the Control-Plane of the
    !-- device.
    !
    control-plane
     service-policy input CoPP-Input-Policy

   Note that on the 12.0S, 12.2S and 12.2SX Cisco IOS trains the policy-map syntax differs, as shown below:

    policy-map CoPP-Input-Policy
     class Drop-Known-Undesirable
     police 32000 1500 1500 conform-action drop exceed-action drop

Or apply the following interface ACL, which admits the affected services only from a known legitimate host and denies them from every other source. Replace <legitimate_host_IP_address> and <router_IP_address> with your own values and apply the list inbound on the ingress interfaces with "ip access-group 101 in"; the trailing permit is required because an IOS ACL ends with an implicit deny of everything not listed:

    access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443
    access-list 101 permit udp host <legitimate_host_IP_address> host <router_IP_address> eq 500
    access-list 101 permit udp host <legitimate_host_IP_address> host <router_IP_address> eq 848
    access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 5060
    access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 5354
    access-list 101 deny tcp any any eq 443
    access-list 101 deny udp any any eq 500
    access-list 101 deny udp any any eq 848
    access-list 101 deny tcp any any eq 5060
    access-list 101 deny tcp any any eq 5354
    !-- Allow all other traffic; without this line the implicit deny blocks everything else.
    access-list 101 permit ip any any

   The service ports are the same ones the CoPP list above governs (HTTPS 443/tcp, IKE 500/udp, GDOI 848/udp, SIP 5060/tcp, TIDP 5354/tcp). SIP over TLS is registered on 5061/tcp, so add that port if the device terminates SIP-TLS, and confirm the service list for your release against the Cisco advisory.

Vendor patches:

Cisco
-----
Cisco has published a security advisory (cisco-sa-20070522-crypto) together with fixed software:
cisco-sa-20070522-crypto: Vulnerability In Crypto Library
Link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

RSA Security
------------
The vendor has released updated library versions that fix this issue (see the unaffected versions listed above); obtain them from the vendor's site:

http://www.rsasecurity.com

This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; do not reproduce without permission.