PT-2007-1164 · Rsa+2 · Rsa Crypto-C+7
Published
2007-05-22
·
Updated
2021-12-17
·
CVE-2006-3894
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |
Name of the Vulnerable Software and Affected Versions:
RSA Crypto-C versions prior to 6.3.1
Cert-C versions prior to 2.8
Cisco IOS (affected versions not specified)
Cisco IOS XR (affected versions not specified)
Cisco PIX and ASA Security Appliances (affected versions not specified)
Cisco Firewall Service Module (FWSM) (affected versions not specified)
Cisco Unified CallManager (affected versions not specified)
Description:
A denial-of-service vulnerability exists in the RSA Crypto-C and Cert-C libraries, third-party cryptographic code embedded in the Cisco products listed above. The issue is triggered when a malformed Abstract Syntax Notation One (ASN.1) object is parsed; ASN.1 (DER) is the encoding of X.509 certificates and related objects that these libraries process, so in some cases the malformed object can be delivered over the network without valid credentials such as a username or password. Repeated exploitation may lead to a sustained denial of service (DoS), but it is not believed to compromise the confidentiality or integrity of the data or the device, which is consistent with the CVSS vector above (C:N/I:N/A:P).
Recommendations:
For RSA Crypto-C versions prior to 6.3.1, update to version 6.3.1 or later.
For Cert-C versions prior to 2.8, update to version 2.8 or later.
For Cisco IOS, Cisco IOS XR, Cisco PIX and ASA Security Appliances, Cisco Firewall Service Module (FWSM), and Cisco Unified CallManager, apply the free software made available by Cisco to address this vulnerability.
As a temporary workaround, until the fixed software can be installed, restrict network access to the services on affected devices that use the vulnerable library to parse ASN.1 input from remote peers, so that only trusted hosts can reach them.
Do not use the vulnerable library to parse ASN.1 objects from untrusted sources until the issue is resolved.
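To make the failure mode described above concrete, here is an added example (written for this page, not code from RSA, Cisco or the vulnerable library) of the bounds checks a DER/ASN.1 tag-length-value parser needs so that a malformed object is rejected instead of driving the parser past the end of its input or into unbounded recursion. The sample byte strings are constructed, the `der_validate` and `build_nested` names and the depth limit of 16 are this example's own assumptions, and the specific malformation behind CVE-2006-3894 is not described by the advisory and is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_DEPTH 16   /* recursion bound for nested constructed elements (assumed) */

/* Result codes for the hardened walker. */
enum der_status {
    DER_OK = 0,
    DER_ERR_TRUNCATED,   /* header or body claims more bytes than remain */
    DER_ERR_BAD_LENGTH,  /* indefinite (0x80), non-minimal or oversized length */
    DER_ERR_BAD_TAG,     /* high-tag-number form is not accepted here */
    DER_ERR_TOO_DEEP     /* nesting exceeds MAX_DEPTH */
};

/* Parse one DER tag-length header from buf[0..len). Every step is checked
 * against the bytes actually present, so a length field that lies about the
 * body size is reported instead of steering later reads off the buffer. */
static enum der_status der_read_header(const uint8_t *buf, size_t len,
                                       uint8_t *tag, size_t *hdr_len,
                                       size_t *body_len)
{
    if (len < 2)
        return DER_ERR_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f)
        return DER_ERR_BAD_TAG;
    *tag = buf[0];

    size_t pos = 2, value;
    uint8_t first = buf[1];
    if (first < 0x80) {                       /* short form */
        value = first;
    } else if (first == 0x80) {               /* indefinite length: not DER */
        return DER_ERR_BAD_LENGTH;
    } else {                                  /* long form, at most 4 bytes */
        size_t nbytes = first & 0x7f;
        if (nbytes > 4)
            return DER_ERR_BAD_LENGTH;        /* refuse absurd lengths early */
        if (len - pos < nbytes)
            return DER_ERR_TRUNCATED;
        value = 0;
        for (size_t i = 0; i < nbytes; i++)
            value = (value << 8) | buf[pos + i];
        pos += nbytes;
        /* DER demands minimal encoding: no leading zero byte, and the long
         * form only for values that do not fit the short form. */
        if (buf[2] == 0x00 || value < 0x80)
            return DER_ERR_BAD_LENGTH;
    }
    if (value > len - pos)                    /* body must fit what is left */
        return DER_ERR_TRUNCATED;
    *hdr_len = pos;
    *body_len = value;
    return DER_OK;
}

/* Walk a DER buffer, descending into constructed elements (bit 0x20 set).
 * Counts elements seen; stops at the first error. */
static enum der_status der_walk(const uint8_t *buf, size_t len,
                                unsigned depth, size_t *count)
{
    if (depth > MAX_DEPTH)
        return DER_ERR_TOO_DEEP;
    for (size_t off = 0; off < len; ) {
        uint8_t tag;
        size_t hdr, body;
        enum der_status st = der_read_header(buf + off, len - off, &tag, &hdr, &body);
        if (st != DER_OK)
            return st;
        (*count)++;
        if (tag & 0x20) {
            st = der_walk(buf + off + hdr, body, depth + 1, count);
            if (st != DER_OK)
                return st;
        }
        off += hdr + body;
    }
    return DER_OK;
}

/* Validate a whole buffer; *count receives the number of elements seen. */
enum der_status der_validate(const uint8_t *buf, size_t len, size_t *count)
{
    *count = 0;
    return der_walk(buf, len, 0, count);
}

/* Build `levels` nested empty SEQUENCEs (30 len 30 len ... 30 00); short-form lengths only. */
size_t build_nested(uint8_t *out, size_t cap, unsigned levels)
{
    if (levels == 0 || levels > 64 || (size_t)levels * 2 > cap)
        return 0;
    for (unsigned k = 0; k < levels; k++) {
        out[2 * k] = 0x30;
        out[2 * k + 1] = (uint8_t)(2 * (levels - k - 1));
    }
    return (size_t)levels * 2;
}

/* Constructed sample inputs for this example, not captured traffic. */
const uint8_t DER_GOOD[]   = {0x30,0x07,0x02,0x01,0x05,0x04,0x02,0x61,0x62}; /* SEQ{INT 5, OCTETS "ab"} */
const uint8_t DER_LIES[]   = {0x30,0x07,0x02,0x01,0x05,0x04,0x05,0x61,0x62}; /* OCTET STRING claims 5 bytes, has 2 */
const uint8_t DER_INDEF[]  = {0x30,0x80,0x02,0x01,0x05,0x00,0x00};           /* BER indefinite length */
const uint8_t DER_HUGE[]   = {0x30,0x88,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff}; /* 8-byte length field */
const uint8_t DER_NONMIN[] = {0x30,0x81,0x03,0x02,0x01,0x05};                /* long form for a value < 0x80 */

static void report(const char *label, const uint8_t *buf, size_t len)
{
    static const char *names[] = {"OK", "TRUNCATED", "BAD_LENGTH", "BAD_TAG", "TOO_DEEP"};
    size_t n;
    enum der_status st = der_validate(buf, len, &n);
    printf("%-7s %-10s elements=%zu\n", label, names[st], n);
}

int main(void)
{
    uint8_t deep[128];
    size_t dl = build_nested(deep, sizeof deep, 20);
    report("good", DER_GOOD, sizeof DER_GOOD);
    report("lies", DER_LIES, sizeof DER_LIES);
    report("indef", DER_INDEF, sizeof DER_INDEF);
    report("huge", DER_HUGE, sizeof DER_HUGE);
    report("nonmin", DER_NONMIN, sizeof DER_NONMIN);
    report("deep", deep, dl);
    return 0;
}
```

Compile with any C99 compiler and run; each output line names a sample and the status returned. The property that matters is that every rejection happens before any read past `len` and before the recursion can grow without bound, which is what a library parsing certificates or protocol messages from unauthenticated peers must guarantee.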
Affected Products
Cert-C
Cisco ASA
Cisco Firewall Service Module
Cisco IOS
Cisco IOS XR
Cisco PIX
Cisco Unified CallManager
RSA Crypto-C