RSA BSAFE is a set of software libraries that lets developers implement cryptography in a wide range of embedded Internet applications.

The implementations of the Crypto-C and Cert-C libraries supplied with RSA BSAFE contain a vulnerability that a remote attacker could exploit to cause a denial of service on a device. The vulnerability is triggered when a malformed ASN.1 object is parsed by any application that uses these libraries, causing the affected application or device to crash.

Affected systems:
Cisco IOS XR 3.4.X
Cisco IOS XR 3.3.X
Cisco IOS XR 3.2.X
Cisco IOS 12.4
Cisco IOS 12.3
Cisco IOS 12.2
Cisco Firewall Services Module < 2.3(5)
Cisco Firewall Services Module 3.1(6)
Cisco PIX/ASA 7.x
Cisco Unified CallManager
RSA Security BSAFE Crypto-C
RSA Security BSAFE Cert-C

Workarounds:

* On network devices running Cisco IOS, apply the following Control Plane Policing (CoPP) configuration:

!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be governed by CoPP
!-- port 443 - HTTPS
access-list 100 permit tcp any any eq 443
!-- port 500 - IKE
access-list 100 permit udp any any eq 500
!-- port 848 - GDOI
access-list 100 permit tcp any any eq 848
!-- port 5060 - SIP-TLS
access-list 100 permit tcp any any eq 5060
!-- port 5354 - TIDP
access-list 100 permit tcp any any eq 5354
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
!
class-map match-all Drop-Known-Undesirable
 match access-group 100
!
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
!
policy-map CoPP-Input-Policy
 class Drop-Known-Undesirable
  drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
!
control-plane
 service-policy input CoPP-Input-Policy

Note that in the 12.0S, 12.2S and 12.2SX Cisco IOS trains the policy-map syntax is different, as shown below:

policy-map CoPP-Input-Policy
 class Drop-Known-Undesirable
  police 32000 1500 1500 conform-action drop exceed-action drop

Alternatively, apply the following ACL:

access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 443
access-list 101 permit udp host <legitimate_host_IP_address> host <router_IP_address> eq 500
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 506
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 4848
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 5060
access-list 101 permit tcp host <legitimate_host_IP_address> host <router_IP_address> eq 5354
access-list 101 deny tcp any any eq 443
access-list 101 deny udp any any eq 500
access-list 101 deny tcp any any eq 506
access-list 101 deny udp any any eq 4848
access-list 101 deny tcp any any eq 5060
access-list 101 deny tcp any any eq 5354

Vendor patches:

Cisco
-----
Cisco has published a security advisory (cisco-sa-20070522-crypto) together with the corresponding patches:

cisco-sa-20070522-crypto: Vulnerability In Crypto Library
Link: http://www.cisco.com/warp/public/707/cisco-sa-20070522-crypto.shtml

RSA Security
------------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
http://www.rsasecurity.com
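The advisory above states that the crash is triggered by parsing a malformed ASN.1 object. As an added illustration that is not code from the advisory, from Cisco or from RSA BSAFE, the following small defensive DER parser shows the checks a parser needs so that a hostile length or nesting is rejected cleanly instead of crashing the process: indefinite lengths, oversized or non-minimal length fields, declared lengths that overrun the buffer, and excessive nesting depth. The function names, the MAX_DEPTH value and the sample byte strings are all constructed for this example.

```python
"""Defensive DER (ASN.1) TLV parser, written as an example for this advisory.

All names and sample inputs are constructed for illustration; none of this
is BSAFE or Cisco code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


class DerError(ValueError):
    """Raised for any encoding the parser refuses to process."""


@dataclass
class TLV:
    tag: int                          # tag byte (single-byte tags only here)
    constructed: bool                 # bit 6 of the tag byte
    value: bytes                      # raw content octets
    children: Optional[List["TLV"]]   # parsed children for constructed types


MAX_DEPTH = 16  # assumed cap so deeply nested SEQUENCEs cannot exhaust the stack


def _read_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Parse a DER length at buf[pos] and return (length, position after it).

    Rejects indefinite length (0x80), length fields longer than 4 octets,
    non-minimal long-form encodings, and any length that overruns the buffer.
    """
    if pos >= len(buf):
        raise DerError("truncated: missing length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                      # short form
    elif first == 0x80:
        raise DerError("indefinite length is not allowed in DER")
    else:
        n = first & 0x7F                    # number of length octets
        if n > 4:
            raise DerError(f"length field of {n} octets is unreasonably large")
        if pos + n > len(buf):
            raise DerError("truncated: length octets overrun the buffer")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or buf[pos - n] == 0:
            raise DerError("non-minimal length encoding")
    # The decisive check: never trust a declared length beyond the data we hold.
    if pos + length > len(buf):
        raise DerError(f"declared length {length} exceeds remaining {len(buf) - pos} bytes")
    return length, pos


def parse_der(buf: bytes, depth: int = 0) -> List[TLV]:
    """Parse every top-level TLV in buf, recursing into constructed values."""
    if depth > MAX_DEPTH:
        raise DerError("nesting too deep")
    out: List[TLV] = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        if tag & 0x1F == 0x1F:
            raise DerError("multi-byte tags are not supported by this parser")
        pos += 1
        length, pos = _read_length(buf, pos)
        value = buf[pos:pos + length]
        pos += length
        constructed = bool(tag & 0x20)
        children = parse_der(value, depth + 1) if constructed else None
        out.append(TLV(tag, constructed, value, children))
    return out


def is_well_formed(buf: bytes) -> bool:
    """True if buf parses cleanly, False on any DerError (no exception escapes)."""
    try:
        parse_der(buf)
        return True
    except DerError:
        return False


def nested_sequences(n: int) -> bytes:
    """Build n nested empty SEQUENCEs (constructed test input)."""
    b = b""
    for _ in range(n):
        b = bytes([0x30, len(b)]) + b
    return b


# Constructed sample inputs:
GOOD = bytes.fromhex("3006020105020107")        # SEQUENCE { INTEGER 5, INTEGER 7 }
OVERRUN = bytes.fromhex("30847fffffff020105")   # declares ~2 GB of content
INDEFINITE = bytes.fromhex("30800201050000")    # BER indefinite length, not DER
NONMINIMAL = bytes.fromhex("308103020105")      # long form used for a length < 128

if __name__ == "__main__":
    samples = [("GOOD", GOOD), ("OVERRUN", OVERRUN),
               ("INDEFINITE", INDEFINITE), ("NONMINIMAL", NONMINIMAL),
               ("DEEP", nested_sequences(MAX_DEPTH + 4))]
    for name, sample in samples:
        print(name, "well-formed" if is_well_formed(sample) else "rejected")
```

The point of the example is the order of operations: every length is validated against the bytes actually held before any slice or recursion happens, and all rejections surface as one exception type that a caller can handle, so a malformed object costs one error rather than a crashed application or device.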