https://community.cisco.com/t5/network-access-control/doubt-about-quot-cisco-adaptive-security-appliance-remote-code/m-p/3335289#M550093 <P>Hello,</P> <P>Could someone clarify the following question, please?</P> <P>Due to this Advisory ID cisco-sa-20180129-asa1, I upgraded from version 9.6(3)20 to version 9.6.4(3) as indicated.</P> <P><A href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1</A></P> <P>According to the information, the upgrade would fix the vulnerability.&nbsp;So we could continue to use the Features without problems, right?</P> <P>In this case, I use AnyConnect IKEv2 Remote Access (with client services) and I need to continue using it.</P> <P>If I continue to use this feature, will I still be at risk?</P> <P>Are the SSL and DTLS listen sockets output above normal or should they be different after the upgrade?</P> <P>&nbsp;</P> <P>--------------------------------------------<BR />::: ASA device with SSL and DTLS listen sockets:</P> <P>asa# show asp table socket | include SSL|DTLS<BR />SSL 00013b78 LISTEN 123.123.123.123:443 0.0.0.0:* <BR />DTLS 000143e8 LISTEN <SPAN>123</SPAN><SPAN>.</SPAN><SPAN>123</SPAN><SPAN>.</SPAN><SPAN>123</SPAN><SPAN>.</SPAN><SPAN>123</SPAN>:443 0.0.0.0:*<BR />--------------------------------------------</P> <P>::: Feature:</P> <P>AnyConnect IKEv2 Remote Access (with client services)<BR />--------------------------------------------</P> <P>::: Configuration:</P> <P>asa# show running-config crypto ikev2 | include enable<BR />crypto ikev2 enable outside client-services port 443<BR />--------------------------------------------</P> <P>::: SSL system statistics</P> <P>asa# show asp table socket stats protocol ssl<BR /> <BR />NP SSL System Stats:<BR /> Handshake Started: 1012<BR /> Handshake Complete: 890<BR /> SSL Open: 11<BR /> SSL Close: 1703<BR /> SSL Server: 1066<BR /> SSL Server Verify: 0<BR /> SSL Client: 0<BR />--------------------------------------------</P> <P>&nbsp;</P> <P>Thanks!</P> <P>Att,&nbsp;</P> <P>Flavio</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:46:19 GMT flleandro 2020-02-21T18:46:19Z https://community.cisco.com/t5/network-access-control/doubt-about-quot-cisco-adaptive-security-appliance-remote-code/m-p/3335289#M550093 <P>Hello,</P> <P>Could someone clarify the following question, please?</P> <P>Due to this Advisory ID cisco-sa-20180129-asa1, I upgraded from version 9.6(3)20 to version 9.6.4(3) as indicated.</P> <P><A href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1</A></P> <P>According to the information, the upgrade would fix the vulnerability.&nbsp;So we could continue to use the Features without problems, right?</P> <P>In this case, I use AnyConnect IKEv2 Remote Access (with client services) and I need to continue using it.</P> <P>If I continue to use this feature, will I still be at risk?</P> <P>Are the SSL and DTLS listen sockets output above normal or should they be different after the upgrade?</P> <P>&nbsp;</P> <P>--------------------------------------------<BR />::: ASA device with SSL and DTLS listen sockets:</P> <P>asa# show asp table socket | include SSL|DTLS<BR />SSL 00013b78 LISTEN 123.123.123.123:443 0.0.0.0:* <BR />DTLS 000143e8 LISTEN <SPAN>123</SPAN><SPAN>.</SPAN><SPAN>123</SPAN><SPAN>.</SPAN><SPAN>123</SPAN><SPAN>.</SPAN><SPAN>123</SPAN>:443 0.0.0.0:*<BR />--------------------------------------------</P> <P>::: Feature:</P> <P>AnyConnect IKEv2 Remote Access (with client services)<BR />--------------------------------------------</P> <P>::: Configuration:</P> <P>asa# show running-config crypto ikev2 | include enable<BR />crypto ikev2 enable outside client-services port 443<BR />--------------------------------------------</P> <P>::: SSL system statistics</P> <P>asa# show asp table socket stats protocol ssl<BR /> <BR />NP SSL System Stats:<BR /> Handshake Started: 1012<BR /> Handshake Complete: 890<BR /> SSL Open: 11<BR /> SSL Close: 1703<BR /> SSL Server: 1066<BR /> SSL Server Verify: 0<BR /> SSL Client: 0<BR />--------------------------------------------</P> <P>&nbsp;</P> <P>Thanks!</P> <P>Att,&nbsp;</P> <P>Flavio</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:46:19 GMT https://community.cisco.com/t5/network-access-control/doubt-about-quot-cisco-adaptive-security-appliance-remote-code/m-p/3335289#M550093 flleandro 2020-02-21T18:46:19Z https://community.cisco.com/t5/network-access-control/doubt-about-quot-cisco-adaptive-security-appliance-remote-code/m-p/3335295#M550096 <P>You are correct, if you are using the updated code from Cisco the vulnerability has been patched and you can continue on using the VPN features of the firewall.</P> <P>&nbsp;</P> <P>I noticed the SSL/DTLS commands outputs didn't change any after the update which they shouldn't. The new code wouldn't have modified your config it would have just patched the security hole that existed&nbsp;for those processes.</P> Wed, 21 Feb 2018 17:17:31 GMT https://community.cisco.com/t5/network-access-control/doubt-about-quot-cisco-adaptive-security-appliance-remote-code/m-p/3335295#M550096 Ben Walters 2018-02-21T17:17:31Z