https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400760#M1080669 <P>If the certificate in question is the identity certificate used by SSL VPN clients, then replace it with a proper certificate issued by a public CA.</P> Tue, 11 May 2021 04:12:20 GMT Marvin Rhoads 2021-05-11T04:12:20Z https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400676#M1080667 <P>Hello,</P><P>&nbsp;</P><P>Can anyone please tell me the solution for mitigating the cisco ASA 5525 vulnerabilities?</P><TABLE><TBODY><TR><TD>FACTOR NAME</TD><TD>ISSUE TYPE TITLE</TD><TD>ISSUE TYPE CODE</TD></TR></TBODY></TABLE><TABLE><TBODY><TR><TD>Network Security</TD><TD>Certificate Without Revocation Control</TD><TD>tlscert_no_revocation</TD></TR><TR><TD>Network Security</TD><TD>Certificate Without Revocation Control</TD><TD>tlscert_no_revocation</TD></TR><TR><TD>Network Security</TD><TD>Certificate Lifetime Is Longer Than Best Practices</TD><TD>tlscert_excessive_expiration</TD></TR><TR><TD>Network Security</TD><TD>Certificate Lifetime Is Longer Than Best Practices</TD><TD>tlscert_excessive_expiration</TD></TR><TR><TD>Network Security</TD><TD>Certificate Signed With Weak Algorithm</TD><TD>tlscert_weak_signature</TD></TR><TR><TD>Network Security</TD><TD>Certificate Signed With Weak Algorithm</TD><TD>tlscert_weak_signature</TD></TR></TBODY></TABLE><P>&nbsp;</P> Tue, 11 May 2021 03:04:08 GMT https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400676#M1080667 Poo17 2021-05-11T03:04:08Z https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400760#M1080669 <P>If the certificate in question is the identity certificate used by SSL VPN clients, then replace it with a proper certificate issued by a public CA.</P> Tue, 11 May 2021 04:12:20 GMT https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400760#M1080669 Marvin Rhoads 2021-05-11T04:12:20Z https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400769#M1080670 <P>Hi Marvin,</P><P>&nbsp;</P><P>Thank you for your reply. I am trying to decommission the SSL VPN because that service is not in use anymore. How can I do that?</P><P>&nbsp;</P><P>Thank you!</P> Tue, 11 May 2021 04:22:30 GMT https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400769#M1080670 Poo17 2021-05-11T04:22:30Z https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400900#M1080675 <P>If you want to shut it down, you can just remove the service from the outside interface:</P> <PRE>conf t webvpn disable outside &lt;assuming that's your public interface name&gt; end wr mem</PRE> <P>There is more involved to thoroughly clean up the configuration but the first step will remove the certificate from being exposed to the vulnerability scanning.</P> Tue, 11 May 2021 08:36:54 GMT https://community.cisco.com/t5/network-security/vulnerability-scanning-mitigation-needed/m-p/4400900#M1080675 Marvin Rhoads 2021-05-11T08:36:54Z