topic Re: ASA 5525 - running 9.16(4) CVE-2024-20353 and CVE-2024-20359 in Network Security

ASA 5525 - running 9.16(4) CVE-2024-20353 and CVE-2024-20359

IanP — Tue, 07 May 2024 16:22:40 GMT

Hi,

I've inherited an issue that i'm a bit confused with networking isn't really my wheelhouse I've recently been trying to patch our Cisco ASA 5525 which is running ASA Version 9.16(4) which looking at the documentation it appears that it isn't supported (not sure how\why it was installed).

I've been looking into CVE-2024-20353 and CVE-2024-20359 and realize that it needs to be updated but have no idea what to upgrade it to as the software checker suggests 9.16.4.57 but according to the software matrix 9.16 shouldn't even be on there so would the sensible thing be to downgrade to 9.14(4)24?

Re: ASA 5525 - running 9.16(4) CVE-2024-20353 and CVE-2024-20359

Rob Ingram — Tue, 07 May 2024 16:29:33 GMT

@IanP yes you are correct, 9.14 is the last supported version for the ASA 5525-X.

No support in ASA 9.15(1) and later for the ASA 5525-X, ASA 5545-X, and ASA 5555-X—ASA 9.14(x) is the last supported version.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html

You should downgrade to 9.14(4)24 to resolve the latest vulnerabilities.

https://software.cisco.com/download/home/284143129/type/280775065/release/9.14.4%20Interim

HTH

Re: ASA 5525 - running 9.16(4) CVE-2024-20353 and CVE-2024-20359

IanP — Tue, 07 May 2024 16:36:39 GMT

@Rob Ingram Thanks for the quick reply. Is there a special way to downgrade unsupported version? Just want to make sure its done correctly as its remote.

Re: ASA 5525 - running 9.16(4) CVE-2024-20353 and CVE-2024-20359

Rob Ingram — Tue, 07 May 2024 16:41:30 GMT

@IanP here is the downgrade guide, no mention of anything specific in regard to downgrading from an unsupported version.

I would suggest taking a backup beforehand and if you are concerned, perhaps place a TAC call.