<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability CSCvg35618 in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424302#M132995</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dennis&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Both firewalls have the AnyConnect software in their directory and both firewalls have the AnyConnect pointers in the configuration before the upgrade. I have done upgrades in the past to address Cisco vulnerabilities on these firewalls with no AnyConnect issues. Also, I use the same procedure by upgrading the standby first, switching the firewall roles, upgrading the active, and then switching back the firewall roles. No downtime since there are IPSec connections in use. I cannot see any reason why an upgrade would remove configuration statements. I reviewed the notes for this vulnerability and there is no mention of reentering the AnyConnect pointers.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 12 Feb 2018 13:36:25 GMT</pubDate>
    <dc:creator>msanclimenti</dc:creator>
    <dc:date>2018-02-12T13:36:25Z</dc:date>
    <item>
      <title>Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability CSCvg35618</title>
      <link>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424300#M132990</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;All&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Over the weekend I upgraded a couple of ASA5545X firewalls to v9.6.4-3 that are in an HA pair. This upgrade fixes the vulnerability CSCvg35618. A few hours later I received calls that no one could connect to the VPN using AnyConnect. The users were trying to access the VPN using their Windows 10 laptops. I was able to verify this. The error was &lt;STRONG&gt;"The AnyConnect package on the secure gateway could not be located. You may&lt;BR /&gt;be experiencing network connectivity issues. Please try connecting again."&lt;/STRONG&gt; I verified this error with my Windows 10 laptop. I was able to access the firewalls using my iPad with the AnyConnect client. Looking over the ASA configuration, the AnyConnect image pointers under the webvpn section of the configuration were removed. I had to reenter the pointers and the VPN was operational.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;The original ASA code was v 9.6.3(1) and VPN was working before the upgrade. If you need to do this upgrade and you are using AnyConnect, please verify the AnyConnect pointers are still present after the upgrade is completed.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;webvpn&lt;/P&gt;&lt;P&gt; enable outside-internet&lt;/P&gt;&lt;P&gt; &lt;EM&gt;&lt;STRONG&gt;anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 1 (missing after the upgrade)&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;&lt;EM&gt; anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 2 (missing after the upgrade)&lt;/EM&gt;&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;EM&gt;&lt;STRONG&gt; anyconnect image disk0:/anyconnect-linux64-4.5.01044-webdeploy-k9.pkg 3 (missing after the upgrade)&lt;/STRONG&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt; anyconnect enable&lt;/P&gt;&lt;P&gt; tunnel-group-list enable&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Feb 2018 13:16:06 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424300#M132990</guid>
      <dc:creator>msanclimenti</dc:creator>
      <dc:date>2018-02-12T13:16:06Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability CSCvg35618</title>
      <link>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424301#M132992</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;This will happen during the upgrade process: you fail over from the active to the standby unit; if the standby unit does not have the AnyConnect image on it, you will lose the pointer.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Feb 2018 13:28:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424301#M132992</guid>
      <dc:creator>ddefoort</dc:creator>
      <dc:date>2018-02-12T13:28:00Z</dc:date>
    </item>
    <item>
      <title>Re: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability CSCvg35618</title>
      <link>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424302#M132995</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Dennis&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Both firewalls have the AnyConnect software in their directory and both firewalls have the AnyConnect pointers in the configuration before the upgrade. I have done upgrades in the past to address Cisco vulnerabilities on these firewalls with no AnyConnect issues. Also, I use the same procedure by upgrading the standby first, switching the firewall roles, upgrading the active, and then switching back the firewall roles. No downtime since there are IPSec connections in use. I cannot see any reason why an upgrade would remove configuration statements. I reviewed the notes for this vulnerability and there is no mention of reentering the AnyConnect pointers.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 12 Feb 2018 13:36:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/cisco-adaptive-security-appliance-remote-code-execution-and/m-p/3424302#M132995</guid>
      <dc:creator>msanclimenti</dc:creator>
      <dc:date>2018-02-12T13:36:25Z</dc:date>
    </item>
  </channel>
</rss>

