https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012073#M145541 <P></P> <P>after scan finished for Vulnerability Management Report , i found those notes :</P> <P></P> <P></P> <TABLE style="width: 990.9pt; margin-left: -.75pt; border-collapse: collapse;" width="1321"> <TBODY> <TR style="height: 12.75pt;"> <TD style="width: 74.9pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="100"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Cisco Catalyst / Cisco PIX 7.x / Cisco ASA Firewall / Juniper Networks Application Acceleration Platform DX</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">38498</SPAN></P> </TD> <TD style="width: 326.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="435"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">2</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">500</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">udp</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">CVE-2002-1623</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">4.3</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">yes</SPAN></P> </TD> </TR> <TR style="height: 12.75pt;"> <TD style="width: 74.9pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="100"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Cisco IOS 11-15</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">42395</SPAN></P> </TD> <TD style="width: 326.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="435"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Encrypted Management Interfaces Accessible On Cisco Device</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">2</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">5.2</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">yes</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P></P> <P></P> <P>to be honest am not that good with Cisco , can you help me with this&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ?</P> Tue, 12 Mar 2019 09:06:38 GMT oosama123 2019-03-12T09:06:38Z https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012073#M145541 <P></P> <P>after scan finished for Vulnerability Management Report , i found those notes :</P> <P></P> <P></P> <TABLE style="width: 990.9pt; margin-left: -.75pt; border-collapse: collapse;" width="1321"> <TBODY> <TR style="height: 12.75pt;"> <TD style="width: 74.9pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="100"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Cisco Catalyst / Cisco PIX 7.x / Cisco ASA Firewall / Juniper Networks Application Acceleration Platform DX</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">38498</SPAN></P> </TD> <TD style="width: 326.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="435"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">2</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">500</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">udp</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">CVE-2002-1623</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">4.3</SPAN></P> </TD> <TD style="width: 48.0pt; border: solid windowtext 1.0pt; border-left: none; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">yes</SPAN></P> </TD> </TR> <TR style="height: 12.75pt;"> <TD style="width: 74.9pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="100"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Cisco IOS 11-15</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">42395</SPAN></P> </TD> <TD style="width: 326.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="435"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Encrypted Management Interfaces Accessible On Cisco Device</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P style="text-align: right;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">2</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"></TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">5.2</SPAN></P> </TD> <TD style="width: 48.0pt; border-top: none; border-left: none; border-bottom: solid windowtext 1.0pt; border-right: solid windowtext 1.0pt; padding: 0in 5.4pt 0in 5.4pt; height: 12.75pt;" width="64"> <P><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">yes</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P></P> <P></P> <P>to be honest am not that good with Cisco , can you help me with this&nbsp; <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ?</P> Tue, 12 Mar 2019 09:06:38 GMT https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012073#M145541 oosama123 2019-03-12T09:06:38Z https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012074#M145543 <P>The vulnerability listing sounds like you are using an old EZVPN setup on your ASA. That's very old technology and as long as you keep using that you will have that vulnerability.</P> <P>You should migrate to the current SSL VPN (AnyConnect type) to mitigate those vulnerabilities.</P> <P>If you aren't using EZVPN, it could be a false positive as most site-site VPNs use Main Mode vs. Aggressive Mode. An external scan is not able to tell which is in use, only that the ASA is listening to certain ucp ports (udp/500 in this case) and they infer that you are potentially vulnerable as a result.</P> <P></P> <P></P> Thu, 23 Mar 2017 07:35:54 GMT https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012074#M145543 Marvin Rhoads 2017-03-23T07:35:54Z https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012075#M145545 <P>thank you for this perfect answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ,, in fact am using ASA 5100 it's an old one</P> <P>and allow me this silly question : how i check if VPN is EZVPN&nbsp; ?? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P></P> <P>and one more thing : what about second point : <SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Encrypted Management Interfaces Accessible On Cisco Device</SPAN>?</P> <P></P> <P>really , really thank you</P> Thu, 23 Mar 2017 08:46:50 GMT https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012075#M145545 oosama123 2017-03-23T08:46:50Z https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012076#M145547 <P>EZ VPN configuration will have a line like "nem enable" under the group-policy ("show run group-policy") if the ASA is a server. If it acts as a client, it will have a configuration lines with "vpnclient" (show run vpnclient). In either of those cases, you have to use Aggresive Mode which is considered vulnerable.&nbsp;</P> <P>If it has neither then it's just a normal IPsec headend and you can disable Aggresive Mode or AM (though it may still show as a false positive since the scan is only probing for ports and not actually negotiating a VPN and seeing that AM is disabled).</P> <P>the scond vulenrability is usually related to the first. However since they did not give you a specific CVSS to confirm it's a bit ambiguous.</P> Thu, 23 Mar 2017 09:49:39 GMT https://community.cisco.com/t5/network-security/vulnerability-management-report/m-p/3012076#M145547 Marvin Rhoads 2017-03-23T09:49:39Z