topic I can't say for sure as those in Network Security

POODLE vulnerability - Are ASA 5500's and ASA SM unaffected?

Nathan Kim — Tue, 12 Mar 2019 04:57:59 GMT

ASA evaluation of SSLv3 POODLE vulnerability at https://tools.cisco.com/bugsearch/bug/CSCur23709 only mentions ASA 5500-X but not ASA 55xx appliances and ASA SM. Does this mean ASA 55xx appliances and ASA SM are not affected by the vulnerability?

They use the term "Cisco ASA

Marvin Rhoads — Tue, 21 Oct 2014 15:35:29 GMT

They use the term "Cisco ASA 5500-X Series Next-Generation Firewalls" in a generic sense. Given that the known affected versions include ASA 8.2, 8.3 and 8.4 software (which run on the legacy ASA 5500s), then I'd say yes it includes the ASA 5500 (non-X) series.

The actual security vulnerability announcement confirms that the vulnerability applies to the software - not necessarily the hardware platform per se.

Given that the ASA Service Module code base is based on the affected software (even though they are silent re 8.5 which you could be running on the ASA SM) I'd say it would be a good idea to mitigate that platform as well if you have it.

Marvin,Thank you for your

Nathan Kim — Tue, 21 Oct 2014 16:24:59 GMT

Marvin,

Thank you for your quick and insightful response.

I agree with your recommendations.

Nathan

Hello,are these versions

SteveStarnes2014 — Thu, 23 Oct 2014 19:58:17 GMT

Hello,

are these versions affected?

asa                         9.3(1)
asa                         9.1(3)
fwsm                      4.1(15)

I can't say for sure as those

Marvin Rhoads — Thu, 23 Oct 2014 20:04:02 GMT

I can't say for sure as those software versions aren't specifically named in the BugID for this vulnerability.

In any case, the workaround to mitigate it is simple enough so you you can just go ahead and deploy:

ssl client-version tlsv1-only
ssl server-version tlsv1

There's no adverse impact to any other services on the system.

The work around happens to

jnommensen — Thu, 23 Oct 2014 22:16:51 GMT

The work around happens to not be applicable for the version I'm running. The vulnerability could affect an ASA if "A block cipher in CBC mode is one of the transform sets being offered".

How do I know if a block cipher in CBC mode is one of the transform sets I have configured? I cannot find any further details from Cisco regarding this.

Cheers,

Jnomm

jnommensen,What version are

Tim Glen — Wed, 29 Oct 2014 20:00:57 GMT

jnommensen,

What version are you running on your ASA?

ssl client-version and ssl server-version were both introduced in 7.0(1) quite some time ago...

The way I understand it...

If your ASA acts as an https server for downloading AnyConnnect software to VPN Users, or if you use clientless VPN or ASDM -and- if you have ssl server-version any then you are at risk due to the clients browser negotiating down to SSLv3.

Hope this helps.

Tim

The list of fixed releases

tdargis — Mon, 03 Nov 2014 18:43:13 GMT

The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.

Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.

Finally, there is no indication of when a fixed release might be available. Can you comment?

Does anyone know if the CISCO

alexandrepacheco — Tue, 04 Nov 2014 22:07:45 GMT

Does anyone know if the CISCO ASA 9.1(5) is affected?. Device Type: 5525.

Where do I get this information?.

Thank you.

Yes, it is.Please refer t the

Marvin Rhoads — Tue, 04 Nov 2014 23:09:23 GMT

Yes, it is.

Please refer t the link I provided earlier and, in that page, under affected products you can see a follow-on link to the actual BugID for the ASA (cisco.com login required).

Are you sure? I see nothing

chmossyyz — Wed, 05 Nov 2014 20:43:04 GMT

Are you sure? I see nothing that indicates v9.1(5) is vulnerable, only v9.1(1). Some clarity would be nice on this topic as earlier in this thread you agree that because 9.1(3) isn't mentioned you can't say for sure if it's vulnerable. Then to the question of v9.1(5) you agree it is..

Cisco has updated the BugID

Marvin Rhoads — Thu, 06 Nov 2014 16:18:15 GMT

Cisco has updated the BugID since my original posting to indicate the ASA vulnerability applies to " 9.1.2 and later".

Reference.

Yep, I had opened a ticket

chmossyyz — Thu, 06 Nov 2014 16:21:40 GMT

Yep, I had opened a ticket last night specifically mentioning the advisory and received confirmation. Glad they updated the article! 🙂

"Yes, the ASA version 9.1.5 is vulnerable. The fixed release is ASA version 9.2(2.103) and 9.3(1.1). So any versions before these versions are vulnerable."

Hello. I have these 2

gnazer — Wed, 12 Nov 2014 16:23:49 GMT

Hello. I have these 2 commands running

ssl server-version tlsv1-only
ssl client-version tlsv1-only

But when I run this tool https://www.ssllabs.com the vulnerability still there...

Cisco ASA 5520 9.0(1)

Thanks