https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515361#M235598 <P>Another config that I forgot, but that also could be found by an assessment, is the accepted SSL/TLS-version of the ASA. This is the default:</P><P><CODE>asa# sh run all ssl<BR />ssl server-version any</CODE></P><P>Here you should change the setting to only accept TLSv1:</P><P><CODE>ssl server-version tlsv1-only</CODE></P><P>At least on up-to date operating systems I haven't seen any compatibility-issues with that.</P> Thu, 14 Aug 2014 06:20:53 GMT Karsten Iwen 2014-08-14T06:20:53Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515355#M235589 <P>&nbsp;</P><P>Hi everyone,</P><P>&nbsp;</P><P>Scan results shows that ASA 5520 config for ipsec and anyconnect ikev2 has following vulnerability</P><P><SPAN lang="EN">Medium strength ciphers supported-----The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.</SPAN></P><P>&nbsp;</P><P><SPAN lang="EN">Reconfigure the affected application if possible to avoid use of medium strength ciphers.</SPAN></P><P>&nbsp;</P><P><SPAN lang="EN">ASA is not using SSL anyconnect.</SPAN></P><P>SSL config on ASL</P><P>&nbsp;</P><P align="LEFT" dir="LTR"><SPAN lang="EN">ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">ssl trust-point ASDM_TrustPoint0 outside</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">　 anyconnect ssl dtls enable</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">　 anyconnect ssl keepalive none</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">　 anyconnect ssl rekey time none</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">　 anyconnect ssl rekey method none</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">　 anyconnect ssl compression deflate</SPAN></P><P align="LEFT" dir="LTR"><SPAN lang="EN">vpn-tunnel-protocol ikev1 ssl-client</SPAN></P><P align="LEFT" dir="LTR">&nbsp;</P><P align="LEFT" dir="LTR"><SPAN lang="EN">To fix this do i need to remove config --</SPAN>anyconnect ssl dtls enable??</P><P align="LEFT" dir="LTR">Also currently FIPS is not enabled on ASA should i enable to get rid of scan results?</P><P align="LEFT" dir="LTR">&nbsp;</P><P align="LEFT" dir="LTR">Regards</P><P align="LEFT" dir="LTR">MAhesh</P> Tue, 12 Mar 2019 04:37:35 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515355#M235589 mahesh18 2019-03-12T04:37:35Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515356#M235591 <P>Hi Mahesh,</P><P>&nbsp;</P><P>It seems that still no updates from cisco against this vulnerability. They will release the new version of OS after fixing this vulnerability. You can go through the below mentioned link in detail.</P><P>&nbsp;</P><P>http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl</P><P>&nbsp;</P><P>Regards</P><P>Karthik</P> Wed, 13 Aug 2014 08:57:35 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515356#M235591 nkarthikeyan 2014-08-13T08:57:35Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515357#M235593 <P>With the following line in your config</P><P><CODE><SPAN lang="EN" lang="EN">ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5</SPAN></CODE></P><DIV>You are running ciphers that are weak. You should remove any rc4- and des-ciphers. If compatibility permits it, you could also remove 3des as a legacy algorithm.</DIV><DIV>&nbsp;</DIV><DIV>Depending on your version you could also enable the ciphers "dhe-aes128-sha1" and "dhe-aes256-sha1".</DIV><DIV>&nbsp;</DIV><DIV>DTLS has nothing to do with this.</DIV> Wed, 13 Aug 2014 12:15:16 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515357#M235593 Karsten Iwen 2014-08-13T12:15:16Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515358#M235595 <P>&nbsp;</P><P>Hi Karsten,</P><P>i checked my ASA i have below options</P><P>ssl encryption aes256-sha1 ?</P><P>configure mode commands/options:<BR />&nbsp; 3des-sha1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Indicate use of 3des-sha1 for ssl encryption<BR />&nbsp; aes128-sha1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Indicate use of aes128-sha1 for ssl encryption<BR />&nbsp; des-sha1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Indicate use of des-sha1 for ssl encryption<BR />&nbsp; dhe-aes128-sha1&nbsp; Indicate use of dhe-aes128-sha1 for ssl encryption<BR />&nbsp; dhe-aes256-sha1&nbsp; Indicate use of dhe-aes256-sha1 for ssl encryption<BR />&nbsp; null-sha1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Indicate use of null-sha1 for ssl encryption (NOTE: Data is NOT encrypted if this cipher is chosen)<BR />&nbsp; rc4-md5&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Indicate use of rc4-md5 for ssl encryption<BR />&nbsp; rc4-sha1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Indicate use of rc4-sha1 for ssl encryption</P><P>so below Config will take care of all the weak ciphers?</P><P><BR />5520(config)# <STRONG>ssl encryption aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1</STRONG></P><P>and i can do this on fly as it should not cause any outage.?</P><P>I can simply remove current ssl encryption config and replace it with above config?</P><P>Best Regards</P><P>MAhesh</P><P>&nbsp;</P> Wed, 13 Aug 2014 12:54:10 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515358#M235595 mahesh18 2014-08-13T12:54:10Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515359#M235596 <P>yes, just set the new ciphers-string and you are ready. I didn't test that, but I would assume that any running connection with a removed cipher *could* get disconnected. But you don't want them anyway and when they reconnect they will pick one of the better ciphers.</P> Wed, 13 Aug 2014 14:27:15 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515359#M235596 Karsten Iwen 2014-08-13T14:27:15Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515360#M235597 <P>&nbsp;</P><P>Hi Karsten,</P><P>&nbsp;</P><P>Many thanks for answering my post.</P><P>It was pretty hard for me to find answer for this over the internet.</P><P>Best Regards</P><P>Mahesh</P> Thu, 14 Aug 2014 02:35:36 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515360#M235597 mahesh18 2014-08-14T02:35:36Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515361#M235598 <P>Another config that I forgot, but that also could be found by an assessment, is the accepted SSL/TLS-version of the ASA. This is the default:</P><P><CODE>asa# sh run all ssl<BR />ssl server-version any</CODE></P><P>Here you should change the setting to only accept TLSv1:</P><P><CODE>ssl server-version tlsv1-only</CODE></P><P>At least on up-to date operating systems I haven't seen any compatibility-issues with that.</P> Thu, 14 Aug 2014 06:20:53 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515361#M235598 Karsten Iwen 2014-08-14T06:20:53Z https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515362#M235599 <P>&nbsp;</P><P>Thanks Karsten for more update on this.</P><P>Best Regards</P><P>Mahesh</P><P>&nbsp;</P> Fri, 15 Aug 2014 00:07:17 GMT https://community.cisco.com/t5/network-security/vulnerabilities-associated-with-asa-5520/m-p/2515362#M235599 mahesh18 2014-08-15T00:07:17Z