topic Thank you Marvin. Just an FYI in Network Security

Vulnerabilities with ASA Service Module

aespanola — Fri, 21 Feb 2020 13:36:20 GMT

Cisco just recently releases security updates for ASA due to number of vulnerabilities (See below). We don't provide any DNS, DHCP or VPN services in our ASA but our software image is listed as affected. Do we really need to upgrade the code? How can we check if DNS, DHCP and IKE features are enabled or if they're running in ASA? Command 'show version' doesn't display it. Please advise.

Thanks in advance!

/Arnel

Cisco Releases Security Updates

10/21/2015 06:43 PM EDT

Original release date: October 21, 2015

Cisco has released updates to address multiple vulnerabilities in its Adaptive Security Appliance (ASA) software. Exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Cisco security advisories on the ASA DNS Vulnerability 1, ASA DNS Vulnerability 2, ASA DHCP Vulnerability, and ASA IKE Vulnerability and apply the necessary updates.

Your running configuration

Marvin Rhoads — Fri, 23 Oct 2015 03:20:08 GMT

Your running configuration will tell you whether you are using any of the affected features.

DNS and DHCP can be found with:

show run | i dns

show run | i dhcp

IKEv1 is a little less straightforward as there are some IKE commands even in the factory default configuration, although they may not be used in many setups. Just inspect the configuration to see whether there are any site-site or remote access IPsec VPNs setup.

Thank you Marvin. Just an FYI

aespanola — Tue, 27 Oct 2015 16:29:55 GMT

Thank you Marvin.

Just an FYI.

The vulnerability says “if at least one DNS server IP address is configured under a DNS server group"

We only have domain-name configured but not a name-server so we're good.