https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653839#M559252 <HTML><HEAD></HEAD><BODY><P>Hi Mike,</P><P></P><P>I seem to be having the same issue and I followed your bug and notice the bug says it has been fixed in version 8.2 (5).</P><P></P><P>We have an ASA 5520 and running Cisco Adaptive Security Appliance Software Version 8.2(5)2 and we conducted a Pen test recently and the company picked this error, see my thread below.</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2206441?tstart=0">https://supportforums.cisco.com/thread/2206441?tstart=0</A></P><P></P><P>Thanks</P><P>- Zubair</P></BODY></HTML> Wed, 20 Mar 2013 12:45:19 GMT Zubair.Sayed_2 2013-03-20T12:45:19Z https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653837#M559250 <P><SPAN style="background-color: #f8fafd;">We are getting vulnerability scanned by a PCI company and keep getting failures that state "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG".&nbsp; I've opened two TAC cases and TAC said that this vulnerability was addressed several versions back (we're currently running version 8.2.2 on our 5510 ASA).&nbsp; TAC made several small changes to attempt to address this issue but we keep failing with the same message.&nbsp; Has anyone ever failed their scan with this error and if so, what did you do to address this error?</SPAN></P><P></P><P><SPAN style="background-color: #f8fafd;">Here is the detailed error:</SPAN></P><P></P><P><STRONG style=": ; font-size: 8pt; font-family: Arial; "></STRONG></P><P align="left"><SPAN style="font-size: 12pt;">OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Ciphersuite Change Issue</SPAN></P><P></P><P><SPAN style="font-family: Arial; "></SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Synopsis :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">The remote host allows resuming SSL sessions.</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Description :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">The version of OpenSSL on the remote host has been shown to allow</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">resuming session with a different cipher than was used when the</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">session was initiated. This means that an attacker that sees (e.g.</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">by sniffing) the start of an SSL connection can manipulate the OpenSSL</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">session cache to cause subsequent resumes of that session to use a</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">cipher chosen by the attacker.</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">See also :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;"><A class="jive-link-external-small" href="http://openssl.org/news/secadv_20101202.txt" target="_blank">http://openssl.org/news/secadv_20101202.txt</A></SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Solution :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later.</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Risk factor :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Medium / CVSS Base Score : 4.3</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Plugin output :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Session ID :</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">4e4c1b0b13d5e48b5421479419da1c95f8ca01da3f83eed7494f2d254389c9ec</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">CVE : CVE-2010-4180</SPAN></P><P align="left"><SPAN style="font-size: 12pt;">BID : 45164</SPAN></P><P><SPAN style="font-size: 12pt;">Other references : OSVDB:69565</SPAN></P><P></P><P></P><P><SPAN style="background-color: #f8fafd;">Thanks,</SPAN></P><P><SPAN style="background-color: #f8fafd;">John</SPAN></P> Mon, 11 Mar 2019 20:11:35 GMT https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653837#M559250 clippersbaseball 2019-03-11T20:11:35Z https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653838#M559251 <HTML><HEAD></HEAD><BODY><P>Hi John,</P><P></P><P>The Cisco bug ID filed to track this vulnerability is CSCtk61443. You can read the details here:</P><P></P><SPAN><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtk61443">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCtk61443</A></SPAN><P></P><P>The vulnerability will be fixed in an upcoming release of 8.2.4.8. Please open up a TAC case to request this image for your ASA.</P><P></P><P>Hope that helps.</P><P></P><P>-Mike</P></BODY></HTML> Mon, 04 Apr 2011 13:16:49 GMT https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653838#M559251 mirober2 2011-04-04T13:16:49Z https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653839#M559252 <HTML><HEAD></HEAD><BODY><P>Hi Mike,</P><P></P><P>I seem to be having the same issue and I followed your bug and notice the bug says it has been fixed in version 8.2 (5).</P><P></P><P>We have an ASA 5520 and running Cisco Adaptive Security Appliance Software Version 8.2(5)2 and we conducted a Pen test recently and the company picked this error, see my thread below.</P><P></P><P><A _jive_internal="true" href="https://community.cisco.com/thread/2206441?tstart=0">https://supportforums.cisco.com/thread/2206441?tstart=0</A></P><P></P><P>Thanks</P><P>- Zubair</P></BODY></HTML> Wed, 20 Mar 2013 12:45:19 GMT https://community.cisco.com/t5/network-security/repeated-asa-5510-failed-vulnerability-scan-openssl-error/m-p/1653839#M559252 Zubair.Sayed_2 2013-03-20T12:45:19Z