https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908250#M5697 <P>Our ASA 5512 with ASA software&nbsp;9.8(3)8 was found being vulernable with the <SPAN>Bleichenbacher's Oracle Threat (ROBOT) vulnerability&nbsp;</SPAN>after scanning. IS there a new fix for this? I thought the fix should already have been applied in this ASA version.&nbsp;</P><P>&nbsp;</P><P>If not, is there a work around for this?</P> Fri, 21 Feb 2020 17:24:19 GMT hmc2500 2020-02-21T17:24:19Z https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908250#M5697 <P>Our ASA 5512 with ASA software&nbsp;9.8(3)8 was found being vulernable with the <SPAN>Bleichenbacher's Oracle Threat (ROBOT) vulnerability&nbsp;</SPAN>after scanning. IS there a new fix for this? I thought the fix should already have been applied in this ASA version.&nbsp;</P><P>&nbsp;</P><P>If not, is there a work around for this?</P> Fri, 21 Feb 2020 17:24:19 GMT https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908250#M5697 hmc2500 2020-02-21T17:24:19Z https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908293#M5701 <P>I would have expected the fix to be in 9.8(3)8 too since the fixed releases for that bug were from Jan 2018 (your code is from Aug 2018)</P><P>&nbsp;</P><DIV class="whiteRow"><EM>9.2(4.25)</EM></DIV><DIV class="greyRow"><EM>9.1(7.21)</EM></DIV><DIV class="greyRow">&nbsp;</DIV><DIV class="greyRow">There are 2 suggested workarounds from Cisco on this if you want to try them though.&nbsp;</DIV><DIV class="greyRow">&nbsp;</DIV><DIV class="greyRow"><FONT size="2"><STRONG><EM>Workaround:</EM></STRONG></FONT><BR /><FONT size="2"><STRONG><EM>- Enable "crypto engine large-mod-accel" in the ASA configuration. This configuration change might reduce the maximum SSL throughput by up to 50%. This workaround is not available for the ASA 5505.</EM></STRONG></FONT><BR /><FONT size="2"><STRONG><EM>or</EM></STRONG></FONT><BR /><FONT size="2"><STRONG><EM>- Configure "ssl encryption" to only allow cipher suites based on Diffie-Hellman key exchange (like "dhe-aes128-sha1" and "dhe-aes256-sha1"). This mitigation may have an impact on interoperability with legacy clients that might not support these ciphers.</EM></STRONG></FONT></DIV> Wed, 14 Aug 2019 18:54:02 GMT https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908293#M5701 Ben Walters 2019-08-14T18:54:02Z https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908324#M5705 <P>&nbsp;</P><P><EM>How do you Enable "crypto engine large-mod-accel" exactly?&nbsp;</EM></P><P>&nbsp;</P><P>(config)# crypto ?</P><P>configure mode commands/options:<BR />ca Certification authority<BR />dynamic-map Configure a dynamic crypto map<BR />ikev1 Configure IKEv1 policy<BR />ikev2 Configure IKEv2 policy<BR />ipsec Configure transform-set, IPSec SA lifetime, and fragmentation<BR />isakmp Configure ISAKMP<BR />key Long term key operations<BR />map Configure a crypto map</P><P>exec mode commands/options:<BR />ca Certification authority<BR />(config)# crypto</P> Wed, 14 Aug 2019 19:47:35 GMT https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908324#M5705 hmc2500 2019-08-14T19:47:35Z https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908328#M5709 <P>It seems that command was for old version of hardware only, it won;t be available on the X series.&nbsp;</P><P>&nbsp;</P><P><EM>The ASA 5500-X platforms already integrate this capability to switch large modulus operations; therefore,&nbsp;<STRONG>crypto engine</STRONG>&nbsp;commands are not applicable on these platforms.</EM></P><P>&nbsp;</P><P>I guess the SSL encryption using the DH ciphers may be the only valid workaround besides seeing if it was fixed in the specified software versions as per the bug notes.&nbsp;&nbsp;</P> Wed, 14 Aug 2019 19:58:54 GMT https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908328#M5709 Ben Walters 2019-08-14T19:58:54Z https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908878#M5714 <P>One more question. does changing the ciphers affect VPN clients in anyway? Or only management access?</P> Thu, 15 Aug 2019 19:56:48 GMT https://community.cisco.com/t5/network-security/bleichenbacher-attack-on-tls-cscvg97652/m-p/3908878#M5714 hmc2500 2019-08-15T19:56:48Z