https://community.cisco.com/t5/network-security/do-i-need-to-patch-my-asa/m-p/3363540#M962882 <DIV class="usertext-body may-blank-within md-container "> <DIV class="md"> <P>Hello,</P> <P>I have a cisco asa 5525 and I found out there is a vulnerability ( cisco-sa-20180129-asa1 ) and I dont know if my version is vulnerable (my version is 9.6.3) . According to this site ( <A href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed</A> ) I think it is vulnerable but I'm not sure. Can you guys please help me ? Thanks a lot.</P> </DIV> </DIV> Fri, 21 Feb 2020 15:37:04 GMT toxqsd 2020-02-21T15:37:04Z https://community.cisco.com/t5/network-security/do-i-need-to-patch-my-asa/m-p/3363540#M962882 <DIV class="usertext-body may-blank-within md-container "> <DIV class="md"> <P>Hello,</P> <P>I have a cisco asa 5525 and I found out there is a vulnerability ( cisco-sa-20180129-asa1 ) and I dont know if my version is vulnerable (my version is 9.6.3) . According to this site ( <A href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed" target="_blank">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed</A> ) I think it is vulnerable but I'm not sure. Can you guys please help me ? Thanks a lot.</P> </DIV> </DIV> Fri, 21 Feb 2020 15:37:04 GMT https://community.cisco.com/t5/network-security/do-i-need-to-patch-my-asa/m-p/3363540#M962882 toxqsd 2020-02-21T15:37:04Z https://community.cisco.com/t5/network-security/do-i-need-to-patch-my-asa/m-p/3363548#M962883 <P>9.6.3 is an affected release. But the vulnerability can only be exploited if you have one of the features enabled as documented in the vulnerability documentation:</P> <TABLE border="3" cellspacing="0" cellpadding="6"> <THEAD> <TR> <TH><SPAN><STRONG>Feature</STRONG></SPAN></TH> <TH><SPAN><STRONG>Vulnerable Configuration</STRONG></SPAN></TH> </TR> </THEAD> <TBODY> <TR> <TD>Adaptive Security Device Manager (ASDM)<SUP>1</SUP></TD> <TD>http server enable &lt;port&gt;<BR />http &lt;remote_ip_address&gt; &lt;remote_subnet_mask&gt; &lt;interface_name&gt;</TD> </TR> <TR> <TD>AnyConnect IKEv2 Remote Access (with client services)</TD> <TD>crypto ikev2 enable &lt;interface_name&gt; client-services port &lt;port #&gt;<BR />webvpn<BR />&nbsp;&nbsp; anyconnect enable</TD> </TR> <TR> <TD>AnyConnect IKEv2 Remote Access (without client services)</TD> <TD>crypto ikev2 enable &lt;interface_name&gt;<BR />webvpn<BR />&nbsp;&nbsp; anyconnect enable</TD> </TR> <TR> <TD>AnyConnect SSL VPN</TD> <TD>webvpn<BR />&nbsp;&nbsp; enable &lt;interface_name&gt;</TD> </TR> <TR> <TD>Cisco Security Manager<SUP>2</SUP></TD> <TD>http server enable &lt;port&gt;<BR />http &lt;remote_ip_address&gt; &lt;remote_subnet_mask&gt; &lt;interface_name&gt;<SPAN>&nbsp;</SPAN></TD> </TR> <TR> <TD>Clientless SSL VPN</TD> <TD>webvpn<BR />&nbsp;&nbsp; enable &lt;interface_name&gt;</TD> </TR> <TR> <TD>Cut-Through Proxy (Not vulnerable unless used in conjunction with other vulnerable features on the same port)</TD> <TD>aaa authentication listener &lt;interface_name&gt; port &lt;number&gt;</TD> </TR> <TR> <TD>Local Certificate Authority (CA)</TD> <TD>crypto ca server<BR />&nbsp;no shutdown</TD> </TR> <TR> <TD>Mobile Device Manager (MDM) Proxy<SUP>3</SUP></TD> <TD>mdm-proxy<BR />&nbsp; enable &lt;interface_name&gt;</TD> </TR> <TR> <TD>Mobile User Security (MUS)</TD> <TD>webvpn<BR />&nbsp;mus password &lt;password&gt;<BR />&nbsp;mus server enable port &lt;port #&gt;<BR />&nbsp;mus &lt;address&gt; &lt;mask&gt; &lt;interface_name&gt;</TD> </TR> <TR> <TD>Proxy Bypass</TD> <TD>webvpn<SPAN>&nbsp;</SPAN><BR />&nbsp; proxy-bypass</TD> </TR> <TR> <TD>REST API<SUP>4</SUP></TD> <TD>rest-api image disk0:/&lt;image name&gt;<BR />rest-api agent</TD> </TR> <TR> <TD>Security Assertion Markup Language (SAML) Single Sign-On (SSO)<SUP>5</SUP></TD> <TD>N/A</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>An upgrade to 9.6.4.3 is recommended if you any of the above features enabled.</P> Tue, 10 Apr 2018 15:52:34 GMT https://community.cisco.com/t5/network-security/do-i-need-to-patch-my-asa/m-p/3363548#M962883 Rahul Govindan 2018-04-10T15:52:34Z