
ASA 5512-X upgrade

jeffhe91713
Level 1

Hello, the device is a Cisco ASA 5512-X.

The current problem: the network regulator issued a security-vulnerability risk notice, "Cisco arbitrary file read vulnerability (CVE-2020-3452)", and recommends updating the Cisco component version.

Question 1: How should this vulnerability be handled? Can it be remediated by upgrading the firmware?

Question 2: What is the highest OS version currently available for the ASA 5512-X? Could you give a download path? What needs attention when doing a staged upgrade from the old version to the latest one?

Many thanks!

2 replies

ilay
VIP

1. You can fix this issue by upgrading the ASA to the corresponding Cisco software version (the first fixed release, or any release newer than it).

Cisco ASA Software Release    First Fixed Release for This Vulnerability
Earlier than 9.6              Migrate to a fixed release.
9.6                           9.6.4.42
9.7                           Migrate to a fixed release.
9.8                           9.8.4.20
9.9                           9.9.2.74
9.10                          9.10.1.42
9.12                          9.12.3.12
9.13                          9.13.1.10
9.14                          9.14.1.10


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

2. The final software version for the ASA 5512-X is 9.12(x); it can be downloaded from Cisco's official download page. When upgrading, take the current version into account: if the OS version is below 9.1.2, consult the Release Notes and pick an intermediate version to upgrade through first; if it is 9.1.2 or higher, in theory you can upgrade directly.

Release Notes:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/release/notes/asarn912.html#ID-2152-0000000a

Software download page:

https://software.cisco.com/download/home/284143092/type/280775065/release/9.12.4%20Interim


Hello,

First of all, Cisco has published a Security Advisory for the vulnerability you mentioned:

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Read-Only Path Traversal Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86


To determine whether you are affected:

Affected Products


  • Vulnerable Products

    This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration.

    ASA Software

    In the following table, the left column lists the Cisco ASA features that are vulnerable. The right column indicates the basic configuration for the feature from the show running-config CLI command. If the device is configured for one of these features, it is vulnerable.

    Cisco ASA Feature                                        Vulnerable Configuration
    AnyConnect IKEv2 Remote Access (with client services)    crypto ikev2 enable <interface> client-services port <port>
    AnyConnect SSL VPN                                       webvpn
                                                               enable <interface>
    Clientless SSL VPN                                       webvpn
                                                               enable <interface>

    FTD Software

    In the following table, the left column lists the Cisco FTD features that are vulnerable. The right column indicates the basic configuration for the feature from the show running-config CLI command. If the device is configured for one of these features, it is vulnerable.

    On devices running Cisco FTD Software, the show running-config command is available from Diagnostic CLI mode only. To enter Diagnostic CLI mode, use the system support diagnostic-cli command in the regular Firepower Threat Defense CLI.

    Cisco FTD Feature                                              Vulnerable Configuration
    AnyConnect IKEv2 Remote Access (with client services) [1][2]   crypto ikev2 enable <interface> client-services port <port>
    AnyConnect SSL VPN [1][2]                                      webvpn
                                                                     enable <interface>

    [1] Remote Access VPN features are enabled via Devices > VPN > Remote Access in the Cisco Firepower Management Center (FMC) or via Device > Remote Access VPN in Cisco Firepower Device Manager (FDM).
    [2] Remote Access VPN features were first supported as of Cisco FTD Software Release 6.2.2.

Question 1: How should this vulnerability be handled? Can it be remediated by upgrading the firmware?

Workarounds


  • There are no workarounds that address this vulnerability.

    To help detect and/or block attempts to exploit the vulnerability that is described in this advisory, customers who use the SSL Decryption feature for affected traffic on Cisco Firepower sensors can enable Snort rules 54598 through 54601, from SRU number 2020-07-22-001, by using the Cisco Firepower Management Center.


Fixed Releases

In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.

Cisco ASA Software

Cisco ASA Software Release    First Fixed Release for This Vulnerability
Earlier than 9.6 [1]          Migrate to a fixed release.
9.6                           9.6.4.42
9.7 [1]                       Migrate to a fixed release.
9.8                           9.8.4.20
9.9                           9.9.2.74
9.10                          9.10.1.42
9.12                          9.12.3.12
9.13                          9.13.1.10
9.14                          9.14.1.10

[1] Cisco ASA Software releases 9.5 and earlier, as well as Release 9.7, have reached end of software maintenance. Customers are advised to migrate to a supported release that includes the fix for this vulnerability.

Cisco FTD Software

Cisco FTD Software Release    First Fixed Release for This Vulnerability
Earlier than 6.2.2            Not vulnerable.
6.2.2                         Migrate to a fixed release.
6.2.3                         6.2.3.16
6.3.0                         Migrate to 6.4.0.9 + Hot Fix or to 6.6.0.1
                              or 6.3.0.5 + Hot Fix [1]
                              or 6.3.0.6 (Fall 2020)
6.4.0                         6.4.0.9 + Hot Fix [1]
                              or 6.4.0.10 (Fall 2020)
6.5.0                         Migrate to 6.6.0.1
                              or 6.5.0.4 + Hot Fix [1]
                              or 6.5.0.5 (Fall 2020)
6.6.0                         6.6.0.1

[1] For hot fix details please refer to the table below.

Cisco FTD Software Hot Fix Details

Cisco FTD Software Release    Hot Fix File Names
6.3.0.5                       Cisco_FTD_Hotfix_AV-6.3.0.6-3.sh.REL.tar
                              Cisco_FTD_SSP_Hotfix_AV-6.3.0.6-3.sh.REL.tar
                              Cisco_FTD_SSP_FP2K_Hotfix_AV-6.3.0.6-3.sh.REL.tar
6.4.0.9                       Cisco_FTD_Hotfix_BM-6.4.0.10-2.sh.REL.tar
                              Cisco_FTD_SSP_FP1K_Hotfix_BM-6.4.0.10-2.sh.REL.tar
                              Cisco_FTD_SSP_FP2K_Hotfix_BM-6.4.0.10-2.sh.REL.tar
                              Cisco_FTD_SSP_Hotfix_BM-6.4.0.10-2.sh.REL.tar
6.5.0.4                       Cisco_FTD_Hotfix_O-6.5.0.5-3.sh.REL.tar
                              Cisco_FTD_SSP_FP2K_Hotfix_O-6.5.0.5-3.sh.REL.tar
                              Cisco_FTD_SSP_FP1K_Hotfix_O-6.5.0.5-3.sh.REL.tar
                              Cisco_FTD_SSP_Hotfix_O-6.5.0.5-3.sh.REL.tar

To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:

  • For devices that are managed by using Cisco Firepower Management Center (FMC), use the FMC interface to install the upgrade. After installation is complete, reapply the access control policy.
  • For devices that are managed by using Cisco Firepower Device Manager (FDM), use the FDM interface to install the upgrade. After installation is complete, reapply the access control policy.

Question 2: What is the highest OS version currently available for the ASA 5512-X? Could you give a download path? What needs attention when doing a staged upgrade from the old version to the latest one?

Latest:

Release 9.12.4 Interim

Link:

https://software.cisco.com/download/home/284143092/type/280775065/release/9.12.4%20Interim

Upgrading is fine; refer to the Release Notes, in particular the "Important Notes" and "Upgrade the Software" sections:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa912/release/notes/asarn912.html#ID-2152-0000000a

Thanks

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rps-Cheers | If it solves your problem, please mark as answer. Thanks !
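Added example (editor's code, not part of either reply and not Cisco's advisory or tooling): the two checks the replies quote from the advisory, the "Vulnerable Configuration" table (webvpn enable / crypto ikev2 ... client-services) and the ASA "First Fixed Release" table, applied together to text captured from `show version` and `show running-config`. The sample outputs below are constructed, not from a real device. The script assumes ASA's on-box version notation `9.12(3)12` corresponds to the advisory's `9.12.3.12`, and that a train absent from the fixed-release table (9.5 and earlier, 9.7) has no fix and must be migrated.

```python
import re

# First fixed Cisco ASA Software release per train, copied from the
# advisory table quoted in the replies. Trains missing here (9.5 and
# earlier, 9.7) have no fixed release: the advisory says to migrate.
FIRST_FIXED = {
    (9, 6): (9, 6, 4, 42),
    (9, 8): (9, 8, 4, 20),
    (9, 9): (9, 9, 2, 74),
    (9, 10): (9, 10, 1, 42),
    (9, 12): (9, 12, 3, 12),
    (9, 13): (9, 13, 1, 10),
    (9, 14): (9, 14, 1, 10),
}

# Assumption: ASA prints "9.12(3)12" where the advisory writes 9.12.3.12,
# in `show version` ("Software Version") and atop `show running-config`
# ("ASA Version").
VERSION_RE = re.compile(r"(?:Software Version|ASA Version) (\d+)\.(\d+)\((\d+)\)(\d*)")
IKEV2_RE = re.compile(r"^crypto ikev2 enable \S+ client-services port \d+")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim); interim is 0 when absent."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError("no ASA software version found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def vulnerable_features(running_config):
    """Return the advisory's vulnerable features that are enabled in the config."""
    found = []
    in_webvpn = False       # inside the top-level `webvpn` block
    webvpn_enabled = False  # saw ` enable <interface>` inside that block
    for raw in running_config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            # Any top-level command ends the previous block; ` webvpn`
            # nested under group-policy attributes is indented and ignored.
            in_webvpn = (line == "webvpn")
            if IKEV2_RE.match(line):
                found.append("AnyConnect IKEv2 Remote Access (with client services)")
        elif in_webvpn and line.strip().startswith("enable "):
            webvpn_enabled = True
    if webvpn_enabled:
        # AnyConnect SSL VPN and Clientless SSL VPN both hinge on this line.
        found.append("AnyConnect SSL VPN / Clientless SSL VPN (webvpn enable)")
    return found


def format_version(v):
    return "%d.%d(%d)%s" % (v[0], v[1], v[2], v[3] if v[3] else "")


def assess(show_version, running_config):
    """Advisory logic: vulnerable only if a vulnerable feature is configured
    AND the release is below the first fixed release for its train."""
    version = parse_asa_version(show_version)
    features = vulnerable_features(running_config)
    result = {"version": format_version(version), "features": features}
    if not features:
        result.update(vulnerable=False, reason="no AnyConnect/WebVPN feature configured")
        return result
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        result.update(vulnerable=True,
                      reason="train %d.%d has no fixed release; migrate to a fixed release" % version[:2])
    elif version >= fixed:
        result.update(vulnerable=False,
                      reason="at or above first fixed release %s" % ".".join(map(str, fixed)))
    else:
        result.update(vulnerable=True,
                      reason="below first fixed release %s" % ".".join(map(str, fixed)))
    return result


# Constructed sample captures (not from a real device).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.12(2)\n"
SAMPLE_RUNNING_CONFIG = """\
: Saved
ASA Version 9.12(2)
!
hostname asa5512
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
!
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
group-policy GroupPolicy_RA attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect ssl dtls enable
!
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION, SAMPLE_RUNNING_CONFIG))
```

Run it against real captures by reading the two command outputs into strings. A device with no `webvpn enable` and no IKEv2 client-services line reports not vulnerable regardless of release, matching the advisory; 9.12(2) with either feature reports vulnerable until 9.12(3)12 or later is installed.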