1. Upgrading the ASA software to the corresponding Cisco release (or to any release newer than the first fixed release) resolves this issue.
| Cisco ASA Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 9.6 | Migrate to a fixed release. |
| 9.6 | 9.6.4.42 |
| 9.7 | Migrate to a fixed release. |
| 9.8 | 9.8.4.20 |
| 9.9 | 9.9.2.74 |
| 9.10 | 9.10.1.42 |
| 9.12 | 9.12.3.12 |
| 9.13 | 9.13.1.10 |
| 9.14 | 9.14.1.10 |
2. The final software release for the ASA 5512-X is 9.12(x); it can be downloaded from Cisco's official download page. When upgrading, take your current version into account: if the IOS version is below 9.1.2, consult the Release Notes and first upgrade to an intermediate release; if it is 9.1.2 or later, in theory you can upgrade directly.
Release Notes:
Software download page:
https://software.cisco.com/download/home/284143092/type/280775065/release/9.12.4%20Interim
Hello,
First, Cisco has published a Security Advisory for the vulnerability you mentioned.
Determining whether you are affected:
This vulnerability affects Cisco products if they are running a vulnerable release of Cisco ASA Software or Cisco FTD Software with a vulnerable AnyConnect or WebVPN configuration.
In the following table, the left column lists the Cisco ASA features that are vulnerable. The right column indicates the basic configuration for the feature from the show running-config CLI command. If the device is configured for one of these features, it is vulnerable.
| Cisco ASA Feature | Vulnerable Configuration |
|---|---|
| AnyConnect IKEv2 Remote Access (with client services) | crypto ikev2 enable <interface_name> client-services port <port> |
| AnyConnect SSL VPN | webvpn |
| Clientless SSL VPN | webvpn |
In the following table, the left column lists the Cisco FTD features that are vulnerable. The right column indicates the basic configuration for the feature from the show running-config CLI command. If the device is configured for one of these features, it is vulnerable.
On devices running Cisco FTD Software, the show running-config command is available from Diagnostic CLI mode only. To enter Diagnostic CLI mode, use the system support diagnostic-cli command in the regular Firepower Threat Defense CLI.
| Cisco FTD Feature | Vulnerable Configuration |
|---|---|
| AnyConnect IKEv2 Remote Access (with client services) | crypto ikev2 enable <interface_name> client-services port <port> |
| AnyConnect SSL VPN | webvpn |
Question 1: How should this vulnerability be handled? Can it be fixed by upgrading the firmware?
There are no workarounds that address this vulnerability.
To help detect and/or block attempts to exploit the vulnerability that is described in this advisory, customers who use the SSL Decryption feature for affected traffic on Cisco Firepower sensors can enable Snort rules 54598 through 54601, from SRU number 2020-07-22-001, by using the Cisco Firepower Management Center.
In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerability described in this advisory and the first release that includes the fix for this vulnerability.
Cisco ASA Software
| Cisco ASA Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 9.6 | Migrate to a fixed release. |
| 9.6 | 9.6.4.42 |
| 9.7 | Migrate to a fixed release. |
| 9.8 | 9.8.4.20 |
| 9.9 | 9.9.2.74 |
| 9.10 | 9.10.1.42 |
| 9.12 | 9.12.3.12 |
| 9.13 | 9.13.1.10 |
| 9.14 | 9.14.1.10 |
Cisco FTD Software
| Cisco FTD Software Release | First Fixed Release for This Vulnerability |
|---|---|
| Earlier than 6.2.2 | Not vulnerable. |
| 6.2.2 | Migrate to a fixed release. |
| 6.2.3 | 6.2.3.16 |
| 6.3.0 | Migrate to 6.4.0.9 + Hot Fix, or to 6.6.0.1, or 6.3.0.5 + Hot Fix, or 6.3.0.6 (Fall 2020) |
| 6.4.0 | 6.4.0.9 + Hot Fix, or 6.4.0.10 (Fall 2020) |
| 6.5.0 | Migrate to 6.6.0.1, or 6.5.0.4 + Hot Fix, or 6.5.0.5 (Fall 2020) |
| 6.6.0 | 6.6.0.1 |
Cisco FTD Software Hot Fix Details
| Cisco FTD Software Release | Hot Fix Files |
|---|---|
| 6.3.0.5 | Cisco_FTD_Hotfix_AV-6.3.0.6-3.sh.REL.tar, Cisco_FTD_SSP_Hotfix_AV-6.3.0.6-3.sh.REL.tar, Cisco_FTD_SSP_FP2K_Hotfix_AV-6.3.0.6-3.sh.REL.tar |
| 6.4.0.9 | Cisco_FTD_Hotfix_BM-6.4.0.10-2.sh.REL.tar, Cisco_FTD_SSP_FP1K_Hotfix_BM-6.4.0.10-2.sh.REL.tar, Cisco_FTD_SSP_FP2K_Hotfix_BM-6.4.0.10-2.sh.REL.tar, Cisco_FTD_SSP_Hotfix_BM-6.4.0.10-2.sh.REL.tar |
| 6.5.0.4 | Cisco_FTD_Hotfix_O-6.5.0.5-3.sh.REL.tar, Cisco_FTD_SSP_FP2K_Hotfix_O-6.5.0.5-3.sh.REL.tar, Cisco_FTD_SSP_FP1K_Hotfix_O-6.5.0.5-3.sh.REL.tar, Cisco_FTD_SSP_Hotfix_O-6.5.0.5-3.sh.REL.tar |
To upgrade to a fixed release of Cisco FTD Software, customers can do one of the following:
Question 2: For the ASA 5512-X, what is the highest OS version currently available? Can you give the download path? What needs attention when upgrading from an old version to the latest one?
Latest:
Link:
https://software.cisco.com/download/home/284143092/type/280775065/release/9.12.4%20Interim
Upgrading is possible; refer to the Release Notes:
&
Thanks
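As an added example (not from this thread and not Cisco tooling), the following Python script applies the two checks the advisory describes to an ASA offline: it looks for the vulnerable features in a saved `show running-config`, and compares the running release against the first-fixed table quoted above. It covers ASA only (the FTD table with its hot fixes is not modelled). The fixed-release table is transcribed from the text above; the regexes assume the standard ASA running-config layout, where global `webvpn` and `crypto ikev2 enable ... client-services` lines are unindented while the `webvpn` sub-mode inside a group-policy is indented; the sample config and version strings are constructed for the demonstration.

```python
import re

# Added example: offline check of an ASA against the advisory tables quoted in
# this thread. It is not Cisco's tooling; the table below is transcribed from
# the advisory text above, and the sample config is constructed.

# ASA train -> first fixed release. None means the advisory says "migrate to a
# fixed release" (no fix is shipped in that train); trains below 9.6 also migrate.
ASA_FIRST_FIXED = {
    "9.6": "9.6.4.42",
    "9.7": None,
    "9.8": "9.8.4.20",
    "9.9": "9.9.2.74",
    "9.10": "9.10.1.42",
    "9.12": "9.12.3.12",
    "9.13": "9.13.1.10",
    "9.14": "9.14.1.10",
}

# Feature name -> regex for the top-level running-config line the advisory lists.
# Lines are matched unindented (assumed standard ASA layout), so the 'webvpn'
# sub-mode inside a group-policy (indented) does not count; only the global
# 'webvpn' section does.
VULNERABLE_FEATURES = [
    ("AnyConnect IKEv2 Remote Access (with client services)",
     re.compile(r"^crypto ikev2 enable \S+ client-services(?: port \d+)?\s*$", re.M)),
    ("AnyConnect SSL VPN / Clientless SSL VPN",
     re.compile(r"^webvpn\s*$", re.M)),
]

# Matches both 'show version' ("...Software Version 9.12(3)9") and the first
# line of a running-config ("ASA Version 9.12(3)9").
_VERSION_RE = re.compile(r"(?:Software|ASA) Version\s+(\d+)\.(\d+)\((\d+)\)(\d*)")


def parse_asa_version(text):
    """Return the ASA release as a tuple, e.g. '9.12(3)9' -> (9, 12, 3, 9)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no ASA version string found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_tuple(dotted):
    """'9.12.3.12' -> (9, 12, 3, 12) so releases compare as tuples."""
    return tuple(int(x) for x in dotted.split("."))


def asa_release_status(version):
    """Classify a version tuple against ASA_FIRST_FIXED.

    Returns (train, status, first_fixed) with status one of
    'fixed', 'vulnerable', 'migrate' or 'not-listed' (train newer than the table).
    """
    train = f"{version[0]}.{version[1]}"
    if version < (9, 6):
        return train, "migrate", None
    if train not in ASA_FIRST_FIXED:
        return train, "not-listed", None
    fixed = ASA_FIRST_FIXED[train]
    if fixed is None:
        return train, "migrate", None
    status = "fixed" if version >= version_tuple(fixed) else "vulnerable"
    return train, status, fixed


def vulnerable_features(running_config):
    """Names of the advisory's vulnerable features present in a running-config."""
    return [name for name, rx in VULNERABLE_FEATURES if rx.search(running_config)]


def assess(running_config, show_version=None):
    """Combine the release check and the configuration check.

    'exposed' is True only when the release is not fixed AND at least one
    vulnerable feature is configured, which is the advisory's own criterion.
    """
    version = parse_asa_version(show_version or running_config)
    train, status, first_fixed = asa_release_status(version)
    features = vulnerable_features(running_config)
    return {
        "version": version,
        "train": train,
        "release_status": status,
        "first_fixed": first_fixed,
        "vulnerable_features": features,
        "exposed": status in ("vulnerable", "migrate") and bool(features),
    }


# Constructed sample: an ASA 5512-X style config on 9.12(3)9 with both
# AnyConnect IKEv2 client services and the global webvpn section enabled.
SAMPLE_RUNNING_CONFIG = """\
ASA Version 9.12(3)9
!
hostname asa5512
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
crypto ikev2 enable outside client-services port 443
webvpn
 enable outside
 anyconnect enable
group-policy GroupPolicy_AnyConnect internal
group-policy GroupPolicy_AnyConnect attributes
 webvpn
  anyconnect keep-installer installed
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the text of `show running-config` (and optionally `show version`) captured from the device. For the sample above it reports release 9.12(3)9 as vulnerable with first fix 9.12.3.12 and both features present, so `exposed` is true; a box on 9.12(3)12 or later with the same config would be reported as fixed, and a 9.1 or 9.7 box as needing migration regardless of its interim number.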