CSCus08101 - ASA evaluation of Poodle Bites in TLSv1

rhoisington3
Beginner

Will Cisco provide an update to the legacy ASA product line like the 5510, 5520, 5540?  Code seems to have stopped for these platforms.


Jason Pepling
Beginner

Interim update 915-20-k8.bin released on Dec. 19th patches the POODLE SSL 3.0 exploit on the ASA, but what about the TLSv1.0 exploit also?

Hello Guys,

the POODLE SSL 3.0 and TLSv1.0 bug is fixed in Release 8.4(7)26. I have tested this image and can acknowledge the functionality.

According to the information I received from TAC, it should also be fixed in 9.0.4 and 9.1.6. But I have not tested these images myself.

You can quickly check for POODLE vulnerabilities at:

https://www.ssllabs.com/ssltest/

Best Regards

Ayhan

Hello,

I can also confirm that the bug is fixed in 8.2.5.55. I have tested that image. According to Cisco, the list of fixed releases is as follows:

8.2 Train: 8.2.5.55
8.4 Train: 8.4.7.26
9.0 Train: 9.0.4.29
9.1 Train: 9.1.6
9.2 Train: 9.2.3.2
9.3 Train: 9.3.2.2
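As an added example that is not part of this thread or of any Cisco tooling, a small Python helper that parses ASA version strings in the notations used in these posts and checks them against the fixed-release list above. The ordering rule it applies (a later maintenance release in the same train, or the same maintenance release with a higher interim number, carries the fix) is an assumption, and the `9.3(2.200)`-style notation is reported as unrecognized rather than guessed at.

```python
import re

# Fixed releases as listed in the post above: train -> first fixed release.
FIXED_RELEASES = {
    "8.2": "8.2.5.55",
    "8.4": "8.4.7.26",
    "9.0": "9.0.4.29",
    "9.1": "9.1.6",
    "9.2": "9.2.3.2",
    "9.3": "9.3.2.2",
}

# Accepted notations: "9.3(2)2", "9.3(2)", "9.3.2.2", "9.3.2".
# The "9.3(2.200)" form that appears later in the thread is deliberately not
# accepted: how it relates to the interim numbering is not something this
# helper can infer, so such strings are reported as unrecognized.
_PAREN = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")
_DOTTED = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim), or None if unrecognized."""
    text = text.strip()
    m = _PAREN.match(text) or _DOTTED.match(text)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def poodle_tls_status(running_version):
    """Classify a running version against FIXED_RELEASES.
    Assumption (not stated in the thread): within one train, a later maintenance
    release, or the same maintenance release with a higher interim, has the fix."""
    running = parse_asa_version(running_version)
    if running is None:
        return "unrecognized notation; check the bug tool"
    train = f"{running[0]}.{running[1]}"
    fixed_text = FIXED_RELEASES.get(train)
    if fixed_text is None:
        return "train not in the fixed-release table"
    fixed = parse_asa_version(fixed_text)
    return "fixed" if running >= fixed else f"not fixed; upgrade to {fixed_text}"


def status_from_show_version(output):
    """Pull the version out of 'show version' text (constructed sample format)."""
    m = re.search(r"Software Version (\S+)", output)
    return poodle_tls_status(m.group(1)) if m else "version line not found"
```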


Was told in an open case on the 24th of February it was slated for release the next day barring any further delays. Obviously there was something that held up the process judging by the situation today. Still waiting for 9.1.6 to release for multiple ASA platforms here...

9.1.6 is out, go grab it!

Although I can't seem to really find any release notes on it.. Maybe I'm too quick! :)


To anyone looking for it, make sure to expand the "Latest" section on the left side. 9.1.5 still is the one showing up as recommended when you first get to the download page.

The 9.1.6 release is for only the SMP edition. We need the non-SMP edition. Cisco, any ETA for Non-SMP?

Let's make this even more exciting... 9.1.6 seems to have been pulled from the Download Center. Anyone have any idea why? It was up earlier but is gone now.


Also, I downloaded the SMP version before and it definitely did NOT have SMP in the filename... and it is working on my 5505 in the lab here.


EDIT: 1:36pm: and it's back online for all platforms!

In the release notes the bug cannot be found as fixed for 9.1.6:

https://tools.cisco.com/bugsearch/search?kw=*&pf=prdNm&pfVal=279513386&rls=9.1(5.20),9.1(5.21),9.1(6)&sb=fr&sts=fd&svr=3nH&srtBy=byRel)

In the bug article (https://tools.cisco.com/bugsearch/bug/CSCus08101) it is said it would be fixed in 9.1.6, but 9.1.6 is released and it does not appear in the "known fixed releases" section?

Got confirmation from TAC. Bug is solved in the currently released 9.1.6.

Hi all,

I upgraded to 9.2.4 on my 5585-X. But when I tested via browser with TLS 1.2 only (IE), the page shows an error.

So, does this version (9.2.4) fix CSCus08101?

Thanks.

I can confirm that right now on my 5515X I have 9.3.2(200) installed and the above SSL test site STILL shows the POODLE BITES:

This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F.

Of course you're vulnerable. You need ASA 9.3(2)2, not 9.3(2.200).

I never saw, nor do I currently see a 9.3(2).2 (or variations).

I have updated one of my 5515X to 9.4.1 and I am now seeing an A- instead of an F. So that is MUCH better.
