CSCuu83280 - Evaluation of OpenSSL - ASA 9.4(4)18
10-18-2018 03:06 AM
We are using an ASA 5585 with version 9.4(4)18, but this version doesn't appear in either the affected or the fixed versions. Could anybody tell me if this version could be affected?
Thanks!!!
Accepted Solutions
10-18-2018 03:32 AM - edited 10-18-2018 03:40 AM
Hi there,
Sadly you have to do a bit of sleuthing to work this out. The CVE relating to your bug:
https://nvd.nist.gov/vuln/detail/CVE-2015-1790
…mentions the OpenSSL versions vulnerable…
The open-source software for 9.4(1):
…states that it uses 1.0.1l, so this version is vulnerable.
The patch notes for 9.4(4)18 do not mention the original CVE, but do mention the following CVE as being fixed in 9.4(4)17:
https://nvd.nist.gov/vuln/detail/CVE-2017-3737
…which mentions OpenSSL 1.0.2b
So…we can infer that the 9.4(4)18 is running a newer version of OpenSSL 1.0.2b and therefore is not vulnerable to CSCuu83280.
:)
Cheers,
Seb.
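The version comparison the answer above does by hand, as an added example that is not part of the thread and is not Cisco or OpenSSL code: it orders letter-suffixed OpenSSL versions and checks them against a per-branch "first fixed" table. The `FIXED_IN` values are an assumption taken from the upstream OpenSSL advisory for CVE-2015-1790, not from this page, and the function names are hypothetical.

```python
import re

# Assumption: first fixed release per OpenSSL branch for CVE-2015-1790, taken
# from the upstream OpenSSL advisory, not from this thread. Confirm the values
# against the NVD entry linked in the answer before relying on them.
FIXED_IN = {"0.9.8": "zg", "1.0.0": "s", "1.0.1": "n", "1.0.2": "b"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]{0,2})$")


def parse(version):
    """Split a pre-3.0 OpenSSL version such as '1.0.1l' into (branch, letters)."""
    m = _VERSION.match(version.strip().lower())
    if not m:
        raise ValueError(f"not a letter-suffixed OpenSSL version: {version!r}")
    return ".".join(m.group(1, 2, 3)), m.group(4)


def patch_rank(letters):
    """Sort key for patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return (len(letters), letters)


def is_affected(version, fixed_in=FIXED_IN):
    """True or False when the branch is in the table, None when it is not."""
    branch, letters = parse(version)
    if branch not in fixed_in:
        return None  # branch not covered by the table: no verdict
    return patch_rank(letters) < patch_rank(fixed_in[branch])


if __name__ == "__main__":
    # The two OpenSSL versions quoted in the answer above.
    for v in ("1.0.1l", "1.0.2b"):
        print(v, "affected" if is_affected(v) else "not affected")
```

The result describes upstream OpenSSL only; a vendor image can carry backported fixes under an older version string, so the vendor's own bug entry remains the authority for a given ASA release.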
