jm.virtual01
Beginner

CSCvg35618 - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

I am confused about this bug.

My ASA 5510 version is:

Cisco Adaptive Security Appliance Software Version 9.1(7)13
Device Manager Version 7.5(1) is not what I run; Device Manager Version 7.7(1)

Webvpn is enabled on my outside interface.

I am using Cisco ASA 5510 pair.

I can see 9.1(7.20) is in the fixed releases; do I need to upgrade the software?

Tim Glen
Beginner

The version you are running is affected by this bug / vulnerability, so yes, you do need to upgrade your ASA OS.

Here is a link to the Interim Release Notes. Unfortunately, the RN do not explicitly state that this bug CSCvg35618 was fixed in any version.

https://www.cisco.com/web/software/280775065/131523/ASA-917-Interim-Release-Notes.html
Leo Laohoo
VIP Community Legend

The Release Notes take time to get updated ("process" driven). Due to the nature of the business unit, the Security Notices get updated very regularly. So the Release Notes will be updated further down the track.

My ASA 5555 version is:

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)151

Webvpn is enabled on my outside interface.

I am using a Cisco ASA 5555 pair.

I don't see 9.8.2 listed in the Affected Releases as per URL: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvg35618

Do I need to upgrade the software? Please advise.

The fix for 9.8(2) is 9.8(2)14.

You say that, but I was just told by TAC that that notice was not up to date and that we needed to look at the notice here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg35618/?reffering_site=dumpcr

Literally 20 minutes ago. It's really annoying, and I prefer the article you mention because it's easy to clearly see what revision we should be going to; the ID the rep in TAC gave me has about 10 versions for 9.8.2 that it's "fixed in".

This is great!! (sarcasm)....

The Interim Release Notes for 9.8.2 show that CSCvg35618 was fixed in 9.8(2.8). 

https://www.cisco.com/web/software/280775065/139997/ASA-982-Interim-Release-Notes.html

 

The Bug shows the Known First Fixed as 9.8(2.12).
The PSIRT shows 9.8(2.14) as First Fixed.
Here is what I would do. The latest Interim Release on the Cisco Download Site is 9.8(2.17). I would install that version.
HTH
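The confusion above comes partly from the two notations Cisco uses for the same release: "show version" prints 9.8(2)14 while the release notes and PSIRT write 9.8(2.14). The following is an added example, not code from the thread or from Cisco: a small Python helper that normalizes both notations into comparable tuples and checks a running version against a per-train First Fixed release. The FIRST_FIXED table is constructed from the numbers quoted in this thread; the PSIRT advisory is the authority for the real values.

```python
import re
from typing import Dict, Tuple

# ASA versions encode major.minor(maintenance)interim. "show version" style is
# 9.1(7)13 / 9.8(2)14 / 9.6(3).20; release-note style is 9.1(7.20) / 9.8(2.14).
# A missing interim number (9.9(1)) is treated as interim 0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)(?:\.?(\d+))?\s*$")


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Normalize an ASA version string to (major, minor, maintenance, interim)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognized ASA version string: {text!r}")
    major, minor, maint, interim_inside, interim_after = m.groups()
    if interim_inside and interim_after:
        raise ValueError(f"interim number given twice in {text!r}")
    interim = interim_inside or interim_after or "0"
    return int(major), int(minor), int(maint), int(interim)


def train(version: Tuple[int, int, int, int]) -> str:
    """The release train is major.minor, e.g. "9.8" for 9.8(2.14)."""
    return f"{version[0]}.{version[1]}"


def assess(running: str, first_fixed_by_train: Dict[str, str]) -> str:
    """Return 'fixed', 'affected' or 'unknown-train' for a running version.

    Fixes are listed per train, so a 9.8 interim says nothing about 9.1 or 9.2;
    a train missing from the table must be looked up in the advisory itself.
    """
    r = parse_asa_version(running)
    fixed = first_fixed_by_train.get(train(r))
    if fixed is None:
        return "unknown-train"
    return "fixed" if r >= parse_asa_version(fixed) else "affected"


# Constructed table from the First Fixed numbers quoted in the thread
# (assumption: the PSIRT figures are the ones to trust, as TAC advised).
FIRST_FIXED = {"9.1": "9.1(7.20)", "9.8": "9.8(2.14)", "9.9": "9.9(1.2)"}

if __name__ == "__main__":
    for v in ["9.1(7)13", "9.1(7.20)", "9.8(2)14", "9.8(2.17)", "9.9(1)", "9.2(4)5"]:
        print(f"{v:>10} -> {assess(v, FIRST_FIXED)}")
```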

Thanks Tim, I see you have run into the same thing I have been hit by myself. Let's play Russian roulette with Cisco bugs and hope we don't get bit!

I myself am on 9.9.1 currently, which is listed as "known fixed" but the other bug id page shows 9.9.1.2 as the resolved version.  TAC is saying we are good but the advisory is saying something else.  Currently in a waiting state here, don't know which Cisco resource to believe.

I see that. The bug states 9.9(1) is Known Fixed. The PSIRT states 9.9(1.2) is First Fixed; however, when I look at the Cisco Download Site, 9.9(1) has no Interim Releases available.

The security researcher who discovered this did extensive deep dives into the ASA during the month of September. 

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/

 

Assumptions Below

We can ASSUME that the researcher made Cisco aware of this in the September timeframe because he works for a White Hat Org. Plus, I've seen Fixed Interim versions of ASA OS in Nov 2017 & Dec 2017 (over a full month before we heard about this).

My feeling is that Cisco just issued this PSIRT because the researcher is going to be discussing this vulnerability at a conference in Brussels on Friday Feb 2, 2018. 

https://recon.cx/2018/brussels/talks/cisco.html

Hi, I am new to the Cisco world and I would like to know if someone can advise whether this vulnerability applies to the ASA 5505?

I went through the steps to check if my router is affected and I don't think so, because it is not running a FTD Software Release, at least I could not see one when I ran the command: show version

ASA5505# show version
Cisco Adaptive Security Appliance Software Version 9.2(4)5
Device Manager Version 7.5(1)

Thanks 

Tom Menezes

Gotta love it! We are doing 9.6(4) because apparently 9.6(3).20 has a Bug that requires a manual device reboot every 200+ days.

Leo Laohoo
VIP Community Legend


@JazzyJ wrote:

Gotta love it! We are doing 9.6(4) because apparently 9.6(3).20 has a Bug that requires a manual device reboot every 200+ days.


That is CSCvd78303 and the Field Notice can be found HERE.

Thanks for the link!

JazzyJ

I don't believe that is accurate. 

That Field Notice is HERE.

Leo also mentioned the Bug is HERE.

Specifically, the bug shows that 9.6(3) is affected by CSCvd78303.  However, this was fixed in 9.6(3.1).

This bug is not present in 9.6(3.20).  See screen shot below. 

I hope this helps clarify. 

Tim

Please rate helpful posts.

Very helpful I was looking at the wrong item. Thank you!

J