cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
880
Views
10
Helpful
7
Replies
Gregory Scholz
Beginner

CSCvg35618 - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Can't all webvpn configuration be removed while still allowing the AnyConnect client? I realize some functions like distributing client via ASA would be lost but the AnyConnect functionality for existing clients would continue to function, no?

 

7 REPLIES 7
Tim Glen
Beginner

Once you configure  'no webvpn'  the AnyConnect VPN Client will not be able to connect. 

 

 

Thanks. And it appears even leaving the "webvpn" global command but removing the "enable outside" sub-command also breaks AnyConnect.

 

Yes removing enable Outside would break AnyConnect because you are disabling the HTTPS service on the ASA that listens for the AnyConnect request. 

selvyanasp
Beginner

Hi, I just checked, my ASA firewall is not using webvpn on any interface. However, I do see that it is listening on SSL port 443 on the management IP that I'm using to access the ASA. Does the ASA considered as affected to this vulnerability then? Appreciate the feedback. Thanks!

Hello 

 

If you run  show runn webvpn   and there is no output then you do not have WebVPN enabled and you are not vulnerable.

 

I assume you have   http server enable 443    in your config.   This PSIRT \ bug does not affect the ADSM listener. 

 

HTH, Please rate!

 

Tim

 

 

It looks like the latest update states you must have webvpn enabled on an interface.  Also they state "An SSL and DTLS listen socket on TCP port 443 must be present in order for the vulnerability to be exploited"

 

This makes it sound like you have to have DTLS enabled but then the above statement says "TCP port" which is not DTLS.  

 

Our configuration uses Anyconnect but we do not leverage TLS/DTLS for transport.  Based on the latest iteration of the advisory I believe I am free and clear but still waiting on the final word from TAC. 

 

Is your Transport IKEv2 for AnyConnect clients?  

 

You can check this with this command

show runn  | inc  vpn-tunnel-protocol