Can't all webvpn configuration be removed while still allowing the AnyConnect client? I realize some functions like distributing client via ASA would be lost but the AnyConnect functionality for existing clients would continue to function, no?
Yes, removing "enable Outside" would break AnyConnect, because you are disabling the HTTPS service on the ASA that listens for AnyConnect requests.
Hi, I just checked; my ASA firewall is not using webvpn on any interface. However, I do see that it is listening on SSL port 443 on the management IP that I'm using to access the ASA. Is the ASA considered affected by this vulnerability then? Appreciate the feedback. Thanks!
If you run "show run webvpn" and there is no output, then you do not have WebVPN enabled and you are not vulnerable.
I assume you have "http server enable 443" in your config. This PSIRT / bug does not affect the ASDM listener.
HTH, Please rate!
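As an added example (not code from the original thread, and not Cisco's own tooling), here is a small Python audit that applies the checks from the answer above to a saved copy of "show running-config": it reports whether the top-level "webvpn" block enables WebVPN on any interface (the listener the advisory is concerned with) and, separately, whether an "http server enable" ASDM/HTTPS management listener is present, since the two are distinct. The configurations embedded in it are constructed for illustration; the parser assumes the standard ASA layout where top-level commands sit at column 0 and sub-commands are indented by one space, and it treats the "tls-only" keyword on "enable <interface>" as meaning no DTLS listener on that interface.

```python
"""Audit an ASA running-config for WebVPN vs. management-only HTTPS listeners.

Added example, not code from the original thread or from Cisco.  The sample
configs below are constructed.  Assumes the layout 'show running-config'
emits: top-level commands at column 0, sub-commands indented one space.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ListenerAudit:
    # interface name -> whether 'tls-only' was set (tls-only = no DTLS listener)
    webvpn_interfaces: Dict[str, bool] = field(default_factory=dict)
    anyconnect_enabled: bool = False
    http_server_port: Optional[int] = None      # ASDM / HTTPS management listener
    http_allowed_from: List[str] = field(default_factory=list)


def _blocks(config_text: str):
    """Yield (top-level command, [stripped sub-lines]) pairs."""
    header, children = None, []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):                 # indented -> belongs to current header
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def audit_listeners(config_text: str) -> ListenerAudit:
    audit = ListenerAudit()
    for header, children in _blocks(config_text):
        if header == "webvpn":
            # Only the top-level 'webvpn' block carries 'enable <iface>'.  The
            # 'webvpn' sub-sections under 'group-policy ... attributes' are
            # indented, so they arrive here as children of that other header.
            for line in children:
                m = re.match(r"enable (\S+)( tls-only)?$", line)
                if m:
                    audit.webvpn_interfaces[m.group(1)] = bool(m.group(2))
                elif line == "anyconnect enable":
                    audit.anyconnect_enabled = True
        elif header.startswith("http server enable"):
            parts = header.split()
            audit.http_server_port = int(parts[3]) if len(parts) > 3 else 443
        elif re.match(r"http \S+ \S+ \S+$", header):   # 'http <net> <mask> <iface>'
            audit.http_allowed_from.append(header)
    return audit


def verdict(audit: ListenerAudit) -> str:
    """Collapse the audit into the three states the thread distinguishes."""
    if audit.webvpn_interfaces:
        return "webvpn-enabled"
    if audit.http_server_port is not None:
        return "management-https-only"
    return "no-https-listener"


# Constructed sample: WebVPN + AnyConnect on 'outside', ASDM on 'management'.
WEBVPN_CONFIG = """\
hostname asa-edge
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
http server enable 443
http 10.0.0.0 255.255.255.0 management
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy GP-AC attributes
 vpn-tunnel-protocol ssl-client
 webvpn
  anyconnect ssl dtls none
"""

# Constructed sample: the poster's situation, ASDM listener only, no webvpn block.
MGMT_ONLY_CONFIG = """\
hostname asa-lab
http server enable 443
http 192.0.2.0 255.255.255.0 management
"""

if __name__ == "__main__":
    for name, cfg in (("edge", WEBVPN_CONFIG), ("lab", MGMT_ONLY_CONFIG)):
        a = audit_listeners(cfg)
        print(name, verdict(a), a.webvpn_interfaces, a.http_server_port)
```

Run it against a file instead of the embedded samples by reading the saved config into a string and passing it to audit_listeners(); the verdict "management-https-only" corresponds to the case in this thread where only the ASDM listener is present.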
It looks like the latest update states you must have webvpn enabled on an interface. They also state: "An SSL and DTLS listen socket on TCP port 443 must be present in order for the vulnerability to be exploited."
This makes it sound like you have to have DTLS enabled, but then the above statement says "TCP port", which is not DTLS.
Our configuration uses AnyConnect, but we do not leverage TLS/DTLS for transport. Based on the latest iteration of the advisory, I believe I am free and clear, but I am still waiting on the final word from TAC.