CSCvg35618 - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Gregory Scholz
Level 1

Can't all webvpn configuration be removed while still allowing the AnyConnect client? I realize some functions like distributing client via ASA would be lost but the AnyConnect functionality for existing clients would continue to function, no?

 

7 Replies

Tim Glen
Cisco Employee

Once you configure 'no webvpn', the AnyConnect VPN Client will not be able to connect.

Thanks. And it appears even leaving the "webvpn" global command but removing the "enable outside" sub-command also breaks AnyConnect.
Yes, removing "enable outside" would break AnyConnect because you are disabling the HTTPS service on the ASA that listens for the AnyConnect request.

selvyanasp
Level 1

Hi, I just checked, and my ASA firewall is not using webvpn on any interface. However, I do see that it is listening on SSL port 443 on the management IP that I'm using to access the ASA. Is the ASA then considered affected by this vulnerability? Appreciate the feedback. Thanks!

Hello,

If you run "show runn webvpn" and there is no output, then you do not have WebVPN enabled and you are not vulnerable.

I assume you have "http server enable 443" in your config. This PSIRT / bug does not affect the ASDM listener.

HTH, please rate!

Tim


It looks like the latest update states you must have webvpn enabled on an interface. They also state: "An SSL and DTLS listen socket on TCP port 443 must be present in order for the vulnerability to be exploited."

This makes it sound like you have to have DTLS enabled, but then the above statement says "TCP port", which is not DTLS.

Our configuration uses AnyConnect, but we do not leverage TLS/DTLS for transport. Based on the latest iteration of the advisory I believe I am free and clear, but I am still waiting on the final word from TAC.


Is your transport IKEv2 for AnyConnect clients?

You can check this with this command:

show runn | inc vpn-tunnel-protocol
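The checks discussed across this thread (whether the global webvpn block enables an interface, whether "http server enable" is a separate listener, and which group policies carry an SSL transport in vpn-tunnel-protocol) can be automated over a saved copy of the running configuration. The following is an added example written for this page, not code from Cisco or from any poster; the running-config excerpt is constructed for illustration, and the vpn-tunnel-protocol keywords it looks for are the standard ASA values ssl-client and ssl-clientless.

```python
"""Audit an ASA running-config text for the indicators discussed in the thread:
a global 'webvpn' block with 'enable <interface>', the separate ASDM listener
('http server enable'), and group policies whose vpn-tunnel-protocol includes SSL.
"""
from __future__ import annotations

import re

# Constructed sample running-config excerpt (not taken from any real device).
SAMPLE_CONFIG = """\
hostname ASA-LAB
http server enable 443
http 10.0.0.0 255.255.255.0 management
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
group-policy GP-SSL internal
group-policy GP-SSL attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
group-policy GP-IKEV2 internal
group-policy GP-IKEV2 attributes
 vpn-tunnel-protocol ikev2
"""

# Standard ASA keywords that select an SSL/TLS (and DTLS) transport.
SSL_PROTOCOLS = {"ssl-client", "ssl-clientless"}


def parse_webvpn_interfaces(config: str) -> list[str]:
    """Return interfaces named by 'enable <iface>' lines inside the global
    'webvpn' block only (sub-mode 'webvpn' under a group-policy is ignored).
    An empty list matches the 'show runn webvpn has no output' case above."""
    interfaces: list[str] = []
    in_block = False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command starts a new block
            in_block = line.strip() == "webvpn"
            continue
        if in_block:
            m = re.match(r"\s+enable\s+(\S+)", line)
            if m:
                interfaces.append(m.group(1))
    return interfaces


def parse_tunnel_protocols(config: str) -> dict[str, set[str]]:
    """Map each group-policy name to its vpn-tunnel-protocol keyword set,
    read from the policy's 'attributes' section."""
    result: dict[str, set[str]] = {}
    current: str | None = None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"group-policy\s+(\S+)\s+attributes", line)
            current = m.group(1) if m else None
            continue
        if current:
            m = re.match(r"\s+vpn-tunnel-protocol\s+(.+)", line)
            if m:
                result[current] = set(m.group(1).split())
    return result


def parse_http_server_port(config: str) -> str | None:
    """Return the port given on 'http server enable <port>' (the ASDM listener
    the thread distinguishes from WebVPN), or None if the command is absent."""
    m = re.search(r"^http server enable(?:\s+(\d+))?\s*$", config, re.MULTILINE)
    if not m:
        return None
    return m.group(1)  # None when no explicit port was configured


def assess(config: str) -> dict:
    """Summarise the indicators so an operator can compare them with the advisory."""
    ifaces = parse_webvpn_interfaces(config)
    protos = parse_tunnel_protocols(config)
    ssl_policies = sorted(n for n, p in protos.items() if p & SSL_PROTOCOLS)
    return {
        "webvpn_interfaces": ifaces,
        "webvpn_enabled": bool(ifaces),
        "ssl_group_policies": ssl_policies,
        "asdm_http_port": parse_http_server_port(config),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the output of "show running-config" saved to a file instead of the sample; a policy that lists only ikev1/ikev2/l2tp-ipsec, with no interface under the global webvpn block, corresponds to the "not vulnerable" case Tim describes, while an "enable <interface>" line under webvpn is the condition the poster above was asking about.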