Tim Glen
Beginner

CSCvg35618 - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

In the Known Fixed Releases section of this bug, it states the bug is fixed in ASA 9.6(3.18).

When I read the 9.6(3) Interim Release Notes the bug is not listed as being fixed.

https://www.cisco.com/web/software/280775065/137781/ASA-963-Interim-Release-Notes.html

Can anyone confirm this is resolved in the latest interim release, which is 9.6(3.20)?

Thanks!

Tim

Leo Laohoo
VIP Community Legend

The Release Notes take time to get updated ("process" driven). I'd trust the Security Notice first.

So at 3 pm today I printed the Release Notes to a PDF so I could mark them up in my PDF reader.

I opened a TAC case at 5 pm to discuss the confusion with an engineer. When I was on the phone with the TAC engineer I refreshed the Release Notes on the web and the bug showed up. Voilà!

Thanks,

Tim

TAC said to us: "Unfortunately, version 9.6(1) is affected; the fixed release is 9.6.3.20. We encourage our customers to make the necessary upgrades that ensure security."

So we proceeded to upgrade to that version. Does this mean we will need to upgrade again?

 

I agree with TAC that 9.6(1) is vulnerable.

As of this weekend, slides have been made available that detail how to exploit this issue, so upgrading to a fixed version should be a priority.

Please see the screenshot below for the versions that are known to be fixed.

Bug_Search.jpg

Hope this helps

I am already off 9.6.1 ... currently using 9.6.3.20 ... what I want to confirm is whether that one is now vulnerable ...

Leo Laohoo
VIP Community Legend

9.6(3)20 is not vulnerable.

Looks like 9.6.3.20 isn't good enough after an update to the bug report.

From TAC: “Initially, the fix for the issue was on 9.6(3)20 and above. However, after further research, Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete, so new fixed code versions are now available to completely address the vulnerability.

If you want to fully fix the issue on your ASA 5545-X, you will need to upgrade to version 9.6(4)3.”

@JRDIAZ758 

The slides from the Recon Conference are now public and I imagine exploit tools are being created right now.

 

The PSIRT was updated today. 9.6(3.20) is no longer considered Fixed. For 9.6.x the First Fixed is now 9.6(4.3), see screenshot below. Hope this helps, Tim

Cisco_Systems.jpg
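Added example (my own code, not from Cisco or anyone in this thread): the thread spells the same releases several ways (9.6(3.20), 9.6(3)20, 9.6.3.20, 9.6(4)3), and the First Fixed release moved from 9.6(3.20) to 9.6(4.3) when the advisory was revised. This script normalises those spellings and checks a running version against a First Fixed table; the two tables and the "show version" sample are constructed from the values quoted above.

```python
import re
from typing import Dict, Tuple

# Constructed for this example: the "First Fixed" 9.6 releases quoted in the
# thread, before and after Cisco revised the advisory for CSCvg35618.
FIRST_FIXED_ORIGINAL: Dict[str, str] = {"9.6": "9.6(3.20)"}
FIRST_FIXED_REVISED: Dict[str, str] = {"9.6": "9.6(4.3)"}

# Constructed sample of the banner lines printed by "show version" on an ASA.
SAMPLE_SHOW_VERSION = (
    "Cisco Adaptive Security Appliance Software Version 9.6(3)20\n"
    "Device Manager Version 7.6(2)\n"
)


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise the spellings seen in this thread to (major, minor, maint, interim).

    9.6(3.20), 9.6(3)20 and 9.6.3.20 all become (9, 6, 3, 20); 9.6(4)3 becomes
    (9, 6, 4, 3). A missing maintenance/interim number pads with 0, so a base
    release such as 9.6(1) sorts below every interim build on top of it.
    """
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not 2 <= len(nums) <= 4:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    nums += [0] * (4 - len(nums))
    return nums[0], nums[1], nums[2], nums[3]


def version_from_show_version(output: str) -> str:
    """Pull the software version string out of captured 'show version' output."""
    m = re.search(r"Software Version (\S+)", output)
    if m is None:
        raise ValueError("no 'Software Version' line in output")
    return m.group(1)


def is_fixed(running: str, first_fixed: Dict[str, str]) -> bool:
    """True if `running` is at or above the First Fixed release of its train.

    Comparison is only meaningful within one train (9.6 against 9.6); a train
    with no entry in the table is reported as not fixed rather than passing.
    """
    v = parse_asa_version(running)
    fixed = first_fixed.get(f"{v[0]}.{v[1]}")
    return fixed is not None and v >= parse_asa_version(fixed)


if __name__ == "__main__":
    running = version_from_show_version(SAMPLE_SHOW_VERSION)
    for name, table in (("original", FIRST_FIXED_ORIGINAL), ("revised", FIRST_FIXED_REVISED)):
        print(f"{running} fixed per {name} advisory: {is_fixed(running, table)}")
```

Re-run it against the current advisory table whenever the PSIRT is revised; the same version that passed the original table fails the revised one.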

Leo Laohoo
VIP Community Legend

The reason why the table has been updated is because they've added a different vulnerability on top of the original one (adding to the confusion).