In the Known Fixed Releases section of this bug, it states the bug is fixed in ASA 9.6(3.18).
When I read the 9.6(3) Interim Release Notes the bug is not listed as being fixed.
Can anyone confirm this is resolved in the latest interim release, which is 9.6(3.20)?
So at 3 pm today I printed the Release Notes to a PDF so I could mark them up in my PDF reader.
I opened a TAC case at 5 pm to discuss the confusion with an engineer. When I was on the phone with the TAC engineer I refreshed the Release Notes on the web and the bug showed up. Voilà!
TAC told us: "Unfortunately version 9.6(1) is affected; the fixed release is 22.214.171.124. We encourage our customers to make the necessary upgrades that ensure security."
So we proceeded to upgrade to that version. Does this mean we will need to upgrade again?
I agree with TAC that 9.6(1) is vulnerable.
As of this weekend, slides have been made available that detail how to exploit this issue so upgrading to fixed version should be a priority.
Please see the screenshot below for the versions that are known to be fixed.
Hope this helps
Looks like 126.96.36.199 isn't good enough after an update to the bug report.
From TAC: “Initially, the fix for the issue was on 9.6(3)20 and above. However, after further research, Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete, so new fixed code versions are now available to completely address the vulnerability.
If you want to fully fix the issue on your ASA 5545-X, you will need to upgrade to the version 9.6(4)3.”
The slides from the Recon Conference are now public and I imagine exploit tools are being created right now.
The PSIRT was updated today. 9.6(3.20) is no longer considered Fixed. For 9.6.x the First Fixed is now 9.6(4.3), see screenshot below. Hope this helps, Tim