Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3045
Views
30
Helpful
5
Replies

CSCvg35618 - Referred 9.9.1.2 not available

gjburg
Level 1
Level 1

‎01-31-2018 05:50 AM - edited ‎03-20-2019 09:52 PM

Following the webvpn critical security notification is ASA version 9.9 which we use since december also affected. According to Cisco's reference is the first fixed version 9.9.1.2 which isn't available for download (yet).
The only version is 9.9.1 itself from december which is most likely 9.9.1.0,

When will 9.9.1.2 or higher become available?

 

36 people had this problem
Labels:
5 Replies 5

fschealth
Level 1
Level 1

‎01-31-2018 08:40 AM - edited ‎01-31-2018 09:33 AM

I just opened a TAC case to talk about this same thing and was told 9.9.1.2 is not yet finished and should be out in several days.  I was told however that its fixed in 9.9.1 regardless, which according to the link I will paste below is correct but I have no idea which Cisco team to believe.  The 9.9.1 release IS shown as a "fixed in" release though.  Confusing as hell.

Would like to point out however that the 9.9.1 code was released 17 December 2017 so I HIGHLY doubt its a valid "fixed in" for this bug.  Maybe but PROBABLY NOT.

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg35618/?reffering_site=dumpcr

 

2018-01-31 08_41_24-Bug Search - Internet Explorer.png

Tim Glen
Cisco Employee
Cisco Employee
In response to fschealth

‎01-31-2018 09:46 AM

I agree 9.9(1.2) is not available. 

I agree that CSCvg35618 is not listed as fixed in the ASA 9.9(1) Release Notes. 

 

However, I'd proffer that Cisco has known about this vulnerability for at least a few months. 

 

The security researcher who discovered this did extensive deep dives into the ASA during the month of September. 

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/cisco-asa-series-part-one-intro-to-the-cisco-asa/

 

Assumptions Below

We can ASSUME that the researcher made Cisco aware of this in the September timeframe because he works for a White Hat Org. Plus, I've seen Fixed Interim versions of ASA OS in Nov 2017 & Dev 2017 (over a full month before we heard about this).  

 

My feeling is that Cisco just issued this PSIRT because the researcher is going to be discussing this vulnerability at a conference in Brussels on Friday Feb 2, 2018. 

https://recon.cx/2018/brussels/talks/cisco.html

 

 

fschealth
Level 1
Level 1
In response to Tim Glen

‎01-31-2018 09:49 AM - edited ‎01-31-2018 09:50 AM

I was going to say this in the other thread but I will put it in here instead:

Well, crossing my fingers that 9.9(1) fixes this but man I don't trust the vendor.  How can I tell management its "probably" resolved?  "Maybe" resolved?

Cisco needs to get their act together as this kind of thing removes confidence that they are handling issues correctly and there is really no reason for it.  Management and organisational structure failure to have two different messages coming out of the same company about a security issue.

0 Helpful

Tim Glen
Cisco Employee
Cisco Employee
In response to fschealth

‎01-31-2018 09:59 AM

I agree that Cisco needs to get it together.   There is an obvious disconnect between the Bug Known Fixed and the PSIRT Known Fixed and the Release Notes Resolved Bugs. 

 

But honestly, it's not the first time. While I love the Bug Search Tool, the data in Bugs frequently isn't as detailed as I would like to see. 

 

HTH,   Tim

 

Please Rate Helpful Posts :)  

 

0 Helpful

fschealth
Level 1
Level 1
In response to Tim Glen

‎01-31-2018 09:51 AM

Thanks for the info Mr. Glen.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents