Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2874
Views
0
Helpful
7
Replies

CSCvg97652 - Legacy Cisco ASA 5500 may be vulnerable to a Bleichenbacher attack on TLS

Christian Jorge
Level 1
Level 1

‎12-18-2017 04:08 AM - edited ‎03-20-2019 09:46 PM

Good morning

 

I have an ASA firewall, version 9.1.7 pure.

It's not clear for me, checking de Cisco bug ID:

- this bug only affects 9.1.7(16) release or any 9.1.7.x release?

- does this bug affect ASA asdm/ssh access or only VPN access?
- how can I check in ASA configuration the vulnerability?

Regards

Christian

3 people had this problem
Labels:
0 Helpful
7 Replies 7

Pawel Bajorek
Level 1
Level 1

‎12-19-2017 12:37 AM

You may check this with: https://robotattack.org/#check

 

Pawel

0 Helpful

Christian Jorge
Level 1
Level 1
In response to Pawel Bajorek

‎12-19-2017 03:40 AM

Interesting article, appreciate your help

but I need something more practical and specific to firewall ASA

Regards

Christian

0 Helpful

Pawel Bajorek
Level 1
Level 1
In response to Christian Jorge

‎12-19-2017 03:46 AM

This bug is for VPN accesss

 

You must wait for next interim version or " Configure "ssl encryption" to only allow cipher suites based on Diffie-Hellman key exchange (like "dhe-aes128-sha1" and "dhe-aes256-sha1"). This mitigation may have an impact on interoperability with legacy clients that might not support these ciphers."

 

Paweł

0 Helpful

Solutionary
Level 1
Level 1

‎12-19-2017 09:21 AM - edited ‎12-19-2017 01:29 PM

TAC advised me that anything pre 9.1.7.x can also be considered vulnerable for what that is worth. Also as far as checking your ASA here is how I have done it:

 

Conditions:
- ASA 5505, 5510, 5520, 5540 or 5550 - show version (if you are not sure)

- An SSL trustpoint associated with a 2048-bit RSA key is configured on the ASA. - show crypto ca certificates (this will show you what if any certificates are associated with an ssl trustpoint on your device)
- Cipher suites relying on RSA for key exchange are allowed on the device (default configuration). - 

show ssl (this will show you what ssl ciphers your ASA has enabled)

 

Also keep in mind the following points that Cisco mentioned in the bug report:

 - SSL trustpoints associated with a 1024-bit RSA key are not affected by this issue.
 - ASA models not explicitly mentioned in the Symptom are not affected by this issue.

 

What doesn't make sense to me is that Cisco has listed 9.2(4.25) as a fixed software version, but none of the affected ASA hardware models (ASA 5505, 5510, 5520, 5540 or 5550) can be upgraded to that code. I need to know if and when an interim fix on the 9.1.7 code is going to be released. 

0 Helpful

Christian Jorge
Level 1
Level 1
In response to Solutionary

‎12-20-2017 05:26 AM

Thanks for your help

 

Could someone confirm: Is Any 9.1.7 release or patch so far vulnerable?

This vulnerability only affects truspoints created to be used by VPNs, not affecting ASDM access?

Regards

Christian

0 Helpful

Daragh Oman
Level 1
Level 1
In response to Solutionary

‎01-05-2018 04:05 AM - edited ‎01-05-2018 04:06 AM

Did you find out from Cisco TAC as when the fix ASA code within 9.1.7 train   .. I believe 9.1(7.21) is going to be publicly released and available for download ? 

Thanks,

 

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Daragh Oman

‎01-11-2018 06:54 AM

The new version is now available.

0 Helpful
Customers Also Viewed These Support Documents