1671 Views | 15 Helpful | 3 Replies

CSCvp80474 - OpenSSL vulnerability CVE-2019-1559 on SFOS

aswit
Level 1

I can no longer trust Cisco to make any effort to patch their products for security vulnerabilities. CSCvp80474 has already been patched on the older ASA model that we were prepared to buy until Cisco sold us on these new "Firepower" devices. I currently have 3 open tickets: one about not being able to apply a CA-signed security certificate to the web interface, another about a NAT rule corruption issue (which was partially solved by downgrading to 6.4), and now one about an OpenSSL vulnerability that allows decrypting the SSL VPN traffic. The solution given by Cisco TAC for all of these issues is that they are fixed or expected to be fixed in version 6.7, and when I ask when 6.7 will be released I only get "Unfortunately we do not have any ETA for 6.7 as of now". Given that I have no control over the virtual ASA appliance, I can't disable the vulnerable cipher suites. We are just ignored and nobody at Cisco seems to care!

 

Given that Cisco also seems to have a bad habit of hard-coding credentials (https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200102-dcnm-auth-bypass from 6 days ago), I can't imagine what hidden vulnerabilities exist in this product.

3 Replies

Leo Laohoo
Hall of Fame
And what's the question?

I guess the question is: is it just normal for Cisco to ignore SSL errors on their appliances now?

 

I have also noticed that even on the most recent version of FTD it won't accept any SSL certificate other than the built-in self-signed certificate.

aswit
Level 1

I hate to post a message on such an old topic, but I just wanted to let the community know how GLAD I was to have switched from FTD to ASA. I recently had the opportunity to return a faulty NGFW, so before I packaged it up I installed the latest starred release, 6.6.4, and you still cannot install your own SSL certificate... And it's the same error: SSP Server Unavailable.

[attachment: FTD_SSL_Cert_Fail2021.PNG]