How to verify the OpenSSL version on Ironport ESA C390/C395?

hakan.topcu
Level 1

Hello all,

with reference to CVE-2022-0778, how can I verify the openssl version on Cisco ESA Ironport devices, type C390 or C395, running AsyncOS Version 12.5?

I was given the following Bug ID, but I cannot access this resource with my account:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb25775

Further I was recommended to run the command "openssl version" on the Command Line, but this command is unknown on the ESA CLI.

Many thanks in advance

Regards, Hakan

4 Replies

UdupiKrishna
Cisco Employee

That command doesn't work in the regular CLI available to administrators; it's a FreeBSD/Linux command that works if there's backend/remote access to the device, which is restricted to TAC only.

This bug is set to "customer-visible" and you should be able to see it. Try it again.

Just to give you a gist, ESA and SMA are running a version of OpenSSL which is vulnerable to CVE-2022-0778, but the fix is yet to be released.

I would suggest working with TAC or subscribing to the bug to get updates on when the fix would be available.

Many thanks. Actually, I can access the Bug now. This was not the case some hours ago.

The bug lists two versions as "known affected": 14.0.0-698 and 13.5.1(Renaissance)-277

We're running 12.5. Are you sure our version is affected?

Where is this documented?

Is there a way to verify the openssl version other than with the linux command?

Thanks in advance / regards, Hakan
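Added example, not from this thread or from Cisco: since there is no admin-CLI way to print the OpenSSL version, the practical check from the admin side is to read the AsyncOS version the appliance reports and compare it against the "known affected" entries quoted from the bug above. The script parses AsyncOS version strings in the formats seen in this thread (`14.0.0-698`, `13.5.1(Renaissance)-277`), strips the codename so only the numeric parts are compared, and pulls the version out of a `Version:` line. The sample CLI output and the build number `12.5.0-066` are constructed for illustration; the exact layout of the ESA `version` command output is an assumption.

```python
import re
from typing import NamedTuple, Optional

# Versions the bug search entry lists as "known affected", as quoted in this thread.
# Only these are matched; a release missing from this list is reported as
# "not listed", which is not the same as "not affected".
KNOWN_AFFECTED = ("14.0.0-698", "13.5.1(Renaissance)-277")

# Constructed sample of what an ESA `version` command might print (layout assumed).
SAMPLE_CLI_OUTPUT = """\
Current Version
===============
Model: C390
Version: 12.5.0-066
"""


class AsyncOSVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int
    codename: Optional[str]

    def numeric(self):
        # Tuple used for comparison; the codename is cosmetic and ignored.
        return (self.major, self.minor, self.patch, self.build)


# major.minor[.patch][(Codename)][-build]
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:\((?P<codename>[^)]*)\))?"
    r"(?:-(?P<build>\d+))?$"
)


def parse_asyncos_version(text: str) -> AsyncOSVersion:
    """Parse an AsyncOS version string; missing patch/build default to 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised AsyncOS version string: {text!r}")
    return AsyncOSVersion(
        major=int(m["major"]),
        minor=int(m["minor"]),
        patch=int(m["patch"] or 0),
        build=int(m["build"] or 0),
        codename=m["codename"],
    )


def extract_version_from_cli(output: str) -> str:
    """Return the value of the first 'Version:' line in captured CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "version":
            return value.strip()
    raise ValueError("no 'Version:' line found in CLI output")


def assess(running: str, affected=KNOWN_AFFECTED) -> dict:
    """Compare a running version against the listed affected versions."""
    r = parse_asyncos_version(running)
    matches = [a for a in affected
               if parse_asyncos_version(a).numeric() == r.numeric()]
    return {
        "running": r,
        "listed_affected": bool(matches),
        "matches": matches,
        # Absence from the list is not a clean bill of health: the thread says
        # every current train ships OpenSSL 1.0.2, so treat "not listed" as
        # unverified and confirm with the vendor/TAC rather than as safe.
        "status": "listed as affected" if matches else "not listed; unverified",
    }


if __name__ == "__main__":
    running = extract_version_from_cli(SAMPLE_CLI_OUTPUT)
    print(assess(running))
```

Run it against the output of the appliance's own `version` command (saved from the admin CLI) to get a fleet-wide inventory of which boxes match the bug's listed builds; the "unverified" status is deliberate so that a release that is merely absent from the list is not reported as unaffected.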

14.X.X, being the latest release train, still runs openssl version 1.0.2. Though I haven't necessarily looked into an ESA with 12.5, I am positive it's running a vulnerable version too.

Here's a document confirming the OpenSSL version used on AsyncOS 12 - https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa12-0/AsyncOS_12-0_for_Cisco_Email_Security_Appliances.pdf (search for "openssl" or "openssl 1.0.2")

I remember trying to tamper with nmap to identify an openssl version, but couldn't figure out a way to identify it on a remote machine.

IIRC it's not purely OpenSSL; Cisco has their own fork, called CiscoSSL, where they've made some fixes...

I just wish that they'd modularize a few pieces, like this one, so we could swap in a new SSL without having to wait for the whole dev process to get done with it.