How to verify the OpenSSL version on Ironport ESA C390/C395?

hakan.topcu
Beginner

Hello all,

with reference to CVE-2022-0778, how can I verify the OpenSSL version on Cisco ESA Ironport devices, type C390 or C395, running AsyncOS Version 12.5?

I was given the following Bug ID, but I cannot access this resource with my account:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb25775

Further I was recommended to run the command "openssl version" on the Command Line, but this command is unknown on the ESA CLI.

Many thanks in advance

Regards, Hakan

4 Replies

UdupiKrishna
Cisco Employee

That command doesn't work in the regular CLI available to administrators; it's a FreeBSD/Linux command that works only if there's backend/remote access to the device, which is restricted to TAC.

This bug is set to "customer-visible" and you should be able to see it. Try it again.

Just to give you the gist, ESA and SMA are running a version of OpenSSL which is vulnerable to CVE-2022-0778, but the fix is yet to be released.

I would suggest working with TAC or subscribing to the bug to get updates on when the fix will be available.

Many thanks. Actually, I can access the bug now. This was not the case some hours ago.

The bug lists two versions as "known affected": 14.0.0-698 and 13.5.1(Renaissance)-277

We're running 12.5. Are you sure our version is affected?

Where is this documented?

Is there a way to verify the openssl version other than with the linux command?

Thanks in advance / regards, Hakan

14.X.X, being the latest release train, still runs OpenSSL version 1.0.2. Though I haven't necessarily looked into an ESA with 12.5, I am positive it's running a vulnerable version too.

Here's a document confirming the OpenSSL version used on AsyncOS 12 - https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa12-0/AsyncOS_12-0_for_Cisco_Email_Security_Appliances.pdf (search openssl or openssl 1.0.2)

 

I remember trying to tamper with nmap to identify an openssl version, but couldn't figure out a way to identify it on a remote machine.

IIRC it's not purely OpenSSL; Cisco does have their own fork, called CiscoSSL, where they've made some fixes....

I just wish that they'd modularize a few pieces, like this one, so we could swap in a new SSL without having to wait for the whole dev process to get done with it.
