With reference to CVE-2022-0778, how can I verify the openssl version on Cisco ESA Ironport devices, type C390 or C395, running AsyncOS Version 12.5.?
I was given the following Bug ID, but I cannot access this resource with my account:
Further, I was recommended to run the command "openssl version" on the Command Line, but this command is unknown on the ESA CLI.
Many thanks in advance
That command doesn't work in the regular CLI available to administrators; it's a FreeBSD/Linux command that works if there's backend/remote access to the device, which is restricted to TAC only.
This bug is set to "customer-visible" and you should be able to see it. Try it again.
Just to give you a gist, ESA and SMA are running a version of OpenSSL which is vulnerable to CVE-2022-0778, but the fix is yet to be released.
I would suggest working with TAC or subscribe to the bug to get updates on when the fix would be available.
Many thanks. Actually, I can access the Bug now. This was not the case some hours before.
The bug lists two versions as "known affected": 14.0.0-698 and 13.5.1(Renaissance)-277
We're running 12.5. Are you sure our version is affected?
Where is this documented?
Is there a way to verify the openssl version other than with the linux command?
Thanks in advance / regards, Hakan
14.X.X being the latest release train, still runs openssl version 1.0.2. Though I haven't necessarily looked into an ESA with 12.5, I am positive it's running a vulnerable version too.
Here's a document confirming the OpenSSL version used on AsyncOS 12 - https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa12-0/AsyncOS_12-0_for_Cisco_Email_Security_Appliances.pdf (search openssl or openssl 1.0.2)
I remember trying to tamper with nmap to identify an openssl version, but couldn't figure out a way to identify it on a remote machine.
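For hosts where `openssl version` can be run (not the ESA administrator CLI, as noted in the thread), the following added example, which is not from any poster or from Cisco, classifies the banner against the first fixed releases in the OpenSSL advisory for CVE-2022-0778 (1.0.2zd, 1.1.1n, 3.0.2). The sample banners are constructed, and because vendors may backport fixes without changing the version string, the result is an indicator only.

```python
import re

# First fixed release per affected branch (OpenSSL advisory for CVE-2022-0778).
FIXED = {"1.0.2": "zd", "1.1.1": "n", "3.0": "2"}

BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_rank(suffix):
    """Order 1.x patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ..."""
    return (len(suffix), suffix)


def classify(banner):
    """Return 'vulnerable', 'fixed', 'unassessed' or 'unknown' for a banner string."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"  # not an `openssl version` banner
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)  # e.g. 'k' in '1.0.2k-fips'

    if major >= 3:
        # 3.x dropped patch letters; the third number is the patch level.
        branch = f"{major}.{minor}"
        if branch not in FIXED:
            return "unassessed"
        return "fixed" if fix >= int(FIXED[branch]) else "vulnerable"

    branch = f"{major}.{minor}.{fix}"
    if branch not in FIXED:
        return "unassessed"  # branch not listed in the advisory
    if letter_rank(letters) >= letter_rank(FIXED[branch]):
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any appliance.
    for line in (
        "OpenSSL 1.0.2u  20 Dec 2019",
        "OpenSSL 1.0.2k-fips  26 Jan 2017",
        "OpenSSL 1.0.2zd  15 Mar 2022",
        "OpenSSL 1.1.1n  15 Mar 2022",
        "OpenSSL 3.0.1 14 Dec 2021",
    ):
        print(f"{line!r}: {classify(line)}")
```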