Is there a workaround for the Sweet32 vulnerability on Cisco ESA?

Hello Team,

 

Last week we did a vulnerability scan and it showed us one vulnerability on Cisco ESA with firmware 10.0.1 (the vulnerability is "Sweet32").

 

I am researching a workaround, and I have found a bug: “CSCvb48533, known affected release 10.5.0, and an upgrade to version 11.0 is required".

 

As my version is 10.0.1, is it affected by the bug? Or does it only affect the version 10.5.0?

 

Please, could you tell us any workaround?

In the meantime, I'm still looking.

 

Thank you.

Best Regards, 

 


8 Replies

Libin Varghese (Cisco Employee)

Can you share the CVE number listed on the vulnerability report?

 

- Libin V

A quick google turned up CVE-2016-2183

That should be the below then:

 

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb05563/?reffering_site=dumpcr

 

This vulnerability is specific to the DES and 3DES cipher suites, which can be disabled in all supported AsyncOS versions. To do this, simply add the following to all cipher specification in the 'sslconfig' command:

:-DES:-3DES

And another quick Google search turned up that Sweet32 is an attack that specifically targets the TripleDES ciphers. 

 

Just turn those off. To do that add ":!3DES" to your cipher strings.

 

Hello Team,

 

 

Thank you all for your time and help.

I am going to try your solution.

 

 

Thank you.

Best Regards, 

Hello Team,

 

 

I think that I have done it.

But I have another question about this.

As you can see:

Inbound SMTP ciphers:
RC4-SHA
RC4-MD5
!3DES
ALL
-aNULL
-EXPORT

 

3DES, aNULL and EXPORT aren't used. But do these negations have priority over "use ALL"? Would this be enough?

 

Thank you.

Best Regards, 

The cipher string determines which ciphers are tried, and in what order, to build an encrypted connection.

 

Your string:  RC4-SHA:RC4-MD5:!3DES:ALL:-aNULL:-EXPORT

 

does this: 

add RC4-SHA

add RC4-MD5

REMOVE and don't allow 3DES to be added ever (that's what the ! does)

add ALL ciphers (including really crappy ones)

remove all NULL ciphers

remove Export strength ciphers.

 

This means that it tries the RC4 ciphers first... and they're as broken as the 3DES that your vulnerability scan complained about.

 

New ESAs are shipping with something like this:

MEDIUM:HIGH:!RC4:!aNULL:!MD:!DSS:!EXPORT:@STRENGTH

 

eg:

Add medium strength ciphers (added so those that are NOT keeping up can still send some sort of encrypted mail)

Add high strength ciphers

remove all RC4, NULL, MD5, DSS and EXPORT strength ciphers, don't let them get re-added

sort by strength (so stronger ciphers are tried first)

In your case, you can add the !3DES

 

eg.

MEDIUM:HIGH:!RC4:!aNULL:!MD:!DSS:!EXPORT:!3DES:@STRENGTH

 

Here are some reference docs:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117855-technote-esa-00.html

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/210533-SSL-Cipher-Strength-Details.html

https://www.openssl.org/docs/man1.0.2/apps/ciphers.html
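As an added illustration (my own code, not from the thread, Cisco or OpenSSL), here is a small Python model of how OpenSSL walks a cipher string, run over a constructed table of nine suites, so the difference between "-", "!", ALL and @STRENGTH described above, and the question of whether a negation before ALL sticks, can be seen directly. The "!MD" in the shipping string is written as the OpenSSL alias "!MD5" here, which is an assumption; on a real host the check is `openssl ciphers -v '<string>'`.

```python
# Constructed, simplified model of OpenSSL cipher-string evaluation (not OpenSSL itself).
# Abbreviated suite table: name -> (aliases the suite matches, key bits). Constructed data;
# 3DES is placed in MEDIUM, as OpenSSL reclassified it after Sweet32.
CIPHERS = {
    "AES256-SHA":         ({"RSA", "AES", "SHA1", "HIGH"}, 256),
    "DHE-DSS-AES128-SHA": ({"DSS", "AES", "SHA1", "HIGH"}, 128),
    "AES128-SHA":         ({"RSA", "AES", "SHA1", "HIGH"}, 128),
    "ADH-AES128-SHA":     ({"aNULL", "AES", "SHA1", "HIGH"}, 128),
    "DES-CBC3-SHA":       ({"RSA", "3DES", "SHA1", "MEDIUM"}, 112),
    "RC4-SHA":            ({"RSA", "RC4", "SHA1", "MEDIUM"}, 128),
    "RC4-MD5":            ({"RSA", "RC4", "MD5", "MEDIUM"}, 128),
    "EXP-DES-CBC-SHA":    ({"RSA", "DES", "SHA1", "EXPORT"}, 40),
    "NULL-SHA":           ({"RSA", "eNULL", "SHA1"}, 0),
}

def matches(token, name, props):
    """A token matches a suite by exact name or by alias; ALL is everything except eNULL."""
    if token == "ALL":
        return "eNULL" not in props
    return token == name or token in props

def resolve(spec):
    """Return the ordered list of suites enabled by a colon-separated cipher string."""
    selected = []   # suites currently enabled, in the order they will be offered
    killed = set()  # suites hit by '!': removed now and never re-added by a later token
    for token in spec.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":  # stable sort, strongest first; ties keep their order
            selected.sort(key=lambda n: -CIPHERS[n][1])
            continue
        op, name = (token[0], token[1:]) if token[0] in "-!" else ("", token)
        hits = [c for c, (props, _) in CIPHERS.items() if matches(name, c, props)]
        if op == "!":
            killed.update(hits)
        if op in ("-", "!"):  # '-' only removes what is enabled now; ALL can re-add it later
            selected = [c for c in selected if c not in hits]
        else:  # plain add: append at the end unless already present or killed
            selected += [c for c in hits if c not in selected and c not in killed]
    return selected

OP_STRING = "RC4-SHA:RC4-MD5:!3DES:ALL:-aNULL:-EXPORT"
NEW_STRING = "MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!3DES:@STRENGTH"

if __name__ == "__main__":
    for s in (OP_STRING, NEW_STRING, "-3DES:ALL", "!3DES:ALL", "ALL:-3DES"):
        print(f"{s}\n  -> {resolve(s)}")
```

Running it shows the RC4 suites at the head of the poster's list, and that "-3DES" placed before ALL is undone by ALL while "!3DES" is not.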

 

Thanks Ken,

 

 

I have understood the solution.

I am going to study adding !RC4:!MD:!DSS:!EXPORT.

 

Thank you.

Best Regards,