ASA 5520 9.1(7)23 and Bug CSCvp36425

reed_simko
Level 1

Good evening everyone.

The bug I referenced above is high severity, and I happen to have an old end-of-life ASA 5520 that shows on the "Products confirmed not vulnerable" list. My general concern is that I ran the "show asp table socket | i SSL|DTLS" command and got a similar output showing that it could be vulnerable.

 

Just wanted to get someone else's opinion on it. Again, this ASA is end of life and is being decommissioned once we migrate everything it is doing off to the new firewall. I appreciate any info.

 

# sh ver

Cisco Adaptive Security Appliance Software Version 9.1(7)23 

Device Manager Version 7.9(1)

 

# sh asp table socket | include SSL|DTLS

SSL       001c9728  LISTEN     1**.1**.1**.1**:443                           0.0.0.0:*                                    

SSL       001cfe48  LISTEN     1**.1**.2**.2**:443                             0.0.0.0:*                                    

DTLS      001d0308  LISTEN     1**.1**.1**.1**:443                           0.0.0.0:*                                    

4 Replies

Marvin Rhoads
Hall of Fame

Your ASA 5520 is not vulnerable to this bug.

As noted in the Security Advisory, "This vulnerability applies only to the ASA hardware platforms that use a specific cryptographic driver for SSL and TLS packet decryption and encryption."

The vulnerable products (ASA 5506, 5508 and 5516 series) all have a common cryptographic driver due to their use of a chipset (Cavium Octeon III 7130) unique to that hardware.

Ironically that chipset is intended to make the hardware platforms MORE secure. That is coincidentally why they all use the unique images with the "lfbff" string in the image name indicating digitally signed and verified images.
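
The two checks the thread turns on (the original poster's "show asp table socket | i SSL|DTLS" output, and the advisory's hardware-platform condition that Marvin Rhoads quotes) can be separated mechanically. The following script is an added example and not code from the thread or from Cisco: it parses "show version" and the SSL/DTLS socket table, reports what is listening or established, and then decides "affected platform" solely from the hardware model, using the 5506/5508/5516 list given in the reply above. The sample outputs are constructed from the redacted ones posted in the thread (RFC 5737 documentation addresses substituted), and the "Hardware:" line is an assumption about the fuller "show version" output that the post trimmed. The script does not encode which software releases are fixed; that remains the advisory's job.

```python
import re
from typing import Dict, List, NamedTuple

# Hardware families the reply above names as using the affected crypto
# driver. Everything else (including the ASA 5520 in the original post)
# is treated as not affected by this bug regardless of socket state.
AFFECTED_PLATFORMS = ("5506", "5508", "5516")


class Socket(NamedTuple):
    proto: str
    handle: str
    state: str
    local: str
    remote: str


# One row of "show asp table socket": proto, 8-hex handle, state, local, remote
SOCKET_RE = re.compile(
    r"^(?P<proto>SSL|DTLS)\s+(?P<handle>[0-9a-f]{8})\s+(?P<state>[A-Z]+)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)\s*$"
)


def parse_asp_sockets(text: str) -> List[Socket]:
    """Return the SSL/DTLS rows of 'show asp table socket' output; prompt
    lines and anything that is not a socket row are skipped."""
    rows = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m:
            rows.append(Socket(**m.groupdict()))
    return rows


def parse_show_version(text: str) -> Dict[str, str]:
    """Pull the software version and hardware model out of 'show version'."""
    info: Dict[str, str] = {}
    m = re.search(r"Software Version\s+(\S+)", text)
    if m:
        info["version"] = m.group(1)
    m = re.search(r"Hardware:\s+(ASA\d+)", text)  # assumed 'Hardware:' line format
    if m:
        info["model"] = m.group(1)
    return info


def assess(version_text: str, socket_text: str) -> Dict[str, object]:
    """Combine both outputs. The socket table only says whether SSL/DTLS is
    exposed; the platform check is what the advisory condition actually tests."""
    info = parse_show_version(version_text)
    sockets = parse_asp_sockets(socket_text)
    model = info.get("model", "")
    platform_affected = any(model.startswith("ASA" + p) for p in AFFECTED_PLATFORMS)
    return {
        "model": model,
        "version": info.get("version", ""),
        "ssl_dtls_listeners": sum(1 for s in sockets if s.state == "LISTEN"),
        "ssl_dtls_established": sum(1 for s in sockets if s.state == "ESTAB"),
        "platform_affected": platform_affected,
        # Exposed only if the hardware is in scope AND SSL/DTLS is in use.
        "exposed": platform_affected and bool(sockets),
    }


# Constructed sample input modeled on the thread's redacted outputs.
ASA5520_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.1(7)23
Device Manager Version 7.9(1)

Hardware:   ASA5520, 2048 MB RAM
"""
ASA5520_SOCKETS = """\
SSL       001c9728  LISTEN     192.0.2.1:443        0.0.0.0:*
SSL       001cfe48  LISTEN     198.51.100.2:443     0.0.0.0:*
DTLS      001d0308  LISTEN     192.0.2.1:443        0.0.0.0:*
"""
ASA5516_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.4(4)16
Hardware:   ASA5516, 8192 MB RAM
"""
ASA5516_SOCKETS = """\
sec/act/asa5516# sh asp tabl sock | i SSL|DTLS
SSL 000014a8 LISTEN 192.0.2.1:443 0.0.0.0:*
SSL 000032e8 LISTEN 198.51.100.1:443 0.0.0.0:*
DTLS 00112f38 LISTEN 198.51.100.1:443 0.0.0.0:*
SSL 013c3fb8 ESTAB 192.0.2.1:443 203.0.113.10:63877
SSL 0065f498 ESTAB 192.0.2.1:443 203.0.113.10:63881
"""

if __name__ == "__main__":
    for name, ver, sock in (("5520", ASA5520_SHOW_VERSION, ASA5520_SOCKETS),
                            ("5516", ASA5516_SHOW_VERSION, ASA5516_SOCKETS)):
        print(name, assess(ver, sock))
```

Run it against your own captured "show version" and "show asp table socket" output; the point it makes is that the 5520 shows three SSL/DTLS listeners yet is still reported as not affected, while the 5516 is flagged on hardware alone.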

Can anyone please confirm whether this bug also hits ASA Software Version 9.4(4)16 on an ASA 5516-X with FirePOWER services? I ask because I don't see any sessions opened in the output below, based on Cisco's guidance.

We have AnyConnect running on this appliance.

sec/act/asa5516# sh asp tabl sock | i SSL|DTLS
SSL 000014a8 LISTEN 1X.X.X.1:443 0.0.0.0:*
SSL 000032e8 LISTEN X.X.X.X:443 0.0.0.0:*
DTLS 00112f38 LISTEN X.X.X.X:443 0.0.0.0:*
SSL 013c3fb8 ESTAB 1X.X.1.1:443 1X.X.X.X:63877
SSL 0065f498 ESTAB 1X.X.1.1:443 1X.X.X.X:63881

 

@kumarpadala yes your platform is affected given the 9.4(4)16 software version you are running.

I'd recommend you upgrade to one of the "gold star" releases listed here:

https://software.cisco.com/download/home/286285782/type/280775065/release/9.9.2%20Interim

 

Thanks a lot, Marvin, for your quick reply; I appreciate your help on this.