Good evening everyone.
The bug I referenced above is high severity, and I happen to have an old end-of-life ASA 5520 that shows on the "Products confirmed not vulnerable" list. My general concern is that I ran the "show asp table socket | i SSL|DTLS" command and got similar output showing that it could be vulnerable.
Just wanted to get someone else's opinion on it. Again, this ASA is end of life and is being decommissioned once we migrate everything it's doing off to the new firewall. Appreciate any info.
# sh ver
Cisco Adaptive Security Appliance Software Version 9.1(7)23
Device Manager Version 7.9(1)
# sh asp table socket | include SSL|DTLS
SSL 001c9728 LISTEN 1**.1**.1**.1**:443 0.0.0.0:*
SSL 001cfe48 LISTEN 1**.1**.2**.2**:443 0.0.0.0:*
DTLS 001d0308 LISTEN 1**.1**.1**.1**:443 0.0.0.0:*
Your ASA 5520 is not vulnerable to this bug.
As noted in the Security Advisory, "This vulnerability applies only to the ASA hardware platforms that use a specific cryptographic driver for SSL and TLS packet decryption and encryption."
The vulnerable products (ASA 5506, 5508 and 5516 series) all have a common cryptographic driver due to their use of a chipset (Cavium Octeon III 7130) unique to that hardware.
Ironically that chipset is intended to make the hardware platforms MORE secure. That is coincidentally why they all use the unique images with the "lfbff" string in the image name indicating digitally signed and verified images.
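The two checks the replies above combine (is the hardware in the family that uses the affected cryptographic driver, and does `show asp table socket` show SSL/DTLS listeners) are easy to get backwards, as the original post shows: listeners alone do not make the 5520 vulnerable. The following is an added example, not Cisco's code or anything from the advisory: a small Python triage helper that parses `show asp table socket` output into records and applies both conditions. The affected-model prefixes (ASA5506/5508/5516) are an assumption carried over from the reply above rather than from the advisory text, and the sample outputs are constructed from the posts with the redacted addresses replaced by RFC 5737 documentation addresses.

```python
"""Triage helper for the SSL/DTLS listener check discussed in the thread.

Added example, not Cisco's code. Parses `show asp table socket` output and
combines it with the hardware-family condition quoted from the advisory.
The affected-model list below is taken from the thread reply, not from the
advisory itself; confirm it against the advisory before relying on it.
"""
import re
from dataclasses import dataclass

# One data line of `show asp table socket`, e.g.
#   SSL 001c9728 LISTEN 198.51.100.1:443 0.0.0.0:*
# Columns: protocol, 8-hex-digit socket handle, state, local, foreign.
# Prompt lines and column headers fail the hex-handle test and are skipped.
SOCKET_LINE = re.compile(
    r"^(?P<proto>[A-Z]+)\s+(?P<handle>[0-9a-fA-F]{8})\s+(?P<state>[A-Z]+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)$"
)

# Hardware families the thread says share the affected cryptographic driver.
# Assumption from the reply above; verify against the advisory.
AFFECTED_MODEL_PREFIXES = ("ASA5506", "ASA5508", "ASA5516")


@dataclass(frozen=True)
class AspSocket:
    proto: str
    handle: str
    state: str
    local: str
    foreign: str


def parse_asp_sockets(output):
    """Return one AspSocket per parseable data line; other lines are ignored."""
    sockets = []
    for raw in output.splitlines():
        m = SOCKET_LINE.match(raw.strip())
        if m:
            sockets.append(AspSocket(**m.groupdict()))
    return sockets


def tls_listeners(sockets):
    """SSL/DTLS sockets in LISTEN state: the condition the thread keys on."""
    return [s for s in sockets if s.proto in ("SSL", "DTLS") and s.state == "LISTEN"]


def tls_sessions(sockets):
    """Established SSL/DTLS sessions (e.g. connected AnyConnect clients)."""
    return [s for s in sockets if s.proto in ("SSL", "DTLS") and s.state == "ESTAB"]


def hardware_in_affected_family(model):
    """True if the model string (e.g. 'ASA5516-X', 'ASA 5520') is in the list."""
    normalized = model.replace(" ", "").replace("-", "").upper()
    return normalized.startswith(AFFECTED_MODEL_PREFIXES)


def triage(model, asp_output):
    """Combine both checks. A listener alone is not enough: the hardware
    family must also be one that uses the affected driver."""
    sockets = parse_asp_sockets(asp_output)
    listeners = tls_listeners(sockets)
    affected_hw = hardware_in_affected_family(model)
    return {
        "model": model,
        "affected_hardware": affected_hw,
        "tls_listeners": len(listeners),
        "tls_sessions": len(tls_sessions(sockets)),
        "exposed": affected_hw and bool(listeners),
    }


# Constructed sample outputs modelled on the two posts in this thread.
ASA5520_OUTPUT = """\
# sh asp table socket | include SSL|DTLS
SSL 001c9728 LISTEN 198.51.100.1:443 0.0.0.0:*
SSL 001cfe48 LISTEN 198.51.100.2:443 0.0.0.0:*
DTLS 001d0308 LISTEN 198.51.100.1:443 0.0.0.0:*
"""

ASA5516_OUTPUT = """\
sec/act/asa5516# sh asp tabl sock | i SSL|DTLS
SSL 000014a8 LISTEN 198.51.100.1:443 0.0.0.0:*
SSL 000032e8 LISTEN 203.0.113.10:443 0.0.0.0:*
DTLS 00112f38 LISTEN 203.0.113.10:443 0.0.0.0:*
SSL 013c3fb8 ESTAB 198.51.100.1:443 203.0.113.77:63877
SSL 0065f498 ESTAB 198.51.100.1:443 203.0.113.77:63881
"""

if __name__ == "__main__":
    for model, out in (("ASA5520", ASA5520_OUTPUT), ("ASA5516-X", ASA5516_OUTPUT)):
        print(triage(model, out))
```

Run against the two samples, the 5520 reports three listeners but `exposed: False` because the hardware check fails, while the 5516-X reports three listeners, two established sessions and `exposed: True`. Paste your own `show asp table socket` output in place of the constructed samples; the parser ignores the prompt line and any header, so the whole terminal capture can be fed in.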
Can anyone please confirm whether this bug also hits ASA Software Version 9.4(4)16 on an ASA 5516-X with FirePOWER services? Because, going by what Cisco says, I don't see any sessions opened in the output below.
We have AnyConnect running on this appliance.
sec/act/asa5516# sh asp tabl sock | i SSL|DTLS
SSL 000014a8 LISTEN 1X.X.X.1:443 0.0.0.0:*
SSL 000032e8 LISTEN X.X.X.X:443 0.0.0.0:*
DTLS 00112f38 LISTEN X.X.X.X:443 0.0.0.0:*
SSL 013c3fb8 ESTAB 1X.X.1.1:443 1X.X.X.X:63877
SSL 0065f498 ESTAB 1X.X.1.1:443 1X.X.X.X:63881
@kumarpadala yes, your platform is affected, given the 9.4(4)16 software version you are running.
I'd recommend you upgrade to one of the "gold star" releases listed here: