cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


192
Views
5
Helpful
4
Replies
Highlighted
Beginner

Bleichenbacher attack on TLS CSCvg97652

Our ASA 5512 with ASA software 9.8(3)8 was found being vulernable with the Bleichenbacher's Oracle Threat (ROBOT) vulnerability after scanning. IS there a new fix for this? I thought the fix should already have been applied in this ASA version. 

 

If not, is there a work around for this?

1 ACCEPTED SOLUTION

Accepted Solutions
Participant

Re: Bleichenbacher attack on TLS CSCvg97652

It seems that command was for old version of hardware only, it won;t be available on the X series. 

 

The ASA 5500-X platforms already integrate this capability to switch large modulus operations; therefore, crypto engine commands are not applicable on these platforms.

 

I guess the SSL encryption using the DH ciphers may be the only valid workaround besides seeing if it was fixed in the specified software versions as per the bug notes.  

4 REPLIES 4
Participant

Re: Bleichenbacher attack on TLS CSCvg97652

I would have expected the fix to be in 9.8(3)8 too since the fixed releases for that bug were from Jan 2018 (your code is from Aug 2018)

 

9.2(4.25)
9.1(7.21)
 
There are 2 suggested workarounds from Cisco on this if you want to try them though. 
 
Workaround:
- Enable "crypto engine large-mod-accel" in the ASA configuration. This configuration change might reduce the maximum SSL throughput by up to 50%. This workaround is not available for the ASA 5505.
or
- Configure "ssl encryption" to only allow cipher suites based on Diffie-Hellman key exchange (like "dhe-aes128-sha1" and "dhe-aes256-sha1"). This mitigation may have an impact on interoperability with legacy clients that might not support these ciphers.
Beginner

Re: Bleichenbacher attack on TLS CSCvg97652

 

How do you Enable "crypto engine large-mod-accel" exactly? 

 

(config)# crypto ?

configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map

exec mode commands/options:
ca Certification authority
(config)# crypto

Participant

Re: Bleichenbacher attack on TLS CSCvg97652

It seems that command was for old version of hardware only, it won;t be available on the X series. 

 

The ASA 5500-X platforms already integrate this capability to switch large modulus operations; therefore, crypto engine commands are not applicable on these platforms.

 

I guess the SSL encryption using the DH ciphers may be the only valid workaround besides seeing if it was fixed in the specified software versions as per the bug notes.  

Beginner

Re: Bleichenbacher attack on TLS CSCvg97652

One more question. does changing the ciphers affect VPN clients in anyway? Or only management access?