Bleichenbacher attack on TLS CSCvg97652

hmc2500
Level 1

Our ASA 5512 with ASA software 9.8(3)8 was found to be vulnerable to the Bleichenbacher's Oracle Threat (ROBOT) vulnerability after scanning. Is there a new fix for this? I thought the fix should already have been applied in this ASA version.

 

If not, is there a workaround for this?

4 Replies

Ben Walters
Level 3

I would have expected the fix to be in 9.8(3)8 too, since the fixed releases for that bug were from Jan 2018 (your code is from Aug 2018):

 

9.2(4.25)
9.1(7.21)
 
There are 2 suggested workarounds from Cisco on this if you want to try them though. 
 
Workaround:
- Enable "crypto engine large-mod-accel" in the ASA configuration. This configuration change might reduce the maximum SSL throughput by up to 50%. This workaround is not available for the ASA 5505.
or
- Configure "ssl encryption" to only allow cipher suites based on Diffie-Hellman key exchange (like "dhe-aes128-sha1" and "dhe-aes256-sha1"). This mitigation may have an impact on interoperability with legacy clients that might not support these ciphers.

 

How do you enable "crypto engine large-mod-accel" exactly?

 

(config)# crypto ?

configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map

exec mode commands/options:
ca Certification authority
(config)# crypto

Accepted Solution

It seems that command was for old versions of hardware only; it won't be available on the X series.

 

The ASA 5500-X platforms already integrate this capability to switch large modulus operations; therefore, crypto engine commands are not applicable on these platforms.

 

I guess the SSL encryption using the DH ciphers may be the only valid workaround, besides seeing if it was fixed in the specified software versions as per the bug notes.
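A worked example of the second workaround, added here as an editor's example and not code from the thread or from Cisco. ROBOT depends on the server RSA-decrypting the ClientKeyExchange, which only happens in suites whose key exchange is RSA key transport (TLS_RSA_* in IANA naming, names with no DHE/ECDHE prefix in OpenSSL naming); the DHE_RSA suites named in the bug notes use the RSA key only to sign the ServerKeyExchange. The script classifies suites by key exchange in both spellings, builds the DHE/ECDHE-only list, renders it as an "ssl cipher ... custom" line, and simulates the legacy-client interoperability impact the bug notes warn about. The cipher lists are constructed, and the "ssl cipher <version> custom" syntax is an assumption about the newer ASA CLI that replaced "ssl encryption"; verify it against the command reference for your release before applying it.

```python
"""Key-exchange classification of TLS cipher suites for the ROBOT workaround.

Added example for this thread, not Cisco code and not run against any ASA.
The ROBOT/Bleichenbacher oracle abuses the server's RSA decryption of the
ClientKeyExchange, which only happens in suites whose key exchange is RSA
key transport (TLS_RSA_* in IANA naming; no DHE/ECDHE prefix in OpenSSL
naming). (EC)DHE_RSA suites use the RSA key only to sign the
ServerKeyExchange, so dropping RSA-key-exchange suites removes the oracle
from the TLS handshake itself.
"""
import re

# Constructed sample of a cipher list an SSL VPN head-end might offer, in
# server preference order. Not taken from the ASA in the thread.
SAMPLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",          # bug notes: dhe-aes256-sha1
    "DHE-RSA-AES128-SHA",          # bug notes: dhe-aes128-sha1
    "AES256-SHA",                  # TLS_RSA_WITH_AES_256_CBC_SHA: RSA key transport
    "AES128-SHA",                  # TLS_RSA_WITH_AES_128_CBC_SHA: RSA key transport
    "DES-CBC3-SHA",                # TLS_RSA_WITH_3DES_EDE_CBC_SHA: RSA key transport
    "TLS_AES_128_GCM_SHA256",      # TLS 1.3: key exchange is always (EC)DHE
]
# Constructed client offers: a legacy client that only speaks RSA key
# transport, and a current client.
LEGACY_CLIENT_OFFER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
MODERN_CLIENT_OFFER = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                       "ECDHE-RSA-AES128-SHA"]

_IANA = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_")


def key_exchange(name):
    """Key-exchange family of a suite given in OpenSSL or IANA spelling.

    Returns 'RSA' (RSA key transport, the ROBOT-relevant case), 'DHE',
    'ECDHE', 'ECDH' (static ECDH), 'ANON', 'PSK', 'TLS13' or 'OTHER'.
    """
    n = name.strip().upper()
    m = _IANA.match(n)
    if m:                                   # IANA form: TLS_<kx>_WITH_<cipher>_<mac>
        kx = m.group("kx")
        if "ANON" in kx:
            return "ANON"
        if "PSK" in kx:
            return "PSK"
        if kx.startswith("ECDHE"):
            return "ECDHE"
        if kx.startswith("DHE"):
            return "DHE"
        if kx.startswith("ECDH"):
            return "ECDH"
        return "RSA" if kx == "RSA" else "OTHER"
    if n.startswith("TLS_"):                # TLS 1.3 names carry no key exchange
        return "TLS13"
    # OpenSSL form: the key exchange, when it is not RSA, is a prefix.
    for prefix, family in (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"),
                           ("AECDH-", "ANON"), ("ADH-", "ANON"), ("ECDH-", "ECDH")):
        if n.startswith(prefix):
            return family
    if "PSK" in n:
        return "PSK"
    return "RSA"                            # AES128-SHA, DES-CBC3-SHA, RC4-SHA, ...


def robot_exposed(ciphers):
    """Suites whose key exchange is RSA key transport, i.e. the oracle's entry point."""
    return [c for c in ciphers if key_exchange(c) == "RSA"]


def without_rsa_key_exchange(ciphers):
    """The DHE/ECDHE-only list the bug notes' second workaround describes."""
    return [c for c in ciphers if key_exchange(c) in ("DHE", "ECDHE", "TLS13")]


def asa_custom_cipher_command(ciphers, version="tlsv1.2"):
    """Render the list as an ASA 'ssl cipher <version> custom "..."' line.

    ASSUMPTION: the 'ssl cipher ... custom' syntax (colon-separated OpenSSL
    names) is what newer ASA releases use in place of 'ssl encryption'.
    Check the command reference for your release before pasting it.
    TLS 1.3 names are dropped: they are not OpenSSL-style and the ASA
    release in the thread does not negotiate TLS 1.3.
    """
    names = [c for c in ciphers if key_exchange(c) != "TLS13"]
    return 'ssl cipher %s custom "%s"' % (version, ":".join(names))


def negotiate(server_ciphers, client_ciphers):
    """Simulate server-preference selection: first server suite the client also offers."""
    offered = {c.upper() for c in client_ciphers}
    for c in server_ciphers:
        if c.upper() in offered:
            return c
    return None


if __name__ == "__main__":
    print("RSA key transport suites:", robot_exposed(SAMPLE_SERVER_CIPHERS))
    hardened = without_rsa_key_exchange(SAMPLE_SERVER_CIPHERS)
    print(asa_custom_cipher_command(hardened))
    for label, offer in (("legacy", LEGACY_CLIENT_OFFER), ("modern", MODERN_CLIENT_OFFER)):
        print("%s client: before=%s after=%s" % (
            label, negotiate(SAMPLE_SERVER_CIPHERS, offer), negotiate(hardened, offer)))
```

Two points worth keeping in mind when applying this. First, on the ASA the ssl cipher/ssl encryption setting is global for the TLS services the appliance terminates (ASDM, clientless WebVPN and AnyConnect SSL), so the legacy-client result above applies to VPN clients as much as to management access. Second, the Bleichenbacher oracle can also be used to compute signatures with the server's private key, so removing RSA key transport takes away the decryption path a scanner tests for but is a mitigation; the fixed release listed in the bug notes remains the actual fix.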

One more question: does changing the ciphers affect VPN clients in any way? Or only management access?
