08-14-2019 10:27 AM - edited 02-21-2020 09:24 AM
Our ASA 5512 with ASA software 9.8(3)8 was found to be vulnerable to the Bleichenbacher's Oracle Threat (ROBOT) vulnerability after scanning. Is there a new fix for this? I thought the fix should already have been applied in this ASA version.
If not, is there a workaround for this?
08-14-2019 11:53 AM - edited 08-14-2019 11:54 AM
I would have expected the fix to be in 9.8(3)8 too, since the fixed releases for that bug were from Jan 2018 (your code is from Aug 2018).
08-14-2019 12:46 PM - edited 08-14-2019 12:47 PM
How do you enable "crypto engine large-mod-accel" exactly?
(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Certification authority
(config)# crypto
08-14-2019 12:58 PM
It seems that command was for old version of hardware only, it won't be available on the X series.
The ASA 5500-X platforms already integrate this capability to switch large modulus operations; therefore, crypto engine commands are not applicable on these platforms.
I guess the SSL encryption using the DH ciphers may be the only valid workaround besides seeing if it was fixed in the specified software versions as per the bug notes.
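An added example, not part of any post in this thread and not Cisco code: one way to check the DH-cipher workaround mentioned above, by listing which suites in a planned cipher string still use RSA key exchange and then confirming against the device that none is negotiated. It assumes OpenSSL-style suite names; the function names and the sample string are constructed for illustration, and the check only shows whether RSA key exchange is offered, not whether the software fix is present.

```python
import socket
import ssl

# OpenSSL-style name prefixes whose key exchange is not RSA encryption.
# In DHE-RSA / ECDHE-RSA the "RSA" is only the signature (authentication) key.
NON_RSA_KX = ("ECDHE-", "DHE-", "EDH-", "ECDH-", "DH-", "ADH-", "AECDH-",
              "PSK-", "SRP-", "TLS_")  # TLS_ = TLS 1.3 suites, (EC)DHE only

# Constructed sample cipher string (not taken from the thread).
SAMPLE = ("AES256-SHA:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
          "AES128-GCM-SHA256:DES-CBC3-SHA")


def uses_rsa_key_exchange(suite):
    """True if the suite name has no key-exchange prefix, i.e. RSA key exchange."""
    return not suite.upper().startswith(NON_RSA_KX)


def rsa_kx_suites(cipher_string):
    """Return the suites in a colon-separated list that keep RSA key exchange."""
    names = [n.strip() for n in cipher_string.split(":") if n.strip()]
    return [n for n in names if uses_rsa_key_exchange(n)]


def negotiated_rsa_kx_suite(host, port=443, timeout=5.0):
    """Offer only RSA key-exchange suites; return the one accepted, or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # cipher check only, certificate is not judged
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 has no RSA key exchange
    ctx.set_ciphers("kRSA")  # OpenSSL selector for RSA key-exchange suites
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
        except (ssl.SSLError, ConnectionResetError):
            return None  # handshake refused: no RSA key-exchange suite accepted


if __name__ == "__main__":
    print("Still RSA key exchange:", rsa_kx_suites(SAMPLE))
    # Run against a device you administer, e.g.:
    # print(negotiated_rsa_kx_suite("asa.example.internal"))  # placeholder host
```

A return value of `None` from `negotiated_rsa_kx_suite` means the device refused every RSA key-exchange suite, which is the state the workaround aims for.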
08-15-2019 12:56 PM
One more question. Does changing the ciphers affect VPN clients in any way? Or only management access?