Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
893
Views
0
Helpful
8
Replies

firewall

pitchaimani.kamal
Level 1
Level 1

‎05-24-2016 12:56 AM - edited ‎03-12-2019 12:47 AM

Hi Guys,

  It seems there is a openssl Vulnerability for ASA. How to patch it, for ASA version 9.4.1 and is there any software update for it.

Regards,

G.Pitchaimani

Labels:
0 Helpful
8 Replies 8

Rishabh Seth
Level 7
Level 7

‎05-24-2016 02:09 AM

Hi, 

Could you please share the CVE id of the vulnerability which you are trying to patch.

Thanks,

RS

0 Helpful

pitchaimani.kamal
Level 1
Level 1
In response to Rishabh Seth

‎05-24-2016 03:00 AM

Hi,

The CVE id for 6 vulnerabilities listed below,
First,four of them may cause memory corruption or excessive memory usage, 2nd one, could allow a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI, and, 3rd one, is specific to a product performing an operation with Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.
CVE-2016-2105
CVE-2016-2106
CVE-2016-2107
CVE-2016-2108
CVE-2016-2109
CVE-2016-2176
Kindly, tell me how to patch it in the cisco ASA 5585 with the OS of 9.4.1
Regards,
G.Pitchaimani
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to pitchaimani.kamal

‎05-24-2016 06:53 AM

Hi,

Cisco ASA running release 9.0 or later may be affected by the following vulnerabilities.

Exposure is not configuration dependent.

Padding oracle in AES-NI CBC MAC check CVE-2016-2107

Memory corruption in the ASN.1 encoder CVE-2016-2108

ASN.1 BIO excessive memory allocation CVE-2016-2109

The ASA is not affected by the following vulnerabilities:

EVP_EncodeUpdate overflow CVE-2016-2105

EVP_EncryptUpdate overflow CVE-2016-2106

EBCDIC overread CVE-2016-2176

So while the ASA is not affected by the last 3, it may be affected by the first 3. There is no fixed version available yet but its being tracked via a Sev2 defect, so we should have the fix soon:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz52474/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

pitchaimani.kamal
Level 1
Level 1
In response to Aditya Ganjoo

‎05-26-2016 06:09 AM

Hi, Ok. So, when shall i expect the updates for these vulnerabilities Regards, G.Pitchaimani
0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to pitchaimani.kamal

‎05-26-2016 06:34 AM

Hi,

This being a Severity 2 bug expect a fix soon on this.

Apologies but I do not have an exact ETA for this.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

pitchaimani.kamal
Level 1
Level 1
In response to Aditya Ganjoo

‎06-01-2016 12:24 AM

Hi,

  Is there any patch came for these vulnerabilities.

Regards,

G.Pitchaimani

0 Helpful

pitchaimani.kamal
Level 1
Level 1
In response to pitchaimani.kamal

‎06-13-2016 10:21 AM

Hi, 

  Is there any update on OpenSSL vulnerabilities. Is there any patch available for OpenSSL Vulnerabilities.

Regards,

G.Pitchaimani

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to pitchaimani.kamal

‎06-13-2016 05:44 PM

Hi,

The bug has been resolved and the fixed versions are listed in the bug details.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz52474/?reffering_site=dumpcr

You can upgrade to the fixed versions to overcome this bug impact.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card