Outdated OpenSSL package - does ASA have Open SSL ?

Zubair.Sayed_2
Level 1

Hi All,

On one of our firewalls we are hosting an application/service which impacts clients, and we recently conducted a pen test. The external company doing the pen test has advised us that there is a vulnerability relating to OpenSSL. We have checked the server and there is no OpenSSL installed, so the only place where it could be picking this up is on the ASA. Is this correct?

Here is the report from the company that conducted the test:

4.3 Network Security

An outdated OpenSSL package was identified that was vulnerable to a heap corruption bug that may be exploited by an attacker to acquire command execution on the host, or to create denial of service conditions.

Table 7 provides an overview of the risk identified per network assessment category, along with recommendations for resolving the issues identified.

Category: Patch Management
Risk: High
Summary: The OpenSSL package installed on one host was identified as being outdated and subject to a heap corruption bug.
Recommendations: Update the outdated / vulnerable OpenSSL package to the latest stable version.

We have an ASA5520 and running the following version:

Cisco Adaptive Security Appliance Software Version 8.2(5)2

How do we check the OpenSSL on the ASA, and secondly, do we need to update the ASA software version?

Thanks

Zubair

6 Replies

Marcin Latosiewicz
Cisco Employee

Zubair,

Yes, we use parts of OpenSSL, as mentioned in the open source/free license information.

http://www.cisco.com/en/US/docs/security/asa/asa82/license/opensrce.html#wp71205

What is the specific vulnerability that was found?

M.

Marcin,

Thank you for the response.

This is the vulnerability:

"An outdated OpenSSL package was identified that was vulnerable to a heap corruption bug that may be exploited by an attacker to acquire command execution on the host, or to create denial of service conditions."

They suggest we do the following:

"Update the outdated / vulnerable OpenSSL package to the latest stable version"

Thanks

Zubair

Zubair,

We need to know the CVE (like CVE-2012-4659); this is how you can check whether the ASA is affected.

Our PSIRT (cisco.com/go/psirt) publishes advisories and (typically) mentions the CVE.

So you can find, for example:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa

M.


Hello, I am receiving a similar error for ASA 8.2.3. The Open Source license linked above only shows that the license exists, not the version of OpenSSL that goes with a given ASA version. The vulnerability is related to CVE-2008-7270, which apparently is not referenced in the PSIRT database and only as part of a bunch of other alerts. Is there an ASA command to derive the OpenSSL version in use?

- Pete

Pete,

I don't believe we publish anything outside except version 1.0/0.9 etc.

For your particular vulnerability have a look at:

https://tools.cisco.com/bugsearch/bug/CSCtk61443/?referring_site=bugqvinvisibleredir

This is fixed in 8.2.5 and newer.

M.
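The triage path the two replies above describe (scanner finding, then CVE, then vendor bug/advisory, then compare the running ASA image against the first fixed release) can be scripted. The following is an added example written for this thread; it is not Cisco code and the ASA has no command shown here for printing its OpenSSL version. The lookup table is constructed and contains only the one mapping stated in the thread (CVE-2008-7270 -> CSCtk61443, fixed in 8.2(5) and newer); the version parser accepts both the "8.2(5)2" and the dotted "8.2.3" spellings used in the posts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed lookup for this example. The single entry is the mapping given in
# the thread; in practice this table is filled from the vendor PSIRT advisory
# or bug search entry for each CVE the scanner reports.
FIRST_FIXED: Dict[str, Dict[str, str]] = {
    "CVE-2008-7270": {"bug": "CSCtk61443", "fixed_in": "8.2(5)"},
}

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# ASA versions appear as "8.2(5)2" (major.minor(maintenance)interim) or in the
# dotted form "8.2.3"; both parse to the same (major, minor, maintenance, interim).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+))?\s*$")

Version = Tuple[int, int, int, int]


def parse_asa_version(text: str) -> Version:
    """Normalise an ASA version string to a comparable tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint_paren, interim, maint_dot = m.groups()
    maintenance = maint_paren or maint_dot or "0"
    return (int(major), int(minor), int(maintenance), int(interim or "0"))


def extract_cves(finding: str) -> List[str]:
    """Pull CVE identifiers out of a pentest/scanner finding; empty if it names none."""
    return sorted(set(CVE_RE.findall(finding)))


def is_fixed(running: str, first_fixed: str) -> bool:
    """True when the running image is at or past the first fixed release."""
    return parse_asa_version(running) >= parse_asa_version(first_fixed)


def triage(finding: str, running: str) -> List[Dict[str, Optional[str]]]:
    """For each CVE in the finding, report the vendor bug, the first fixed
    release and whether the running image already carries the fix.
    A finding with no CVE yields nothing to check, which is the point made
    in the thread: the CVE is what ties the finding to a vendor advisory."""
    results: List[Dict[str, Optional[str]]] = []
    for cve in extract_cves(finding):
        entry = FIRST_FIXED.get(cve)
        if entry is None:
            results.append({"cve": cve, "bug": None, "fixed_in": None,
                            "status": "no vendor mapping; check PSIRT"})
            continue
        status = "fixed" if is_fixed(running, entry["fixed_in"]) else "affected"
        results.append({"cve": cve, "bug": entry["bug"],
                        "fixed_in": entry["fixed_in"], "status": status})
    return results


if __name__ == "__main__":
    # Constructed finding text modelled on the quoted report, with the CVE
    # Pete later identified appended so the lookup has something to key on.
    finding = ("An outdated OpenSSL package was identified that was vulnerable "
               "to a heap corruption bug (CVE-2008-7270).")
    for asa in ("8.2.3", "8.2(5)2"):
        print(asa, triage(finding, asa))
    # The report as originally quoted carries no CVE, so there is nothing to check.
    print(triage("An outdated OpenSSL package was identified.", "8.2(5)2"))
```

Running it reports 8.2.3 as affected and 8.2(5)2 as fixed for CVE-2008-7270, and returns an empty list for the original CVE-less finding; a CVE the table does not know is flagged for a manual PSIRT lookup rather than guessed at.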

That helps a great deal, we're going to do the 8.2.5 upgrade this week. Thanks for your reply!

- Pete
