03-20-2013 05:35 AM - edited 03-11-2019 06:16 PM
Hi All,
On one of our firewalls we are hosting an application/service which impacts clients, and we recently conducted a pen test. The external company doing the pen test has advised us that there is a vulnerability relating to OpenSSL. We have checked the server and there is no OpenSSL installed, so the only place where it could be picking this up is on the ASA. Is this correct?
Here is the report from the company that conducted the test:
4.3 Network Security
An outdated OpenSSL package was identified that was vulnerable to a heap corruption bug that may be exploited by an attacker to acquire command execution on the host, or to create denial of service conditions.
Table 7 provides an overview of the risk identified per network assessment category, along with recommendations for resolving the issues identified.
Category | Risk | Summary | Recommendations
Patch Management | High | The OpenSSL package installed on one host was identified as being outdated and subject to a heap corruption bug. | Update the outdated / vulnerable OpenSSL package to the latest stable version.
We have an ASA5520 and running the following version:
Cisco Adaptive Security Appliance Software Version 8.2(5)2
How do we check the OpenSSL on the ASA, and secondly, do we need to update the ASA software version?
Thanks
Zubair
03-20-2013 06:28 AM
Zubair,
Yes, we use parts of OpenSSL, as mentioned in the open source/free license information:
http://www.cisco.com/en/US/docs/security/asa/asa82/license/opensrce.html#wp71205
What is the specific vulnerability that was found?
M.
03-20-2013 06:32 AM
Marcin,
Thank you for the response.
This is the vulnerability:
"An outdated OpenSSL package was identified that was vulnerable to a heap corruption bug that may be exploited by an attacker to acquire command execution on the host, or to create denial of service conditions."
They suggest we do the following:
"Update the outdated / vulnerable OpenSSL package to the latest stable version"
Thanks
Zubair
03-20-2013 06:47 AM
Zubair,
We need to know the CVE (like CVE-2012-4659); this is how you can check whether the ASA is affected.
Our PSIRT (cisco.com/go/psirt) publishes advisories and (typically) mentions the CVE.
So you can find, for example:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20121010-asa
M.
01-07-2015 10:26 AM
Hello, I am receiving a similar error for ASA 8.2.3. The Open Source license linked above only shows that the license exists, not the version of OpenSSL that goes with a given ASA version. The vulnerability is related to CVE-2008-7270, which apparently is not referenced in the PSIRT database on its own, only as part of a bunch of other alerts. Is there an ASA command to derive the OpenSSL version in use?
- Pete
01-07-2015 10:55 AM
Pete,
I don't believe we publish anything outside except the version (1.0/0.9, etc.).
For your particular vulnerability have a look at:
https://tools.cisco.com/bugsearch/bug/CSCtk61443/?referring_site=bugqvinvisibleredir
This is fixed in 8.2.5 and newer.
M.
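An added example, not part of this thread or any Cisco tool: a small Python helper that pulls the release string out of `show version` output (the 8.2(5)2 form quoted above), also accepts the dotted form that bug-search pages use (8.2.5), and checks the running release against the first fixed release in the same train. The sample output line and the 8.2(5) fix entry for CSCtk61443 come from this thread; the function names and the fix list structure are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: the 'show version' line quoted in the thread.
SHOW_VERSION_OUTPUT = "Cisco Adaptive Security Appliance Software Version 8.2(5)2\n"

# First fixed release per train, as the thread states for CSCtk61443
# (CVE-2008-7270): fixed in 8.2(5) and newer. Hypothetical list, not a Cisco feed.
FIRST_FIXED_CSCTK61443 = ["8.2(5)"]


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Parse an ASA release into (major, minor, maintenance, interim).

    Accepts the 'show version' form 8.2(5)2 and the dotted form 8.2.5 that
    bug-search pages use; a missing maintenance or interim field counts as 0.
    """
    m = re.fullmatch(
        r"(\d+)\.(\d+)(?:\((\d+)\)(\d+)?|\.(\d+)(?:\.(\d+))?)?", text.strip()
    )
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    major, minor, maint_p, interim_p, maint_d, interim_d = m.groups()
    maint = maint_p or maint_d or "0"
    interim = interim_p or interim_d or "0"
    return int(major), int(minor), int(maint), int(interim)


def version_from_show_version(output: str) -> str:
    """Pull the release string out of 'show version' output."""
    m = re.search(r"Software Version\s+(\S+)", output)
    if not m:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


def assess(running: str, first_fixed: List[str]) -> str:
    """Return 'fixed', 'vulnerable', or 'unknown' (no fixed release for this train).

    Fixes are listed per train (major.minor), so only compare against the entry
    whose train matches; a release from another train says nothing by itself.
    """
    r = parse_asa_version(running)
    for candidate in first_fixed:
        f = parse_asa_version(candidate)
        if f[:2] == r[:2]:
            return "fixed" if r >= f else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    running = version_from_show_version(SHOW_VERSION_OUTPUT)
    print(running, "->", assess(running, FIRST_FIXED_CSCTK61443))  # 8.2(5)2 -> fixed
```

Pete's 8.2.3 above assesses as vulnerable against this list, while a release from a different train (say 8.4(1)) comes back as unknown rather than being guessed at.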
01-07-2015 11:16 AM
That helps a great deal, we're going to do the 8.2.5 upgrade this week. Thanks for your reply!
- Pete