Repeated ASA 5510 failed vulnerability scan (OpenSSL error)

We are getting vulnerability scanned by a PCI company and keep getting failures that state "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG".  I've opened two TAC cases and TAC said that this vulnerability was addressed several versions back (we're currently running version 8.2.2 on our 5510 ASA).  TAC made several small changes to attempt to address this issue but we keep failing with the same message.  Has anyone ever failed their scan with this error and if so, what did you do to address this error?

Here is the detailed error:

OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Ciphersuite Change Issue

Synopsis :
The remote host allows resuming SSL sessions.

Description :
The version of OpenSSL on the remote host has been shown to allow resuming a session with a different cipher than was used when the session was initiated. This means that an attacker that sees (e.g. by sniffing) the start of an SSL connection can manipulate the OpenSSL session cache to cause subsequent resumes of that session to use a cipher chosen by the attacker.

See also :
http://openssl.org/news/secadv_20101202.txt

Solution :
Upgrade to OpenSSL 0.9.8q / 1.0.0c or later.

Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Plugin output :
Session ID : 4e4c1b0b13d5e48b5421479419da1c95f8ca01da3f83eed7494f2d254389c9ec
Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

CVE : CVE-2010-4180
BID : 45164
Other references : OSVDB:69565

Thanks,

John
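
The check the scanner is performing can be reproduced independently of the PCI vendor, which is useful both to confirm the finding before opening a TAC case and to verify a fix afterwards. The script below is an added example, not code from this thread, from Cisco or from the scanner vendor. It does what the plugin output above describes: it opens a TLS session offering only one cipher suite, then tries to resume that same session while offering only a different suite. A server that reuses the cached session under the new suite shows the CVE-2010-4180 behaviour; a server that falls back to a full handshake, or aborts the second handshake, does not. Assumptions: Python 3.7+ built against OpenSSL 1.1 or newer, a target reachable on the given host/port, and the two OpenSSL cipher names chosen here to match the suites in the plugin output (0x0035 and 0x000a).

```python
"""Probe a TLS server for the CVE-2010-4180 session-resumption cipher change.

Added example, not from the forum thread, Cisco or Nessus. The host, port and
cipher names are parameters chosen here; the default pair mirrors the Initial
and Resumed ciphers in the scanner output (0x0035 -> 0x000a).
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# OpenSSL names for TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA.
INITIAL_CIPHER = "AES256-SHA"
RESUME_CIPHER = "DES-CBC3-SHA"


@dataclass
class ProbeResult:
    initial_cipher: str
    resumed_cipher: Optional[str]   # None when the second handshake was aborted
    session_reused: bool            # did the server resume our cached session?
    resume_error: Optional[str]     # OpenSSL error text when the server refused


def legacy_client_context() -> ssl.SSLContext:
    """Client context able to talk to an old appliance (TLS 1.0-1.2, self-signed
    certificate). Both handshakes must share ONE context: Python refuses to
    reuse an SSLSession that belongs to a different SSLContext."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1     # ASA 8.2 era: TLS 1.0 only
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.3 resumption differs
    return ctx


def handshake(ctx, host, port, ciphers, session=None, timeout=5.0):
    """One connection offering exactly `ciphers`; returns (suite, reused, session)."""
    # "@SECLEVEL=0" lets a modern OpenSSL client still offer legacy suites
    # (assumes OpenSSL 1.1+; LibreSSL builds do not accept this keyword).
    ctx.set_ciphers(f"{ciphers}:@SECLEVEL=0")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            return tls.cipher()[0], tls.session_reused, tls.session


def probe(host, port=443, initial=INITIAL_CIPHER, resume=RESUME_CIPHER) -> ProbeResult:
    ctx = legacy_client_context()
    first_cipher, _, session = handshake(ctx, host, port, initial)
    try:
        second_cipher, reused, _ = handshake(ctx, host, port, resume, session=session)
    except ssl.SSLError as exc:
        # A patched server aborts (OpenSSL reports "required cipher missing")
        # rather than resume a session under a suite it never negotiated.
        return ProbeResult(first_cipher, None, False, str(exc))
    return ProbeResult(first_cipher, second_cipher, reused, None)


def classify(r: ProbeResult) -> str:
    """Turn a probe into the scanner's verdict."""
    if r.resume_error is not None:
        return "not vulnerable: server refused to resume with a different cipher"
    if r.session_reused and r.resumed_cipher != r.initial_cipher:
        return "VULNERABLE: session resumed with a client-chosen cipher (CVE-2010-4180)"
    if r.session_reused:
        return "not vulnerable: session resumed with its original cipher"
    return "not vulnerable: server fell back to a full handshake"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder address
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe(target, port)
    print(f"Initial Cipher : {result.initial_cipher}")
    print(f"Resumed Cipher : {result.resumed_cipher}")
    print(f"Session reused : {result.session_reused}")
    print(classify(result))
```

Run it against the interface the scanner hit (ASDM/HTTPS or WebVPN). A "VULNERABLE" verdict is exactly the Initial/Resumed cipher pair the plugin printed; "full handshake" or "refused" after an upgrade means the behaviour is gone and a repeat failure from the scanner is worth disputing with the vendor. Because both connections use one context whose cipher list is rewritten between them, the second ClientHello genuinely offers only the alternate suite, which is what makes the reused-session check meaningful.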

2 Replies

mirober2
Cisco Employee

Hi John,

The Cisco bug ID filed to track this vulnerability is CSCtk61443. You can read the details here:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk61443

The vulnerability will be fixed in an upcoming release of 8.2.4.8. Please open up a TAC case to request this image for your ASA.

Hope that helps.

-Mike

Hi Mike,

I seem to be having the same issue. I followed your bug and noticed the bug says it has been fixed in version 8.2(5).

We have an ASA 5520 running Cisco Adaptive Security Appliance Software Version 8.2(5)2, and we conducted a pen test recently and the company picked up this error; see my thread below.

https://supportforums.cisco.com/thread/2206441?tstart=0

Thanks

- Zubair
