03-23-2011 06:41 AM - edited 03-11-2019 01:11 PM
We are getting vulnerability scanned by a PCI company and keep getting failures that state "OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG". I've opened two TAC cases and TAC said that this vulnerability was addressed several versions back (we're currently running version 8.2.2 on our 5510 ASA). TAC made several small changes to attempt to address this issue but we keep failing with the same message. Has anyone ever failed their scan with this error and if so, what did you do to address this error?
Here is the detailed error:
OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Ciphersuite Change Issue
Synopsis :
The remote host allows resuming SSL sessions.
Description :
The version of OpenSSL on the remote host has been shown to allow
resuming session with a different cipher than was used when the
session was initiated. This means that an attacker that sees (e.g.
by sniffing) the start of an SSL connection can manipulate the OpenSSL
session cache to cause subsequent resumes of that session to use a
cipher chosen by the attacker.
See also :
http://openssl.org/news/secadv_20101202.txt
Solution :
Upgrade to OpenSSL 0.9.8q / 1.0.0.c or later.
Risk factor :
Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
Plugin output :
Session ID :
4e4c1b0b13d5e48b5421479419da1c95f8ca01da3f83eed7494f2d254389c9ec
Initial Cipher : TLS1_CK_RSA_WITH_AES_256_CBC_SHA (0x0035)
Resumed Cipher : TLS1_CK_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
CVE : CVE-2010-4180
BID : 45164
Other references : OSVDB:69565
Thanks,
John
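The scanner finding above can be reproduced with Python's ssl module against an appliance you administer, which is useful for confirming a fix after an upgrade. This is an added example, not code from the thread, from Cisco or from the scanner vendor: it connects once with one cipher, then tries to resume the same session while offering only a different cipher, exactly the pattern the plugin output shows. The host name, port and OpenSSL cipher names are assumptions, and `classify` is a hypothetical helper.

```python
import socket
import ssl


def classify(initial_cipher, reused, resumed_cipher):
    """Verdict for one probe, mirroring the scanner's logic (hypothetical helper)."""
    if not reused:
        return "ok"            # server did a full handshake instead of resuming
    if resumed_cipher == initial_cipher:
        return "inconclusive"  # resumed, but kept the original cipher
    return "vulnerable"        # resumed with a cipher the session was not created with


def _connect(ctx, host, port, session=None):
    """One TLS connection; returns (session, negotiated cipher name, session_reused)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host, session=session) as tls:
            return tls.session, tls.cipher()[0], tls.session_reused


def check_resumption(host, port=443, first="AES256-SHA", second="AES128-SHA"):
    """Connect with `first`, then resume offering only `second` (assumed cipher names)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # session-ID resumption, as in the finding
    ctx.check_hostname = False                    # appliance certs are often self-signed;
    ctx.verify_mode = ssl.CERT_NONE               # certificate validity is not what we test
    ctx.set_ciphers(first)
    session, initial, _ = _connect(ctx, host, port)
    if session is None:
        return "inconclusive"                     # server handed out no resumable session
    ctx.set_ciphers(second)                       # same context: a session is bound to it
    try:
        _, resumed_cipher, reused = _connect(ctx, host, port, session=session)
    except ssl.SSLError:
        return "inconclusive"                     # server rejected `second` outright
    return classify(initial, reused, resumed_cipher)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "asa.example.internal"  # placeholder host
    print(target, check_resumption(target))
```

Run it before and after loading the fixed image so the scan result is not the only evidence that the resumption behaviour changed.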
04-04-2011 06:16 AM
Hi John,
The Cisco bug ID filed to track this vulnerability is CSCtk61443. You can read the details here:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtk61443
The vulnerability will be fixed in an upcoming release of 8.2.4.8. Please open up a TAC case to request this image for your ASA.
Hope that helps.
-Mike
03-20-2013 05:45 AM
Hi Mike,
I seem to be having the same issue. I followed your bug and noticed it says it has been fixed in version 8.2(5).
We have an ASA 5520 running Cisco Adaptive Security Appliance Software Version 8.2(5)2, and we conducted a pen test recently in which the company picked up this error; see my thread below.
https://supportforums.cisco.com/thread/2206441?tstart=0
Thanks
- Zubair