5460 Views, 0 Helpful, 4 Replies
Beginner

Sweet32 vulnerability workaround on Cisco ASA 5500

I failed the PCI scan this month because of the Sweet32 vulnerability.

Testing SSL server 24.xxx.xxx.130 on port 443

Supported Server Cipher(s):
Accepted TLSv1 112 bits DES-CBC3-SHA

Currently I only have aes256 and 3des-sha1 active for SSL. If I remove 3des-sha1, ASDM is not available.

Any workaround? Thanks

4 Replies
Beginner

I failed the PCI scan with the Sweet32 bug

Here is what I did on my ASA 5516-X to pass the PCI scan for Sweet32. As described in the CVE, the Sweet32 vulnerability affects TLS when a cipher with a small 64-bit block size is used, so I forced the ASA to use stronger ciphers with a larger block size for TLS.

Here is the command I ran to force it:

(config)#ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

The client and the ASA negotiated AES-256 for the AnyConnect connection, and the PCI scan passed.

For ASDM, you might want to see if you can update it on your ASA to get it working with this change.

Let me know if that helped.

Thanks

Younes

Beginner

Thanks for the no-nonsense easy workaround.

Appreciate it.

Thanks

Keith

Beginner

I found that my version of ASDM was using DHE-RSA-AES128-SHA if that was being offered. I am running ASDM version 7.5(2)153.

Removing the DES and 3DES choices but leaving one that is acceptable to ASDM clears the Sweet32 vulnerability. I am sure there are other acceptable versions of ASDM. Wireshark is your friend.
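The two fixes above come down to the same check: find any 64-bit block cipher (DES or 3DES) the server still accepts, then rebuild the ASA `ssl encryption` line without those suites while keeping at least one suite ASDM can negotiate. The script below is an added example, not code from the thread or from Cisco. It parses scanner output in the same "Accepted TLSv1 112 bits DES-CBC3-SHA" shape the original post shows, recognises both OpenSSL-style names (DES-CBC3-SHA) and ASA-style names (3des-sha1), and refuses to emit a hardened line that would leave no suites or drop a suite the caller marks as required. The sample scan output and the 203.0.113.10 address are constructed; the optional `required` argument is this example's own idea, not an ASA feature.

```python
"""Flag Sweet32-affected (64-bit block) cipher suites in scanner output and
rebuild an ASA 'ssl encryption' line without them.
Added example for this thread; sample input below is constructed."""
import re

# Bulk ciphers with a 64-bit block size, as named in ASA and OpenSSL suite strings.
SMALL_BLOCK_CIPHERS = {"des", "3des"}

# Matches scanner lines such as: "Accepted TLSv1 112 bits DES-CBC3-SHA"
SCAN_LINE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.MULTILINE)

# Constructed sample scan output (not a real host); mirrors the post's format.
SAMPLE_SCAN = """Testing SSL server 203.0.113.10 on port 443

Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
"""

# Constructed ASA configuration line in the state the original poster described.
SAMPLE_ASA_LINE = "ssl encryption aes256-sha1 3des-sha1"


def is_small_block_suite(suite: str) -> bool:
    """True if the suite name contains a DES or 3DES token.
    Works for 'DES-CBC3-SHA' (OpenSSL) and '3des-sha1' / 'des-sha1' (ASA)."""
    tokens = re.split(r"[-_]", suite.lower())
    return any(tok in SMALL_BLOCK_CIPHERS for tok in tokens)


def parse_scan(output: str) -> list[tuple[str, int, str]]:
    """Return (protocol, key bits, suite) for every 'Accepted' line."""
    return [(proto, int(bits), suite) for proto, bits, suite in SCAN_LINE.findall(output)]


def flagged_suites(output: str) -> list[str]:
    """Suites from the scan that would trip a Sweet32 finding."""
    return [suite for _, _, suite in parse_scan(output) if is_small_block_suite(suite)]


def harden_asa_line(cmd: str, required: tuple[str, ...] = ()) -> str:
    """Drop DES/3DES suites from an 'ssl encryption ...' line.
    Raises if nothing would remain or if a required suite (e.g. the one your
    ASDM build negotiates) is absent, so the change cannot lock you out."""
    parts = cmd.split()
    if parts[:2] != ["ssl", "encryption"]:
        raise ValueError("expected a line starting with 'ssl encryption'")
    keep = [s for s in parts[2:] if not is_small_block_suite(s)]
    if not keep:
        raise ValueError("no suites would remain; add an AES suite before removing 3DES")
    missing = [s for s in required if s not in keep]
    if missing:
        raise ValueError(f"required suite(s) not present: {', '.join(missing)}")
    return " ".join(parts[:2] + keep)


if __name__ == "__main__":
    print("Sweet32-affected suites offered:", flagged_suites(SAMPLE_SCAN))
    print("Hardened line:", harden_asa_line(SAMPLE_ASA_LINE))
    # dhe-aes128-sha1 is the ASA name for DHE-RSA-AES128-SHA, which the post
    # above reports ASDM 7.5(2)153 negotiating; requiring it is this example's choice.
    print(harden_asa_line("ssl encryption dhe-aes128-sha1 aes256-sha1 3des-sha1",
                          required=("dhe-aes128-sha1",)))
```

Run the script against real scanner output by replacing `SAMPLE_SCAN` with the tool's text; an empty `flagged_suites` result means no 64-bit block suite is still accepted on that port. Keep the `required` tuple set to whatever suite your ASDM build actually negotiates (check with Wireshark, as the post suggests) so the rewrite never strips the one suite management depends on.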
