cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1496
Views
5
Helpful
1
Replies

ASA 5540 and CVE-2018-15388

slonik220393
Level 1
Level 1

Good day.

 

I have an ASA 5540 running 9.1 (7) 21 in the park for connecting remote users via AnyConnect (WebVPN). Since the CVE-2018-15388 vulnerability was recently rolled out, and this piece of hardware last year had EoL, the question arose whether I could somehow avoid this vulnerability or would I constantly have to monitor the CPU load? And yet, what is the latest software version supported by 5540, 9.1 (7) 32?


Thanks in advance for your help.

1 Accepted Solution

Accepted Solutions

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Other than following the advice for the advisory and applying an ACL to block suspicious source IPs or rate-limiting when the CPU spike is detected you have one other option.

 

Although this ASA is offering a Anyconnect service, you could feasibly block certain IP ranges that have been allocated to certain RIRs. Say for example if you know users are never going to USA, Korea, China, Russia then look up the allocations for those countries and block them. Or it may be easy to look at it the other way and determine the list of subnets you wish to permit.

 

Agreed this may be a fairly onerous task but it is one way to partially preemptively mitigate the risk.

 

9.1(7)-32 is the current recommend release for the 5540. It is probably worth considering that it is quite old already and probably has a string of new vulnerabilities against it.

 

cheers,

Seb.

View solution in original post

1 Reply 1

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

Other than following the advice for the advisory and applying an ACL to block suspicious source IPs or rate-limiting when the CPU spike is detected you have one other option.

 

Although this ASA is offering a Anyconnect service, you could feasibly block certain IP ranges that have been allocated to certain RIRs. Say for example if you know users are never going to USA, Korea, China, Russia then look up the allocations for those countries and block them. Or it may be easy to look at it the other way and determine the list of subnets you wish to permit.

 

Agreed this may be a fairly onerous task but it is one way to partially preemptively mitigate the risk.

 

9.1(7)-32 is the current recommend release for the 5540. It is probably worth considering that it is quite old already and probably has a string of new vulnerabilities against it.

 

cheers,

Seb.

Review Cisco Networking for a $25 gift card