ASA firewall 5500 issue

moreamol13
Level 1

We have received the following penetration-test vulnerabilities for our Cisco ASA Firewall 5500 (S/N: JM164940Q0):

Vulnerability 1: Multiple issues related to SSL certificates were identified on the hosts mentioned below:

• SSL Version 3 Protocol Detection
• SSL Self-Signed Certificate
• SSL Weak Cipher Suites Supported
• POODLE attack is possible

Risk/Severity: Medium

Recommendation by vendor for closure of vulnerabilities:

1. Disable SSL 2.0/3.0 and use TLS 1.0 or higher instead.
2. Purchase or generate a proper certificate for this service.
3. Securely distribute and install the self-signed certificate to valid users' browsers, or if possible prefer to use a certificate signed by a trusted authority.

Vulnerability 2: Multiple issues related to SSH were identified on the hosts mentioned below:

1. SSH Server CBC Mode Ciphers Enabled
2. SSH Protocol version 1.x is running on the remote server

Risk/Severity: Medium

Recommendation by vendor for closure of vulnerabilities: Contact the vendor or consult product documentation to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption.

3 Replies

moreamol13
Level 1

Please tell me the solution for this, it's very urgent.

You are running a legacy (non-X) ASA? Then you are quite limited in what you can do.

  1. Upgrade to the latest ASA software.
  2. Disable SSHv2 and do some baseline security. But there is nothing to disable CBC.
  3. For TLS: disable SSL and allow only strong ciphers:
     ssl server-version tlsv1-only
     ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1

With a newer ASA (X models) there are some more options available.

> Please tell me the solution for this, it's very urgent.

This is a community-based forum where people help in their free time. If it's really urgent, you should open a TAC case.
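A configuration check for the items in this thread, added here as an example and not code from the thread or from Cisco: it reads an ASA running-config excerpt and reports which of the scanner's protocol and cipher findings are still open (the self-signed certificate item cannot be judged from these lines). The cipher names, the `any` default for `ssl server-version`, and the `ssh cipher encryption` command on newer releases are assumptions on my part; both config excerpts are constructed.

```python
import re
from typing import Dict

# Constructed running-config excerpts (not taken from the thread): the scanner's
# starting state on a legacy ASA, and the state after the fixes discussed above.
LEGACY_CONFIG = """\
ssl server-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssh timeout 5
"""
HARDENED_CONFIG = """\
ssl server-version tlsv1-only
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
ssh version 2
ssh cipher encryption custom "aes128-ctr:aes192-ctr:aes256-ctr"
"""

# Suite names as the ASA CLI spells them; RC4, DES/3DES and NULL are the weak ones.
WEAK_TLS_CIPHERS = {"rc4-sha1", "rc4-md5", "des-sha1", "3des-sha1", "null-sha1"}
# server-version settings that still let a client negotiate SSLv3 (POODLE);
# "any" is assumed to be what the ASA applies when the line is absent.
SSLV3_ALLOWING = {"any", "sslv3", "sslv3-only"}


def audit_asa_config(config: str) -> Dict[str, str]:
    """Return {finding_id: reason} for the protocol/cipher items; empty means closed."""
    server_version, tls_ciphers, ssh_version, ssh_ciphers = "any", None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ssl server-version "):
            server_version = line.split()[2]
        elif line.startswith("ssl encryption "):
            tls_ciphers = line.split()[2:]
        elif re.fullmatch(r"ssh version [12]", line):
            ssh_version = line.split()[2]
        elif line.startswith("ssh cipher encryption "):
            ssh_ciphers = line
    findings: Dict[str, str] = {}
    if server_version in SSLV3_ALLOWING:
        findings["sslv3"] = f"'ssl server-version {server_version}' still offers SSLv3; set tlsv1-only"
    if tls_ciphers is None:
        findings["weak-tls-cipher"] = "no 'ssl encryption' line: default suite list applies (rc4-sha1 on older releases)"
    elif any(c in WEAK_TLS_CIPHERS for c in tls_ciphers):
        findings["weak-tls-cipher"] = "weak suites in 'ssl encryption': " + ", ".join(c for c in tls_ciphers if c in WEAK_TLS_CIPHERS)
    if ssh_version != "2":
        findings["sshv1"] = "no 'ssh version 2' line: SSH protocol 1 remains negotiable"
    if ssh_ciphers is None or "cbc" in ssh_ciphers:
        findings["ssh-cbc"] = "CBC SSH ciphers not excluded; needs a CTR-only 'ssh cipher encryption' list (newer releases only)"
    return findings
```

Run it against a `show running-config` capture taken before and after the change to confirm each scanner item maps to a config line that has actually been fixed.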

ted.schwind
Level 1

CSCuv19728 for the SSH issue. 
