
ASA Vulnerability Test

fatalXerror
Level 5

Hi Experts,

Good Day!

I would like to seek your assistance on how to mitigate some vulnerabilities in my ASA with CX. I performed a vulnerability test using Qualys on my ASA with CX and it hit me with a vulnerability named "TCP Sequence Number Approximation Based Denial of Service". I did some research and found out that most of the time BGP is prone to this vulnerability, but my ASA is not running the BGP protocol; however, my ASA is just a pass-through for the BGP peering of the Catalysts. Is that the reason why Qualys detected it?

The thing is, based on the documentation of this vulnerability, as a workaround I configured MD5 authentication for the BGP peering in my switches and ran a VA scan again, and the vulnerability is still there. I read the vulnerability document thoroughly and, besides the BGP protocol, Window Scaling is also part of this vulnerability, which I configured in order to enhance throughput.

Please help if one of you knows Qualys and how to mitigate this vulnerability.

Thanks,

Cheers,

 

Niks
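To make the window-scaling remark above concrete, here is an added example that is not part of the thread and not Cisco or Qualys code. It models the generic weakness the scanner is naming: a TCP stack that aborts a connection on any spoofed RST whose sequence number lands anywhere inside the receive window needs only about 2^32 / window guesses from an attacker who knows the 4-tuple (BGP peers and port 179 are easy to know), so a larger scaled window means fewer guesses. The hardened behaviour, where only a RST that exactly matches RCV.NXT resets and an in-window miss gets a challenge ACK, is modelled alongside it. The sequence number, window sizes and scale shift are constructed values; nothing here says whether a particular ASA or IOS release exhibits either behaviour.

```python
"""Blind RST attack cost against an in-window TCP stack vs a hardened one.

Added example, not code from the thread. All numbers are constructed.
"""
import math

SEQ_SPACE = 2 ** 32  # size of the 32-bit TCP sequence space


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return ((seq - rcv_nxt) % SEQ_SPACE) < rcv_wnd


def legacy_accepts_rst(seq, rcv_nxt, rcv_wnd):
    """Pre-hardening stack: any in-window RST aborts the connection."""
    return in_window(seq, rcv_nxt, rcv_wnd)


def hardened_accepts_rst(seq, rcv_nxt, rcv_wnd):
    """Exact-match rule: only SEG.SEQ == RCV.NXT resets the connection.
    An in-window but inexact RST is answered with a challenge ACK instead,
    which this model treats as 'not accepted'."""
    return seq == rcv_nxt


def effective_window(base_wnd, wscale_shift):
    """Receive window after applying a window-scale option of 2**shift.
    A 16-bit window of 65535 with shift 7 becomes 8388480 bytes."""
    return base_wnd << wscale_shift


def guesses_needed(rcv_wnd, hardened=False):
    """Worst-case number of spoofed RSTs to cover the whole sequence space:
    one per window for the legacy stack, one per sequence value if hardened."""
    if hardened:
        return SEQ_SPACE
    return math.ceil(SEQ_SPACE / rcv_wnd)


def blind_rst_attempts(rcv_nxt, rcv_wnd, accept):
    """Simulate an attacker who knows the 4-tuple (assumed) and sweeps the
    sequence space in window-sized steps. Returns the attempt count at which
    `accept` fires, or None if the sweep never lands."""
    attempts = 0
    for seq in range(0, SEQ_SPACE, rcv_wnd):
        attempts += 1
        if accept(seq, rcv_nxt, rcv_wnd):
            return attempts
    return None


def compare(rcv_nxt, base_wnd, wscale_shift):
    """Attack cost with and without window scaling, legacy vs hardened stack."""
    scaled = effective_window(base_wnd, wscale_shift)
    return {
        "unscaled_legacy": blind_rst_attempts(rcv_nxt, base_wnd, legacy_accepts_rst),
        "scaled_legacy": blind_rst_attempts(rcv_nxt, scaled, legacy_accepts_rst),
        "unscaled_hardened": blind_rst_attempts(rcv_nxt, base_wnd, hardened_accepts_rst),
        "scaled_hardened": blind_rst_attempts(rcv_nxt, scaled, hardened_accepts_rst),
        "worst_case_unscaled": guesses_needed(base_wnd),
        "worst_case_scaled": guesses_needed(scaled),
    }


if __name__ == "__main__":
    # Constructed connection state: the victim's RCV.NXT and a 64 KB base window
    # scaled by 2**7, as a throughput-oriented configuration might advertise.
    for key, value in compare(rcv_nxt=123456789, base_wnd=65535, wscale_shift=7).items():
        print(f"{key:>22}: {value}")
```

The point the numbers make is that MD5 (TCP option 19) on the BGP session and the exact-match RST rule are two different controls: the first makes a spoofed segment fail authentication no matter where its sequence number lands, the second shrinks the target from "anywhere in the window" to a single value. A scanner that infers the weakness from the advertised window and observed RST handling will keep flagging a device whose own stack still uses the in-window rule, regardless of what the BGP speakers behind it do.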

1 Reply

rvarelac
Level 7
Hi Nikko Malabanan

This vulnerability is only for routers and switches. The ASA firewall platform is not affected.
 
Please check the following URLs for further reference:
 
TCP Vulnerabilities in Multiple IOS-Based Cisco Products:-
 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-ios

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20040420-tcp-nonios

Multiple Vulnerabilities in Cisco PIX and Cisco ASA:-

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080604-asa

 

Hope it helps

-Randy-
