Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability CSCvg35618

msanclimenti
Level 1

All

Over the weekend I upgraded a couple of ASA5545X firewalls in an HA pair to v9.6.4-3. This upgrade fixes the vulnerability CSCvg35618. A few hours later I received calls that no one could connect to the VPN using AnyConnect. The users were trying to access the VPN using their Windows 10 laptops. I was able to verify this. The error was: "The AnyConnect package on the secure gateway could not be located. You may be experiencing network connectivity issues. Please try connecting again."

I verified this error with my Windows 10 laptop. I was able to access the firewalls using my iPad with the AnyConnect client. Looking over the ASA configuration, the AnyConnect image pointers under the webvpn section of the configuration were removed. I had to re-enter the pointers and the VPN was operational.

The original ASA code was v9.6.3(1) and the VPN was working before the upgrade. If you need to do this upgrade and you are using AnyConnect, please verify that the AnyConnect pointers are still present after the upgrade is completed.

webvpn
 enable outside-internet
 anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 1       (missing after the upgrade)
 anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 2     (missing after the upgrade)
 anyconnect image disk0:/anyconnect-linux64-4.5.01044-webdeploy-k9.pkg 3   (missing after the upgrade)
 anyconnect enable
 tunnel-group-list enable
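A post-upgrade check for exactly this failure, as an added example that is not part of the original post and not Cisco's own tooling. It takes the text of "show running-config webvpn" captured before and after the upgrade and the text of "dir disk0:" from each unit, then reports any "anyconnect image" pointer that disappeared, any pointer whose package is not actually on that unit's flash (the condition the first reply describes for losing the pointer on failover), and a webvpn section that has images but no "anyconnect enable". The config and directory listings below are constructed samples modelled on the post; the "dir" column layout (index, permissions, size, time, date, name) is an assumption about the ASA output, and how you collect the text (SSH, console log) is up to you.

```python
import re

# Matches a package pointer inside the webvpn section, e.g.
#   anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 1
IMAGE_RE = re.compile(r"^\s*anyconnect image\s+(\S+)(?:\s+(\d+))?\s*$", re.M)


def anyconnect_images(webvpn_config):
    """Return {image path: order} for every 'anyconnect image' line."""
    return {m.group(1): int(m.group(2)) if m.group(2) else None
            for m in IMAGE_RE.finditer(webvpn_config)}


def flash_files(dir_output):
    """Return the file names listed by 'dir disk0:'.

    Assumption: a file line has a permission field such as -rwx as its
    second token and the file name as its last token.
    """
    names = set()
    for line in dir_output.splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[1].startswith("-"):
            names.add(tokens[-1])
    return names


def check_unit(unit, before_cfg, after_cfg, dir_output):
    """Compare pointers before/after the upgrade and against flash.

    Returns a list of human-readable findings; an empty list means the
    AnyConnect pointers on this unit survived and every package exists.
    """
    before = anyconnect_images(before_cfg)
    after = anyconnect_images(after_cfg)
    on_flash = flash_files(dir_output)
    findings = []
    for path, order in before.items():
        if path not in after:
            findings.append(f"{unit}: pointer dropped by upgrade, re-enter: "
                            f"anyconnect image {path} {order}")
    for path in sorted(before.keys() | after.keys()):
        if path.rsplit("/", 1)[-1] not in on_flash:
            findings.append(f"{unit}: package {path} is not on flash; "
                            "the pointer will not survive a failover")
    if after and "anyconnect enable" not in after_cfg:
        findings.append(f"{unit}: images are configured but 'anyconnect enable' is missing")
    return findings


# Constructed samples (not captured output): the pre-upgrade webvpn section
# from the post, the post-upgrade section with the pointers gone, and two
# flash listings, one of which lacks the Linux package.
BEFORE = """webvpn
 enable outside-internet
 anyconnect image disk0:/anyconnect-win-4.5.01044-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.5.01044-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
"""
AFTER = """webvpn
 enable outside-internet
 anyconnect enable
 tunnel-group-list enable
"""
DIR_PRIMARY = """Directory of disk0:/

126    -rwx  101226816    12:54:14 Feb 10 2018  asa964-3-smp-k8.bin
127    -rwx   60155520    12:58:02 Feb 10 2018  anyconnect-win-4.5.01044-webdeploy-k9.pkg
128    -rwx   41127936    12:59:10 Feb 10 2018  anyconnect-macos-4.5.01044-webdeploy-k9.pkg
129    -rwx   32211968    13:00:21 Feb 10 2018  anyconnect-linux64-4.5.01044-webdeploy-k9.pkg
"""
DIR_SECONDARY = """Directory of disk0:/

126    -rwx  101226816    12:54:14 Feb 10 2018  asa964-3-smp-k8.bin
127    -rwx   60155520    12:58:02 Feb 10 2018  anyconnect-win-4.5.01044-webdeploy-k9.pkg
128    -rwx   41127936    12:59:10 Feb 10 2018  anyconnect-macos-4.5.01044-webdeploy-k9.pkg
"""

if __name__ == "__main__":
    for finding in (check_unit("primary", BEFORE, AFTER, DIR_PRIMARY)
                    + check_unit("secondary", BEFORE, BEFORE, DIR_SECONDARY)):
        print(finding)
```

Run it against both units of the pair before you switch roles; a unit that reports a missing package is the one to copy the .pkg files to before the failover, and a unit that reports dropped pointers needs the "anyconnect image" lines re-entered under webvpn.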

2 Replies

ddefoort
Level 1

This will happen during the upgrade process: when you fail over from the active to the standby unit, if the standby unit does not have the AnyConnect image on it, you will lose the pointer.

On Mon, Feb 12, 2018 at 9:46 AM, Michael Sanclimenti <community@cisco.com>

Dennis

Both firewalls have the AnyConnect software in their directory, and both firewalls had the AnyConnect pointers in the configuration before the upgrade. I have done upgrades in the past to address Cisco vulnerabilities on these firewalls with no AnyConnect issues. Also, I use the same procedure: upgrade the standby first, switch the firewall roles, upgrade the active, and then switch the firewall roles back. No downtime, since there are IPsec connections in use. I cannot see any reason why an upgrade would remove configuration statements. I reviewed the notes for this vulnerability and there is no mention of re-entering the AnyConnect pointers.
