Cisco ASA SSL VPN Vulnerability

johnlloyd_13
Level 9

Hi,

Cisco recently released a security advisory/CVE regarding an SSL VPN vulnerability.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

The advisory wasn't quite clear to me, as it has 2 parts: the webvpn feature being enabled, and the SSL and DTLS listen socket.

I have an ASA that has no webvpn (it's just a NAT firewall), but when I checked the show asp table socket output, it has SSL (no DTLS) listening on the "inside" and MGMT interface IPs. My question is: do I still need to do an IOS upgrade even though webvpn is disabled?

 

# show run webvpn
#    <<< BLANK
# show asp table socket | i SSL

SSL       00002e7f  172.x.x.130:443            0.0.0.0:*               LISTEN   <<< MGMT IP 
SSL       00005aef  172.x.x.13:443             0.0.0.0:*               LISTEN    <<< "inside" IP 
#
# show asp table socket | i DTLS
#   <<< BLANK


I also saw an ASA firewall (on 8.2) that has webvpn configured, but it's not applied to any interface. Can I just safely remove it (put a "no" in front of it) and not be vulnerable? I'm not sure whether webvpn was a default on the older 8.2 image.


ntp server x.x.x.x
webvpn
username xx password yyy encrypted privilege 15

4 Replies

Ajay Saini
Level 7

Unless webvpn is configured AND enabled on an interface, the ASA is not affected by the vulnerability; you are right there. Since ASDM and webvpn both use SSL, you see SSL listening on the inside interface. But you would need SSL and DTLS for this vulnerability to affect your device, and that is the case when webvpn is enabled on any interface.

As a side note, since you mentioned the 8.2 code, I would recommend an upgrade, since that release is quite old and already EOS. It has multiple bugs anyway, and Cisco would not even support it if there are issues.


-

HTH
AJ
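The reply above reduces the question to two observable conditions: is there an `enable <interface>` line inside the `webvpn` block of the running configuration, and does `show asp table socket` show a DTLS listener alongside the SSL one that ASDM also opens. The script below is an added example, not code from the thread or from Cisco, that checks exactly those two conditions over pasted CLI output. The sample outputs are constructed (loosely modelled on the excerpts in the question); the interface name `outside`, the addresses and the socket IDs are assumptions. The advisory linked in the question is the authority on which features are affected, so this is a first-pass triage of the reply's criteria, not proof that a device is unaffected.

```python
import re
from typing import Dict, List

# Constructed sample outputs (not captured from a real device), modelled on
# the "show run webvpn" and "show asp table socket" excerpts in the question.
RUN_WEBVPN_BLOCK_EMPTY = """\
ntp server 10.0.0.1
webvpn
username admin password yyy encrypted privilege 15
"""

RUN_WEBVPN_ENABLED_OUTSIDE = """\
ntp server 10.0.0.1
webvpn
 enable outside
 anyconnect enable
username admin password yyy encrypted privilege 15
"""

ASP_SSL_ONLY = """\
Protocol  Socket    Local Address               Foreign Address         State
TCP       00001234  172.16.0.13:22              0.0.0.0:*               LISTEN
SSL       00002e7f  172.16.0.130:443            0.0.0.0:*               LISTEN
SSL       00005aef  172.16.0.13:443             0.0.0.0:*               LISTEN
"""

ASP_SSL_AND_DTLS = """\
Protocol  Socket    Local Address               Foreign Address         State
SSL       00002e7f  203.0.113.10:443            0.0.0.0:*               LISTEN
DTLS      00005aef  203.0.113.10:443            0.0.0.0:*               LISTEN
"""

# Protocol, socket id, local address, foreign address, state.
_SOCKET_RE = re.compile(r"^(SSL|DTLS)\s+\S+\s+(\S+)\s+\S+\s+LISTEN\b")


def webvpn_enabled_interfaces(running_config: str) -> List[str]:
    """Return interface names from 'enable <ifname>' lines inside 'webvpn'.

    ASA prints a block's sub-commands indented by one space; the block ends
    at the next line that starts in column 0. A bare 'webvpn' line directly
    followed by a column-0 line (the 8.2 config in the question) is an
    empty block, so nothing is enabled.
    """
    enabled: List[str] = []
    in_block = False
    for line in running_config.splitlines():
        if not line.strip():
            continue
        if line == "webvpn":
            in_block = True
            continue
        if in_block and not line.startswith(" "):
            in_block = False
        if in_block:
            m = re.match(r"^\s+enable\s+(\S+)\s*$", line)
            if m:
                enabled.append(m.group(1))
    return enabled


def tls_listeners(asp_socket_output: str) -> Dict[str, List[str]]:
    """Map 'SSL' and 'DTLS' to the local addresses found in LISTEN state."""
    listeners: Dict[str, List[str]] = {"SSL": [], "DTLS": []}
    for line in asp_socket_output.splitlines():
        m = _SOCKET_RE.match(line)
        if m:
            listeners[m.group(1)].append(m.group(2))
    return listeners


def assess(running_config: str, asp_socket_output: str) -> Dict[str, object]:
    """Combine both views the way the reply does.

    An SSL listener on :443 by itself is expected whenever ASDM is on, so it
    is reported but does not by itself flag the box. The reply's condition
    is webvpn enabled on an interface AND a DTLS listener present.
    """
    ifaces = webvpn_enabled_interfaces(running_config)
    sockets = tls_listeners(asp_socket_output)
    return {
        "webvpn_interfaces": ifaces,
        "ssl_listeners": sockets["SSL"],
        "dtls_listeners": sockets["DTLS"],
        "webvpn_exposed": bool(ifaces) and bool(sockets["DTLS"]),
    }


if __name__ == "__main__":
    for label, cfg, asp in (
        ("NAT firewall, empty webvpn block", RUN_WEBVPN_BLOCK_EMPTY, ASP_SSL_ONLY),
        ("webvpn enabled on outside", RUN_WEBVPN_ENABLED_OUTSIDE, ASP_SSL_AND_DTLS),
    ):
        print(label, assess(cfg, asp))
```

Paste the real `show running-config` and `show asp table socket` output into the two string constants to run it against a device; the block-end rule (sub-commands indented, next column-0 line closes the block) is what distinguishes the empty `webvpn` stanza in the 8.2 config from one that actually enables the feature.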

Hello,

I have a question. If two-factor authentication is in place with user certificates, does it mean that the set of potential attackers is limited to the users with certificates? Because only these users are able to successfully establish an SSL connection.

Thank you

Tomas

Hello,

No matter how the users authenticate, it's a vulnerability on the server (in this case, the ASA) and it affects the device if the conditions in the link are met. Also, from the document:

A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.


HTH

AJ

Hello,

Thank you for the response.

Regards

Tomas
