The advisory wasn't quite clear to me, as it has 2 parts: the webvpn feature being enabled, and the SSL and DTLS listen socket.
I have an ASA that has no webvpn (it's just a NAT FW), but when I checked the show asp table socket output, it has SSL (no DTLS) listening on the "inside" and MGMT interface IPs. My question is, do I still need to do an IOS upgrade even though webvpn is disabled?
# show run webvpn
#                                                        <<< BLANK
# show asp table socket | i SSL
SSL   00002e7f   172.x.x.130:443   0.0.0.0:*   LISTEN    <<< MGMT IP
SSL   00005aef   172.x.x.13:443    0.0.0.0:*   LISTEN    <<< "inside" IP
#
# show asp table socket | i DTLS
#                                                        <<< BLANK
I also saw an ASA FW (on 8.2) that has webvpn, but it's not applied to any interface. Can I just safely remove it (put a "no" in front of it) and not be vulnerable? Not sure if webvpn was a default on the older 8.2 image.
ntp server x.x.x.x
webvpn
username xx password yyy encrypted privilege 15
Unless webvpn is configured AND enabled on an interface, the ASA is not affected by the vulnerability; you are right there. Since both ASDM and WebVPN use SSL, you see SSL listening on the inside interface. But you would need SSL and DTLS for this vulnerability to affect your device, and that is the case when webvpn is enabled on any interface.
As a side note, since you mentioned the 8.2 code, I would recommend an upgrade, since that is quite old and already EOS. It has multiple bugs anyway, and Cisco would not even support it if there are issues.
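A small check script, added here and not part of the thread or of any Cisco tool, that applies the rule given in the reply above (exposed only when webvpn is enabled on an interface and the box listens for both SSL and DTLS) to constructed copies of the "show asp table socket" and "show run webvpn" output. The column order of the socket table, the sample socket ids and the 172.16.0.x addresses are assumptions made for the example.

```python
import re

# Constructed sample output (not from a real device), laid out in the column
# order seen in the thread: protocol, socket id, local address, foreign, state.
SAMPLE_SOCKETS = """\
Protocol  Socket    Local Address      Foreign Address  State
SSL       00002e7f  172.16.0.130:443   0.0.0.0:*        LISTEN
SSL       00005aef  172.16.0.13:443    0.0.0.0:*        LISTEN
TCP       0000ab12  172.16.0.13:22     0.0.0.0:*        LISTEN
"""
DTLS_LINE = "DTLS      0000c0de  172.16.0.130:443   0.0.0.0:*        LISTEN\n"

# Constructed running-config fragments: a webvpn block with no interface
# enabled (the poster's situation) and one with 'enable outside'.
CONFIG_NO_ENABLE = "ntp server 172.16.0.1\nwebvpn\n!\nusername xx password yyy encrypted privilege 15\n"
CONFIG_ENABLED = "ntp server 172.16.0.1\nwebvpn\n enable outside\n anyconnect enable\n!\n"

SOCKET_RE = re.compile(r"^(SSL|DTLS|TCP|UDP)\s+([0-9a-f]+)\s+(\S+:\d+)\s+(\S+)\s+(\w+)")

def parse_listeners(asp_output):
    """Return {protocol: [local_address, ...]} for every socket in LISTEN state."""
    listeners = {}
    for line in asp_output.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m and m.group(5) == "LISTEN":
            listeners.setdefault(m.group(1), []).append(m.group(3))
    return listeners

def webvpn_enabled_interfaces(running_config):
    """Return the interfaces named by 'enable <ifname>' lines inside the webvpn block.
    ASA indents sub-commands with a leading space; any non-indented line ends the block."""
    enabled, in_block = [], False
    for line in running_config.splitlines():
        if line and not line.startswith(" "):
            in_block = (line.strip() == "webvpn")
            continue
        m = re.match(r"\s+enable\s+(\S+)", line) if in_block else None
        if m:
            enabled.append(m.group(1))
    return enabled

def assess(asp_output, running_config):
    """Apply the thread's rule: exposed only if webvpn is enabled on an interface
    and both an SSL and a DTLS listener are present."""
    listeners = parse_listeners(asp_output)
    enabled = webvpn_enabled_interfaces(running_config)
    return {"webvpn_interfaces": enabled,
            "ssl_listeners": listeners.get("SSL", []),
            "dtls_listeners": listeners.get("DTLS", []),
            "exposed": bool(enabled) and "SSL" in listeners and "DTLS" in listeners}
```

Feed it the two command outputs captured from a device and the verdict tells you which of the advisory's two conditions actually holds on that box.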
I would have a question. If two-factor authentication is in place with user certificates, does it mean that the set of potential attackers is only the users with certificates? Because only these users are able to successfully establish an SSL connection.
No matter how the users authenticate, it's a vulnerability on the server (in this case, the ASA) and it applies if the conditions are met as per the link. Also, from the document:
A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.