CVE-2016-1287 Vulnerability

alfredobosca

Hello,

We have detected the following vulnerability, CVE-2016-1287, and Cisco advises upgrading to version 9.1, but in my case that would be very painful (the current version is still 8.2). Does anybody know if there is any workaround?

Thanks in advance,

8 Replies

Hello,

referring to

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike 

Section Workarounds states that there are currently no workarounds.

Regards

David Castro F.

Hello Alfredo,

There are no workarounds either way; you may just patch the firewalls to the interim version 8.2(5)59, and it will stay in the same 8.2.X series, so your NAT or VPN configs won't change. Either way, the best practice is to move to 9.1.7.

If this helped, could you please rate this! Let me know if you have further questions on this!

Regards,

David Castro,

Hi,

But version 8.2(5.59) is still not available on the Cisco website.

Thanks,

Hello Alfredo,

Version 8.2(5)59 is available; I actually patched 3 clusters with that interim release yesterday. The image is called asa825-59-k8.bin, and you may find it here:

Cisco Adaptive Security Appliance Software for the ASA 5505, 5510, 5520, 5540, and ASA5550. Please read the Release Note prior to downloading this release. 

- https://software.cisco.com/download/release.html?mdfid=279916854&flowid=4373&softwareid=280775065&release=8.2.5%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

If this helped, could you please rate this! Let me know if you have further questions on this!

Regards,

David Castro,

Hello,

I have upgraded from 8.2.5 to 8.2(5)59 and all interfaces have been put in shutdown. This behaviour is unusual...

Hello Alfredo,

It seems like nothing was saved, since there is no IP address or security level defined. Did you save the configuration before going to that version? This is really unlikely to happen; I was going through internal documentation and this seems to be an issue that is completely undocumented, since this was tested in several sandbox environments. Is that ASA good on memory? Did you do a health check when this occurred? By any chance do you have a syslog server, so we can see what happened at that exact time? Is that the only issue that you are having so far?

Note: An interface will show as shutdown if there are no devices connected to it, so check cabling and that there are devices plugged in and turned on.

Please proceed to rate and mark as correct this post if it helped you! Keep me posted!

Thanks,

David Castro, 

Hello,

The release note indicates that it only affects ASA devices with HTTPS inspection. In this case, HTTPS inspection isn't configured on the ASA. Should you upgrade the firmware?

Thanks a lot!

According to the release notes of this last interim version, there won't be any other 8.2.X, so the recommendation is to have the OS upgraded to 9.X, if this does not involve any memory implications. So, as a best practice, you should look to upgrade, and make sure 9.x won't wreck anything in place.

Please proceed to rate and mark as correct this post if it helped you! Keep me posted!

Thanks,

David Castro, 
