
CVE-2018-0101 vulnerability

I am basically coming here to see if anyone else, not a very big expert in Cisco, has found something about this CVE-2018-0101 vulnerability that actually helps them out, instead of ending up at a page like this: https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

 

I have two Cisco ASA 5510s connected via a persistent IPsec tunnel (east coast, west coast). A while ago, we wanted to upgrade the ASA version, but given the crazy process to do so (Yeaaaaaaaah, just quickly read through this and you're all set! HA. Ha. ha. https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050)... Needless to say, if you're not a Cisco or command line guru, it is anything but daunting.

 

One ASA is version 8.2(5) and the other is 8.2(2). Can't we just disable something, or turn something off, rather than purchase physical RAM (required to upgrade to ASA 9 if your router only has 256 MB), then upgrade our router twice (since it needs incremental upgrades), and THEN apply the Cisco patch?

 

With all the reading I've done, I am surprised to not find something that shows how to run some commands to either confirm or deny vulnerability, and if one doesn't want to completely revamp their routers, to ****JUST**** turn off the "vulnerable" part(s). Perhaps I am not seeing the bigger picture here; if so, please let me know (kindly).

 

We only have the persistent IKE IPsec tunnel to the other ASA, and end users also connect with Cisco VPN Client and/or Shrew Soft VPN with .PCF config files. There is also an IKE IPsec tunnel to an Amazon AWS instance.

 

#Mat
Frequent Contributor

 

Hi, you can check with this command:

 

show asp table socket | include SSL|DTLS

 

All information is in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1 and https://blogs.cisco.com/security/cve-2018-0101

 

There is not a workaround for all vulnerable configurations. You should disable them, or you will need to upgrade RAM and version.

 

Regards.-

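To make the check above easier to apply across several devices, here is an added example (not from the original post or from Cisco) that parses the output of `show asp table socket | include SSL|DTLS` and reports whether any SSL or DTLS listeners are exposed. The sample output and the assumed column layout (Protocol, Socket, State, Local Address, Foreign Address) are constructed for illustration; paste your own device's output in place of it.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample output (not captured from a real device). The `include`
# filter already drops the column header, so only matching rows remain.
SAMPLE_OUTPUT = """\
SSL 00005898 LISTEN 172.16.0.250:443 0.0.0.0:*
SSL 00009ad8 LISTEN 10.0.0.250:443 0.0.0.0:*
DTLS 0000a050 LISTEN 10.0.0.250:443 0.0.0.0:*
TCP 00001234 LISTEN 10.0.0.250:22 0.0.0.0:*
"""

# Assumed row layout: Protocol  Socket(hex)  State  Local Address  Foreign Address
ROW_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)


@dataclass(frozen=True)
class Socket:
    proto: str
    state: str
    local: str


def parse_asp_sockets(text: str) -> List[Socket]:
    """Parse 'show asp table socket' rows; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Socket(m["proto"].upper(), m["state"].upper(), m["local"]))
    return rows


def ssl_dtls_listeners(text: str) -> List[Socket]:
    """Return only the SSL/DTLS sockets in LISTEN state, i.e. the exposed webvpn surface."""
    return [s for s in parse_asp_sockets(text)
            if s.proto in ("SSL", "DTLS") and s.state == "LISTEN"]


def webvpn_exposed(text: str) -> bool:
    """True when at least one SSL or DTLS listener is present."""
    return bool(ssl_dtls_listeners(text))


if __name__ == "__main__":
    for s in ssl_dtls_listeners(SAMPLE_OUTPUT):
        print(f"{s.proto:5} listening on {s.local}")
    print("webvpn surface exposed:", webvpn_exposed(SAMPLE_OUTPUT))
```

An empty result means no SSL/DTLS listener is running, which is the condition the command in the reply above is meant to confirm; a non-empty result is the case the advisory and the upgrade guidance apply to.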
Karsten Iwen
VIP Mentor

The vulnerable part is the ASA with this old software. You can just turn that off.

Ok, that is not what you want to hear, but it's the reality: A firewall is a complex system that needs ongoing professional maintenance. If you can't do it alone, you should get someone to do it for you. There are Cisco partners and consultants out there who can do the job.

Not taking care of that leaves your network and your business at risk.

Thanks for the replies, everyone. This actually makes it much easier to do what I wanted anyway: swap them out with some Meraki MX appliances. I do understand the complexity of routers/firewalls, but man, have we come a long way in the way of "maintenance", which is why I want to go the Meraki route. I do agree, the ASAs need to go away.... since, just to connect to and manage them, I have to break out an old laptop that still has the **working** ASDM software loaded on it, because to this day there is not an EXPLICIT instruction set for getting ASDM to work flawlessly the first time. Java version this, Java version that, nightmares over and over.... much better to just log into a website!
