03-06-2018 01:39 PM - edited 02-21-2020 07:28 AM
I am basically coming here to see if anyone else, not a very big expert in Cisco, has found something about this CVE-2018-0101 vulnerability that actually helps them out, instead of ending up at a page like this: https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050
I have two Cisco ASA 5510's connected via persistent IPSEC tunnel (east coast, west coast). A while ago, we wanted to upgrade the ASA version but given the crazy process to do so (Yeaaaaaaaah, just quickly read through this and you're all set! HA. Ha. ha. https://supportforums.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050). Needless to say, if you're not a Cisco or command line guru, it is anything but daunting.
One ASA is version 8.2(5) and the other is 8.2(2). Can't we just disable something, or turn something off, rather than purchase physical RAM (required to upgrade to ASA 9 if your router only has 256 MB), then upgrade our router twice (since it needs incremental upgrades), and THEN apply the Cisco patch?
With all the reading I've done, I am surprised to not find something that shows how to run some commands to either confirm or deny vulnerability, and if one doesn't want to completely revamp their routers, to ****JUST**** turn off the "vulnerable" part(s). Perhaps I am not seeing the bigger picture here; if so, please let me know (kindly).
We only have the persistent IKE IPsec tunnel to the other ASA, and end users also connect with Cisco VPN Client and/or Shrewsoft VPN with .PCF config files. There is also an IKE IPsec tunnel to an Amazon AWS instance.
03-06-2018 06:59 PM
Hi, you can check with this command:
show asp table socket | include SSL|DTLS
All information is in https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1 and https://blogs.cisco.com/security/cve-2018-0101
There is not a workaround for all vulnerable configurations. You should disable them, or you will need to upgrade RAM and version.
Regards.-
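A way to triage the output of that check over constructed sample lines, as an added example that is not from this thread or from Cisco. The column layout of `show asp table socket` is approximated from memory, so the row regex and the sample text are assumptions; the logic mirrors the `| include SSL|DTLS` filter and groups any SSL/DTLS listeners by the local address they are bound to.

```python
import re
from typing import Dict, List

# Constructed sample resembling `show asp table socket` output on an ASA.
# The column layout is an assumption, not a capture from a real device.
SAMPLE_OUTPUT = """\
Protocol  Socket    State      Local Address                Foreign Address
SSL       000aa5df  LISTEN     203.0.113.10:443             0.0.0.0:*
DTLS      00b2c1f7  LISTEN     203.0.113.10:443             0.0.0.0:*
TCP       00c3d2e8  LISTEN     192.0.2.1:22                 0.0.0.0:*
SSL       00d4e3f9  LISTEN     192.0.2.1:443                0.0.0.0:*
"""

# One data row: protocol, hex socket id, state, local addr:port, foreign addr:port.
ROW = re.compile(
    r"^(?P<proto>[A-Za-z]+)\s+(?P<sock>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)

# The protocols the advisory's `| include SSL|DTLS` filter selects.
WEBVPN_PROTOS = {"SSL", "DTLS"}


def parse_sockets(output: str) -> List[Dict[str, str]]:
    """Parse data rows from the command output; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m and m.group("proto").lower() != "protocol":
            rows.append(m.groupdict())
    return rows


def ssl_dtls_listeners(output: str) -> List[Dict[str, str]]:
    """Return only the SSL/DTLS sockets, i.e. what the include filter would print."""
    return [r for r in parse_sockets(output) if r["proto"].upper() in WEBVPN_PROTOS]


def summarize(output: str) -> Dict[str, object]:
    """Group SSL/DTLS listeners by local address so each exposed interface is visible."""
    by_addr: Dict[str, List[str]] = {}
    for r in ssl_dtls_listeners(output):
        by_addr.setdefault(r["local"], []).append(r["proto"].upper())
    return {"exposed": bool(by_addr), "listeners": by_addr}


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

An empty result means the filter would print nothing for that device; a non-empty one lists which addresses carry SSL/DTLS listeners and is the starting point for deciding what to disable until the upgrade.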
03-07-2018 02:52 AM
The vulnerable part is the ASA with this old software. You can just turn that off.
Ok, that is not what you want to hear, but it's the reality: A firewall is a complex system that needs ongoing professional maintenance. If you can't do it alone, you should get someone to do it for you. There are Cisco partners and consultants out there who can do the job.
Not taking care of that leaves your network and your business at risk.
03-07-2018 01:21 PM - edited 03-07-2018 01:22 PM
Thanks for the replies everyone. This actually makes it much easier to do what I wanted anyway -- swap them out with some Meraki MX appliances. I do understand the complexity of routers/firewalls, but man, have we come a long way in the way of "maintenance", which is why I want to go the Meraki route. I do agree, the ASAs need to go away.... since, just to connect to and manage them, I have to break out an old laptop that still has the **working** ASDM software loaded on it, because to this day there is not an EXPLICIT instruction set for getting ASDM to work flawlessly the first time. Java version this, Java version that, nightmares over and over.... much better to just log into a website!