Re: Do i need to patch my asa ?

toxqsd · ‎04-10-2018

Hello,

I have a cisco asa 5525 and I found out there is a vulnerability ( cisco-sa-20180129-asa1 ) and I dont know if my version is vulnerable (my version is 9.6.3) . According to this site ( https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1#fixed ) I think it is vulnerable but I'm not sure. Can you guys please help me ? Thanks a lot.

Rahul Govindan · ‎04-10-2018

9.6.3 is an affected release. But the vulnerability can only be exploited if you have one of the features enabled as documented in the vulnerability documentation:

Feature	Vulnerable Configuration
Adaptive Security Device Manager (ASDM)¹	http server enable <port> http <remote_ip_address> <remote_subnet_mask> <interface_name>
AnyConnect IKEv2 Remote Access (with client services)	crypto ikev2 enable <interface_name> client-services port <port #> webvpn anyconnect enable
AnyConnect IKEv2 Remote Access (without client services)	crypto ikev2 enable <interface_name> webvpn anyconnect enable
AnyConnect SSL VPN	webvpn enable <interface_name>
Cisco Security Manager²	http server enable <port> http <remote_ip_address> <remote_subnet_mask> <interface_name>
Clientless SSL VPN	webvpn enable <interface_name>
Cut-Through Proxy (Not vulnerable unless used in conjunction with other vulnerable features on the same port)	aaa authentication listener <interface_name> port <number>
Local Certificate Authority (CA)	crypto ca server no shutdown
Mobile Device Manager (MDM) Proxy³	mdm-proxy enable <interface_name>
Mobile User Security (MUS)	webvpn mus password <password> mus server enable port <port #> mus <address> <mask> <interface_name>
Proxy Bypass	webvpn proxy-bypass
REST API⁴	rest-api image disk0:/<image name> rest-api agent
Security Assertion Markup Language (SAML) Single Sign-On (SSO)⁵	N/A

An upgrade to 9.6.4.3 is recommended if you any of the above features enabled.