Firepower 9300 Vulnerability ArcaneDoor - ASA Update error

joandwifi
Level 1

Hello,
We were impacted by the vulnerability https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h, and following recommendations from the TAC, I had to update my pair of ASAs from version 9.14.3.18 to version 9.14.4.24. We followed all the update procedures, but when I went to access the "connect module 1 console", my ASA did not load the VPN settings and entered a "module" similar to FXOS. I contacted Cisco on the same ticket, but they are still taking a long time to give me feedback. Has anyone had this problem?

Could you share some process for me to recover the CLI of my ASA?
Everything in the GUI is functional, with the status ok, however, in the CLI, I can no longer access the ASA settings:


NOTE: We checked version compatibility; however, the image I was recommended to install was the Cisco Adaptive Security Appliance CSP package for the Cisco Firepower Series.

cisco-asa.9.14.4.24.SPA.csp

https://software.cisco.com/download/home/286287252/type/280775065/release/9.14.4%20Interim


5 Replies

tvotna
Spotlight

Simply try "connect asa" from this CLI (which is a module CLI).


Hello @Marvin Rhoads and @tvotna

Thank you for the quick response, but unfortunately the command does not work.

The ASA CLI address is local, it is not remotely accessible via the VPN (firewall rules).


SE01#
SE01# connect
adapter Mezzanine Adapter
cimc Cisco Integrated Management Controller
fxos Connect to FXOS CLI
local-mgmt Connect to Local Management CLI
module Security Module Console


SE01# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:
Close Network Connection to Exit

Firepower-module1>
Firepower-module1>en
No such command
en
Firepower-module1>config
coredump disk maxRestart memory process restartCounters restartTimeInterval turboBoost
Firepower-module1>show
cgroups coredump cpu cpuinfo disk diskusage faults hosts interfaces maxRestart memory memoryusage netstat ntp platform process processes route services slot tech-support time turboBoost uptime users version vnicmap
Firepower-module1>show tech-support
Version information
================================================================================
Linux Firepower-module1 4.18.45-yocto-standard #1 SMP Sat Oct 15 05:19:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Image type : Release
Key Version : A

Firepower Extensible Operating System Platform 2.12(0.450) (1)

Cisco Firepower Extensible Operating System (FX-OS) Software.
TAC support: http://www.cisco.com/tac
Copyright (c) 2009-2016, Cisco Systems, Inc. All rights reserved.

The copyrights to certain works contained in this software are owned by other third parties and


In this case TAC would say the following: "if it doesn't work, provide corresponding output, otherwise this has never happened".

So far I don't see how you tried "connect module 1 console" and _then_ "connect asa" from the "Firepower-module1>" prompt.


Hello @tvotna and @Marvin Rhoads

I was wrong, and I was wrong.
Thank you for insisting on correcting me. In fact, the process needs to be executed twice, and I despaired when it didn't work directly.
After I ran "connect asa", I was able to access the firewall settings.
Cisco hasn't responded to me yet, but thank you very much.



SEG01#
SEG01# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Escape character is '~'.

CISCO Serial Over LAN:
Close Network Connection to Exit

Firepower-module1>connect asa
Connecting to asa(SEG01-ASA) console... hit Ctrl + A + D to return to bootCLI


WARNING: DH group 5 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: DES is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: DH group 2 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: DES is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: DES is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: DH group 2 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: interface Ethernet1/1 security level is 0.
WARNING: Configure rate limit on syslog messages to avoid impact on other operations in case of high syslog rate
WARNING: HMAC-MD5 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: HMAC-SHA1-96 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: HMAC-MD5-96 is considered insecure. This option is deprecated and will be removed in a later version.
End configuration replication from mate.
WARNING: Pool (10.) overlap with existing pool.
WARNING: Pool (10.) overlap with existing pool.
WARNING: Pool (10.) overlap with existing pool.
WARNING: Pool (10.) overlap with existing pool.

Switching to Active
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
enable
Password:
Invalid password
Password: ******************************************************
Invalid password
Password:
Invalid password
Access denied.
SEG01-ASA/pri/act> en
Password:
Invalid password
Password:
Invalid password
Password:
Invalid password
Access denied.
SEG01-ASA/pri/act> en
Password: ********
SEG01-ASA/pri/act# sh run
: Saved

:
: Serial Number: FLM23
: Hardware: FPR9K-SM-44, 228786 MB RAM, CPU Xeon E5 series 2200 MHz, 2 CPUs (88 cores)
:
ASA Version 9.14(4)24 <system>
!
hostname SEG01-ASA
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4


Marvin Rhoads
Hall of Fame

As @tvotna mentioned, connecting to the ASA CLI from the FXOS CLI is a two-step process. First you connect to the security module and then to the logical device (ASA in your case) running on the security module.

The ASA should also have a separate physical interface assigned to it for management. You should be able to log into it directly using the ASA management address.
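The two-step path described in this thread (FXOS chassis CLI, then the module's bootCLI, then the ASA) is easy to lose track of when a console session is scripted or when several transcripts are being reviewed after an incident. The following Python script is an added example, not code from the thread or from Cisco: it reads a captured console transcript, recognizes which CLI layer each prompt belongs to, reports the next command needed to reach the ASA, and collects the "is considered insecure" boot warnings the ASA printed so they can be turned into a hardening list. The prompt patterns are generalized from the transcripts posted above (supervisor `SE01#`/`SEG01#`, `Firepower-module1>`, `SEG01-ASA/pri/act>`), the module number 1 is assumed, and both sample transcripts are constructed from the posted output.

```python
import re
from typing import Dict, List, Optional

# Prompt patterns for the three CLI layers, most specific first.
# Assumed from the transcripts in this thread: the ASA failover prompt looks like
# "SEG01-ASA/pri/act>" (or "#" once enabled), the module bootCLI is
# "Firepower-moduleN>", and the FXOS supervisor is "<hostname>#".
LAYER_PATTERNS = [
    ("asa", re.compile(r"^[\w-]+/(?:pri|sec)/(?:act|stby)[>#]")),
    ("module", re.compile(r"^Firepower-module\d+>")),
    ("fxos", re.compile(r"^[\w-]+#")),
]

# Command to type at each layer to get one step closer to the ASA CLI.
# Module number 1 is an assumption; adjust for multi-module chassis.
NEXT_STEP: Dict[str, Optional[str]] = {
    "fxos": "connect module 1 console",
    "module": "connect asa",
    "asa": None,  # already at the ASA prompt
}

# ASA boot warnings of the form "WARNING: <algorithm> is considered insecure."
DEPRECATED_RE = re.compile(r"^WARNING: (.+?) is considered insecure")


def classify_prompt(line: str) -> Optional[str]:
    """Return the CLI layer a line's prompt belongs to, or None if it is not a prompt."""
    for layer, pattern in LAYER_PATTERNS:
        if pattern.match(line):
            return layer
    return None


def analyze_transcript(text: str) -> Dict[str, object]:
    """Walk a console transcript and summarize where the session ended up.

    Returns the ordered list of layers entered, the final layer, the command
    that would advance toward the ASA from there, and the set of algorithms the
    ASA flagged as deprecated during boot.
    """
    path: List[str] = []
    current: Optional[str] = None
    deprecated = set()
    for raw in text.splitlines():
        line = raw.strip()
        layer = classify_prompt(line)
        if layer and layer != current:
            path.append(layer)
            current = layer
        match = DEPRECATED_RE.match(line)
        if match:
            deprecated.add(match.group(1))
    return {
        "path": path,
        "final_layer": current,
        "next_step": NEXT_STEP.get(current) if current else "connect module 1 console",
        "deprecated_crypto": sorted(deprecated),
    }


# Constructed transcript of the "stuck" session from the original post:
# the operator connected to the module console but never ran "connect asa".
STUCK_TRANSCRIPT = """SE01# connect module 1 console
Telnet escape character is '~'.
Trying 127.5.1.1...
Connected to 127.5.1.1.
Firepower-module1>en
No such command
Firepower-module1>show
"""

# Constructed transcript of the working session: both steps, then ASA boot warnings.
SUCCESS_TRANSCRIPT = """SEG01# connect module 1 console
Firepower-module1>connect asa
Connecting to asa(SEG01-ASA) console... hit Ctrl + A + D to return to bootCLI
WARNING: DH group 5 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: DES is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: HMAC-MD5 is considered insecure. This option is deprecated and will be removed in a later version.
WARNING: interface Ethernet1/1 security level is 0.
SEG01-ASA/pri/act> en
Password: ********
SEG01-ASA/pri/act# sh run
"""

if __name__ == "__main__":
    for name, transcript in (("stuck", STUCK_TRANSCRIPT), ("success", SUCCESS_TRANSCRIPT)):
        result = analyze_transcript(transcript)
        print(f"{name}: path={result['path']} next={result['next_step']!r} "
              f"deprecated={result['deprecated_crypto']}")
```

For the stuck transcript the script reports that the session ended at the module layer and that `connect asa` is the missing step; for the working one it reports the ASA layer and lists DES, DH group 5 and HMAC-MD5 as algorithms the ASA itself has flagged for removal from the configuration.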
