Hi,

pitchaimani.kamal · ‎05-24-2016

Hi Guys,

It seems there is a openssl Vulnerability for ASA. How to patch it, for ASA version 9.4.1 and is there any software update for it.

Regards,

G.Pitchaimani

Rishabh Seth · ‎05-24-2016

Hi,

Could you please share the CVE id of the vulnerability which you are trying to patch.

Thanks,

RS

pitchaimani.kamal · ‎05-24-2016

Hi,

The CVE id for 6 vulnerabilities listed below,

First,four of them may cause memory corruption or excessive memory usage, 2nd one, could allow a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI, and, 3rd one, is specific to a product performing an operation with Extended Binary Coded Decimal Interchange Code (EBCDIC) encoding.

CVE-2016-2105

CVE-2016-2106

CVE-2016-2107

CVE-2016-2108

CVE-2016-2109

CVE-2016-2176

Kindly, tell me how to patch it in the cisco ASA 5585 with the OS of 9.4.1

Regards,

G.Pitchaimani

Aditya Ganjoo · ‎05-24-2016

Hi,

Cisco ASA running release 9.0 or later may be affected by the following vulnerabilities.

Exposure is not configuration dependent.

Padding oracle in AES-NI CBC MAC check CVE-2016-2107

Memory corruption in the ASN.1 encoder CVE-2016-2108

ASN.1 BIO excessive memory allocation CVE-2016-2109

The ASA is not affected by the following vulnerabilities:

EVP_EncodeUpdate overflow CVE-2016-2105

EVP_EncryptUpdate overflow CVE-2016-2106

EBCDIC overread CVE-2016-2176

So while the ASA is not affected by the last 3, it may be affected by the first 3. There is no fixed version available yet but its being tracked via a Sev2 defect, so we should have the fix soon:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz52474/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts and mark correct answers.

pitchaimani.kamal · ‎05-26-2016

Hi, Ok. So, when shall i expect the updates for these vulnerabilities Regards, G.Pitchaimani

Aditya Ganjoo · ‎05-26-2016

Hi,

This being a Severity 2 bug expect a fix soon on this.

Apologies but I do not have an exact ETA for this.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

pitchaimani.kamal · ‎06-01-2016

Hi,

Is there any patch came for these vulnerabilities.

Regards,

G.Pitchaimani

pitchaimani.kamal · ‎06-13-2016

Hi,

Is there any update on OpenSSL vulnerabilities. Is there any patch available for OpenSSL Vulnerabilities.

Regards,

G.Pitchaimani

Aditya Ganjoo · ‎06-13-2016

Hi,

The bug has been resolved and the fixed versions are listed in the bug details.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz52474/?reffering_site=dumpcr

You can upgrade to the fixed versions to overcome this bug impact.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

firewall