
Help on ASAv with cisco-sa-20180129-asa1 vulnerability

BuHeTy
Level 1

Hi All and healthy new 2024 year!

Last week our external Qualys scanner reported that a vulnerability classified as 316187 - Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service (cisco-sa-20180129-asa1) (level 5 criticality) was detected. We had a scan for cisco-sa-20180129-asa1.

Our version of ASAv is:

Cisco Adaptive Security Appliance Software Version 9.19(1)
SSP Operating System Version 2.13(0.198)
Device Manager Version 7.19(1)

Compiled on Mon 28-Nov-22 15:50 GMT by builders
System image file is "disk0:/asa9-19-1-smp-k8.bin"

I've done some research and didn't find anyone mentioning ASA Virtual Appliances and this vulnerability.

I also didn't find our version listed as not bug-free.

We are using it as remote access SSL VPN.

Any advice and comment will be great.

Thanks!

2 Accepted Solutions

@BuHeTy the document below states this vulnerability has been fixed in versions prior to 9.9. Version 9.19 did not exist when this document was written in 2018, which is why any version since 9.10 is not explicitly referenced. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

A general recommendation would be to use the ASA hardening guide to ensure your ASA is secure. https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html#anc15
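As an added illustration (not code from this post, from Cisco, or from Qualys), the following Python helper applies the reasoning above: it parses the release from the `show version` lines quoted in the question and compares it with an advisory's first-fixed table, flagging a release train that is newer than every train the advisory lists. The first-fixed values in it are constructed placeholders, not the advisory's numbers; take the real ones from the advisory's Fixed Releases table.

```python
import re
from typing import Dict, Tuple

# ASA releases look like 9.19(1) or 9.1(7)23: major.minor(maintenance)interim
VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")

# Constructed sample input: the version lines quoted in the question.
SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.19(1)
SSP Operating System Version 2.13(0.198)
Device Manager Version 7.19(1)
"""

# PLACEHOLDER first-fixed release per train. NOT the advisory's real values;
# replace with the Fixed Releases table from cisco-sa-20180129-asa1.
FIRST_FIXED: Dict[str, str] = {"9.8": "9.8(1)0", "9.9": "9.9(1)0"}


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.1(7)23' into (9, 1, 7, 23) so releases compare as tuples."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no ASA version in {text!r}")
    major, minor, maint, interim = m.groups()
    return int(major), int(minor), int(maint), int(interim or 0)


def running_version(show_version: str) -> Tuple[int, int, int, int]:
    """Pick the ASA software release out of 'show version' output, ignoring
    the SSP and Device Manager versions that also carry x.y(z) numbers."""
    for line in show_version.splitlines():
        if line.startswith("Cisco Adaptive Security Appliance Software Version"):
            return parse_asa_version(line)
    raise ValueError("ASA software version line not found")


def assess(show_version: str, first_fixed: Dict[str, str]) -> str:
    """Classify the running release against an advisory's first-fixed table,
    keyed by train ('9.8' -> '9.8(x)y'). A train newer than every listed
    train means the advisory predates it, which is the 9.19 case above."""
    ver = running_version(show_version)
    train = f"{ver[0]}.{ver[1]}"
    if train in first_fixed:
        return "fixed" if ver >= parse_asa_version(first_fixed[train]) else "affected"
    newest_listed = max(parse_asa_version(v)[:2] for v in first_fixed.values())
    if ver[:2] > newest_listed:
        return "not listed: train is newer than every train in the advisory"
    return "not listed: older train, check the advisory for it"


if __name__ == "__main__":
    print(running_version(SHOW_VERSION), assess(SHOW_VERSION, FIRST_FIXED))
```

A scanner that keys only on the version banner cannot make this distinction, which is why a current release can still be flagged by an outdated signature.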


Ruben Cocheno
Spotlight

@BuHeTy 

Your current release is not vulnerable to this, as I had this before; your vulnerability management is likely to be outdated.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/


6 Replies


BuHeTy
Level 1

Hi,

So could the scan result be considered a false positive?

Regarding hardening we have implemented most of these requirements.

@BuHeTy I would say so as you are running one of the latest ASA versions. It depends on what the scanner was scanning for.

If you provide a sanitised copy of your config we can review and make suggestions for improvements.

I would consider this as a false positive. Is your Qualys up-to-date on its vulnerability database signatures?

--
Please remember to select a correct answer and rate helpful posts

Hi,

The Qualys scanner is not under our jurisdiction and belongs to an external company that does an audit.

I've written to them, but they don't reply. I assume they don't care, and we get level 5 criticality, which they don't like.

I've done a Qualys scan on a free-tier account and got different results:

[Screenshot: BuHeTy_1-1704437171084.png]

Which is a TLS (DTLS) related cipher suite vulnerability, not the one mentioned in their report.
