cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2193
Views
0
Helpful
4
Replies

Old Cisco ASA 5505 fix for CVE-2018-0101

Atilgod
Level 1
Level 1

A short scan was done on the basis of the CVE 2018-01010. An old cisco ASA 5505 has emerged.

This has not been updated for a while. Its currently running for more than four years.

Currently running on IOS 8.4 (4) and ASDM 6.4 (9)

We are not entirely sure of the upgrade path.

As far as we have found:
IOS 8.4 (4) to 9.0 (4) to 9.1.7 (151)

However, we are not sure if IOS 9.1.7 (151) is the highest version of the fix for CVE 2018-01010?

Is this correct IOS version or is there a newer (intermidiate) version for this issue?

4 Replies 4

yogdhanu
Cisco Employee
Cisco Employee

Hi Ame,

This link would be helpful.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

It has all the software releases which has fix.

You can also read the blog here.

https://blogs.cisco.com/security/cve-2018-0101

Hope it helps,

Yogesh

Mark DeLong
Level 4
Level 4

Hey Arne,

You're on the right path. The classic series of ASA's (5500 rather than 5500-X) can't be upgraded past 9.1.7 as that is the last code supported on these models. Also, the 9.1.7 train is the only one Cisco is currently maintaining for these older ASA's. Cisco is only maintaining 9.1.7 to add interim release's to fix vulnerabilities. (An interim release is denoted by the fourth number place in the version. So 9.1.7.5 would be 9.1.7 Interim 5. Sometimes it is shown as 9.1.(7)5. Same thing.) So for any classic ASA you will have to upgrade to a 9.1.7.X release to get a fix for any new vulnerabilities.

That said, as seen in the link to the vulnerability below, 9.1.7 interim 23 (or 9.1.7.23) is the appropriate fixed code for this vulnerability. It is also the newest interim available. I have not seen an interim 150 (or 9.1.7.150) released. I'm not sure where you saw that mentioned.

Your upgrade path as per the release notes should be:

8.4.4 to 9.0.4 to 9.1.7

That said, if it was my ASA, I would be tempted to just take a backup of the cofig and try to upgrade right to 9.1.7. And just rollback if I had any issues. To my knowledge there are not many syntax changes between these versions (8.3 was where most major changes in config syntax occurred in the classic ASA code as that is where they changed the NAT system and added Real IP).

But if you want to go the safe path and follow the release note path that is fine as well.

Due to this vulnerability, I have been upgrading a lot of classic and next gen ASA's. On the classics I have done 8.4 and 9.0 to 9.1.7.23 and haven't had any issues except for a really old 5505 dying on reboot but that was a hardware failure.

I put the ASA upgrade guide below to help you out.

Oh and while your at it you will need to upgrade your ASDM image to 7.5.2 or higher to support 9.1.7.X (as seen in the ASA compatibility guide I linked below). As they are currently maintaining this train you should be able to go to the newest ASDM if you want (7.9.X). Cisco doesn't make software recommendations for ASDM. Instead they just recommend going to the newest. But anywhere between 7.5.2 to 7.9.X should work for you. If the newest ones don't work just back track a little. Could be possible that the newest doesn't work as 5505's are legacy.

Release notes, Upgrade Path: Release Notes for the Cisco ASA Series, 9.1(x) - Cisco

Vulnerability, Fixed Software, Fixed Releases section: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

ASA Upgrade Guide: Cisco ASA Upgrade Guide - Upgrade the ASA Appliance or ASAv [Cisco ASA 5500-X Series Firewalls] - Cisco

ASA Compatibility Guide, Check 9.1 to 9.2 ASA and ASDM Compatibility Section: Cisco ASA Compatibility - Cisco

Thanks!

Mark

Atilgod
Level 1
Level 1

Yogesh and Mark, thanks this will help us a lot.

It helped us to finalize our change plan.


Thanks,

Arne

Thanks, Arne! Make sure to pick "Correct" and "Helpful" answers. It helps those of us who live for fake internet points. Also, it helps users that are searching for answers find the right ones. And it lets those of us who answer questions know this one is already answered.

Thanks!

Mark

Review Cisco Networking for a $25 gift card