Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
512
Views
5
Helpful
2
Replies

POODLE attack

Ramesh Babu
Level 1
Level 1

‎11-22-2016 03:14 AM - edited ‎03-12-2019 01:34 AM

Dear Team,

Our device we identified poodle attack vulnerable, hence kindly advice me to which ios i needs to upgrade ?

Currently Running : asa825-k8.bin | Adaptive Security Appliance Software Version 8.2(5) | ASA5510

Waiting for your reply.

Thanks & Regards,

Ramesh Babu.A.

Labels:
0 Helpful
2 Replies 2

JP Miranda Z
Cisco Employee
Cisco Employee

‎11-24-2016 05:07 PM

Hi Ramesh,

This links is definitely going to help you:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118780-technote-asa-00.html

Solution

Cisco has implemented these solutions to this problem:

  1. All versions of AnyConnect that previously supported (negotiated) SSLv3 have been deprecated and the versions available for download (both v3.1x and v4.0) will not negotiate SSLv3 so they are not susceptible to the issue.

  2. The ASA's default protocol setting has been changed from SSLv3 to TLSv1.0 so that as long as the incoming connection is from a client that supports TLS, that is what will be negotiated.

  3. The ASA can be manually configured to accept only specific SSL protocols with this command:

    ssl server-version

    As mentioned in solution 1, none of the currently supported AnyConnect clients negotiate SSLv3 anymore, so the client will fail to connect to any ASA configured with either of these commands: 
    ssl server-version sslv3
    ssl server-version sslv3-only

    However, for deployments that use the v3.0.x and v3.1.x AnyConnect versions that have been deprecated (which are all AnyConnect build versions PRE 3.1.05182), and in which SSLv3 negotiation is specifically used, the only solution is to eliminate the use of SSLv3 or consider a client upgrade.

  4. The actual fix for POODLE BITES (Cisco bug ID CSCus08101) will be integrated into the latest interim release versions only. You can upgrade to an ASA version that has the fix to solve the problem. The first available version on Cisco Connection Online (CCO) is Version 9.3(2.2). 

    The first fixed ASA software releases for this vulnerability are as follows:
    • 8.2 Train:   8.2.5.55
    • 8.4 Train:   8.4.7.26
    • 9.0 Train:   9.0.4.29
    • 9.1 Train:   9.1.6
    • 9.2 Train:   9.2.3.3
    • 9.3 Train:   9.3.2.2

TLSv1.2

  • The ASA supports TLSv1.2 as of software version 9.3(2).
  • AnyConnect Version 4.x clients all support TLSv1.2.

This means:

  • If you use Clientless WebVPN, then any ASA that runs this version of software or higher can negotiate TLSv1.2.

  • If you use the AnyConnect client, in order to use TLSv1.2, you will need to upgrade to Version 4.x clients.

Hope this info helps!!

Rate if helps you!! 

-JP-

Shao-Yu Chen
Level 1
Level 1
In response to JP Miranda Z

‎04-05-2018 06:30 AM

Thank you JP. This is very helpful.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card