cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12653
Views
4
Helpful
13
Replies

POODLE vulnerability - Are ASA 5500's and ASA SM unaffected?

Nathan Kim
Level 1
Level 1

ASA evaluation of SSLv3 POODLE vulnerability at https://tools.cisco.com/bugsearch/bug/CSCur23709 only mentions ASA 5500-X but not ASA 55xx appliances and ASA SM. Does this mean ASA 55xx appliances and ASA SM are not affected by the vulnerability?

13 Replies 13

Marvin Rhoads
Hall of Fame
Hall of Fame

They use the term "Cisco ASA 5500-X Series Next-Generation Firewalls" in a generic sense. Given that the known affected versions include ASA 8.2, 8.3 and 8.4 software (which run on the legacy ASA 5500s), then I'd say yes it includes the ASA 5500 (non-X) series.

The actual security vulnerability announcement confirms that the vulnerability applies to the software - not necessarily the hardware platform per se.

Given that the ASA Service Module code base is based on the affected software (even though they are silent re 8.5 which you could be running on the ASA SM) I'd say it would be a good idea to mitigate that platform as well if you have it.

Marvin,

Thank you for your quick and insightful response.

I agree with your recommendations.

Nathan

 

Hello,

are these versions affected?

 

asa                         9.3(1)    
asa                         9.1(3)    
fwsm                      4.1(15)

I can't say for sure as those software versions aren't specifically named in the BugID for this vulnerability.

In any case, the workaround to mitigate it is simple enough so you you can just go ahead and deploy:

ssl client-version tlsv1-only
ssl server-version tlsv1

There's no adverse impact to any other services on the system.

The work around happens to not be applicable for the version I'm running.  The vulnerability could affect an ASA if "A block cipher in CBC mode is one of the transform sets being offered".  

How do I know if a block cipher in CBC mode is one of the transform sets I have configured?  I cannot find any further details from Cisco regarding this.

 

Cheers,

Jnomm

jnommensen,

What version are you running on your ASA?

ssl client-version and ssl server-version were both introduced in 7.0(1)  quite some time ago...

The way I understand it... 

If your ASA acts as an https server for downloading AnyConnnect software to VPN Users, or if you use clientless VPN or ASDM   -and-  if you have ssl server-version any then you are at risk due to the clients browser negotiating down to SSLv3. 

Hope this helps. 


Tim

 

 

Hello. I have these 2  commands running

ssl server-version tlsv1-only
ssl client-version tlsv1-only

 

But when I run this tool https://www.ssllabs.com the vulnerability still there...

Cisco ASA 5520 9.0(1)

 

Thanks

The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.

Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.

Finally, there is no indication of when a fixed release might be available. Can you comment?

Does anyone know if the CISCO ASA 9.1(5) is affected?.  Device Type: 5525.

Where do I get this information?.

 

Thank you.

Yes, it is.

Please refer t the link I provided earlier and, in that page, under affected products you can see a follow-on link to the actual BugID for the ASA (cisco.com login required).

Are you sure?  I see nothing that indicates v9.1(5) is vulnerable, only v9.1(1).  Some clarity would be nice on this topic as earlier in this thread you agree that because 9.1(3) isn't mentioned you can't say for sure if it's vulnerable.  Then to the question of v9.1(5) you agree it is..

Cisco has updated the BugID since my original posting to indicate the ASA vulnerability applies to " 9.1.2 and later".

Reference

Yep, I had opened a ticket last night specifically mentioning the advisory and received confirmation.  Glad they updated the article! :)

"Yes, the ASA version 9.1.5 is vulnerable. The fixed release is ASA version 9.2(2.103) and 9.3(1.1). So any versions before these versions are vulnerable."

Review Cisco Networking for a $25 gift card