10-21-2014 08:04 AM - edited 03-11-2019 09:57 PM
ASA evaluation of SSLv3 POODLE vulnerability at https://tools.cisco.com/bugsearch/bug/CSCur23709 only mentions ASA 5500-X but not ASA 55xx appliances and ASA SM. Does this mean ASA 55xx appliances and ASA SM are not affected by the vulnerability?
10-21-2014 08:35 AM
They use the term "Cisco ASA 5500-X Series Next-Generation Firewalls" in a generic sense. Given that the known affected versions include ASA 8.2, 8.3 and 8.4 software (which run on the legacy ASA 5500s), then I'd say yes it includes the ASA 5500 (non-X) series.
The actual security vulnerability announcement confirms that the vulnerability applies to the software - not necessarily the hardware platform per se.
Given that the ASA Service Module code base is based on the affected software (even though they are silent re 8.5 which you could be running on the ASA SM) I'd say it would be a good idea to mitigate that platform as well if you have it.
10-21-2014 09:24 AM
Marvin,
Thank you for your quick and insightful response.
I agree with your recommendations.
Nathan
10-23-2014 12:58 PM
Hello,
are these versions affected?
asa 9.3(1)
asa 9.1(3)
fwsm 4.1(15)
10-23-2014 01:04 PM
I can't say for sure as those software versions aren't specifically named in the BugID for this vulnerability.
In any case, the workaround to mitigate it is simple enough so you can just go ahead and deploy:
ssl client-version tlsv1-only
ssl server-version tlsv1
There's no adverse impact to any other services on the system.
10-23-2014 03:16 PM
The workaround happens to not be applicable for the version I'm running. The vulnerability could affect an ASA if "A block cipher in CBC mode is one of the transform sets being offered".
How do I know if a block cipher in CBC mode is one of the transform sets I have configured? I cannot find any further details from Cisco regarding this.
Cheers,
Jnomm
10-29-2014 01:00 PM
jnommensen,
What version are you running on your ASA?
ssl client-version and ssl server-version were both introduced in 7.0(1) quite some time ago...
The way I understand it...
If your ASA acts as an https server for downloading AnyConnect software to VPN users, or if you use clientless VPN or ASDM -and- if you have ssl server-version any, then you are at risk due to the client's browser negotiating down to SSLv3.
Hope this helps.
Tim
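A defender-side way to answer Jnomm's question from the running config rather than from a scan: the script below checks an ASA config excerpt for the two POODLE preconditions discussed above (SSLv3 still negotiable, a CBC block cipher still offered). It is an added example, not Cisco tooling; it assumes the pre-9.3 `ssl encryption` cipher tokens and that the implicit default for both version commands is `any`, and the sample configs are constructed.

```python
"""Audit an ASA running-config excerpt for the POODLE preconditions
discussed in the thread. Added example, not Cisco tooling."""
import re

# ASA `ssl encryption` cipher tokens (8.x/9.0 syntax). The first four are
# block ciphers in CBC mode; rc4-* are stream ciphers (not CBC).
CBC_CIPHERS = {"3des-sha1", "aes128-sha1", "aes256-sha1", "des-sha1"}
# Assumption: the factory default cipher list includes the CBC ciphers.
DEFAULT_CIPHERS = ["3des-sha1", "aes128-sha1", "aes256-sha1",
                   "rc4-sha1", "rc4-md5", "des-sha1"]
# Version keywords that still allow SSLv3 to be negotiated.
SSLV3_VERSIONS = {"any", "sslv3"}


def audit_ssl(config: str) -> dict:
    """Return which POODLE preconditions the config leaves open."""
    # Assumption: when the commands are absent the ASA defaults to `any`.
    settings = {"server": "any", "client": "any", "ciphers": DEFAULT_CIPHERS}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ssl (server|client)-version (\S+)$", line)
        if m:
            settings[m.group(1)] = m.group(2)
            continue
        m = re.match(r"ssl encryption (.+)$", line)
        if m:
            settings["ciphers"] = m.group(1).split()
    cbc = sorted(c for c in settings["ciphers"] if c in CBC_CIPHERS)
    server_sslv3 = settings["server"] in SSLV3_VERSIONS
    client_sslv3 = settings["client"] in SSLV3_VERSIONS
    return {
        "server_sslv3": server_sslv3,
        "client_sslv3": client_sslv3,
        "cbc_ciphers": cbc,
        # Server-side exposure needs both SSLv3 and a CBC cipher on offer.
        "poodle_exposed": server_sslv3 and bool(cbc),
    }


# Constructed sample configs: the weak one as found, the fixed one using
# the commands recommended earlier in the thread.
WEAK_CONFIG = """ssl server-version any
ssl client-version any
ssl encryption 3des-sha1 aes128-sha1 rc4-sha1"""
FIXED_CONFIG = """ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption 3des-sha1 aes128-sha1 rc4-sha1"""
```

Note that the fixed config still offers CBC ciphers; it is the removal of SSLv3 that closes the POODLE exposure, which is why the script reports the version setting and the cipher list separately.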
11-12-2014 08:23 AM
Hello. I have these 2 commands running
ssl server-version tlsv1-only
ssl client-version tlsv1-only
But when I run this tool https://www.ssllabs.com the vulnerability is still there...
Cisco ASA 5520 9.0(1)
Thanks
11-03-2014 10:43 AM
The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.
Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.
Finally, there is no indication of when a fixed release might be available. Can you comment?
11-04-2014 02:07 PM
Does anyone know if the Cisco ASA 9.1(5) is affected? Device Type: 5525.
Where do I get this information?
Thank you.
11-04-2014 03:09 PM
Yes, it is.
Please refer to the link I provided earlier and, in that page, under affected products you can see a follow-on link to the actual BugID for the ASA (cisco.com login required).
11-05-2014 12:43 PM
Are you sure? I see nothing that indicates v9.1(5) is vulnerable, only v9.1(1). Some clarity would be nice on this topic, as earlier in this thread you agree that because 9.1(3) isn't mentioned you can't say for sure if it's vulnerable. Then to the question of v9.1(5) you agree it is.
11-06-2014 08:18 AM
Cisco has updated the BugID since my original posting to indicate the ASA vulnerability applies to "9.1.2 and later".
11-06-2014 08:21 AM
Yep, I had opened a ticket last night specifically mentioning the advisory and received confirmation. Glad they updated the article! :)
"Yes, the ASA version 9.1.5 is vulnerable. The fixed release is ASA version 9.2(2.103) and 9.3(1.1). So any versions before these versions are vulnerable."