10-25-2016 09:56 AM - last edited on 03-25-2019 05:59 PM by ciscomoderator
I failed PCI scan this month. Sweet32 vulnerability.
Testing SSL server 24.xxx.xxx.130 on port 443
Supported Server Cipher(s):
Accepted TLSv1 112 bits DES-CBC3-SHA
Currently I only have aes256 and 3des-sha1 active for ssl. If I remove 3des-sha1, ASDM is not available.
Any work around? Thanks
11-02-2016 12:45 PM
I did fail the PCI scan with the sweet32 bug.
Here is what I did for my ASA 5516x to pass the PCI scan for sweet32; as described in the CVE, the Sweet32 vulnerability is in TLS using a small block cipher with a 64-bit block size, so I forced the ASA to use stronger ciphers with a larger block size on TLS:
Here is the command I ran to force it:
(config)#ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
The client and the ASA negotiated aes256 when making the AnyConnect connection, and the PCI scan passed.
For ASDM you might want to see if you can update it on your ASA to get it working with this change.
Let me know if that helped
Thanks
Younes
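The two replies above boil down to one rule: Sweet32 is about the block size of the bulk cipher, so any suite whose bulk cipher has a 64-bit block (DES, 3DES / DES-CBC3) has to go, while a suite the management client can still negotiate has to stay, or ASDM is locked out as in the opening post. The script below is an added example, not code from this thread or from Cisco: it classifies cipher names as they appear both in the scanner output quoted above and in the ASA `ssl encryption` keyword list, flags the 64-bit ones in a scan report, and builds the hardened keyword list while refusing to produce one that leaves the client with nothing. The sample scan text, the documentation IP address and the `ASDM_SUITES` set (which assumes an ASDM build that negotiates DHE-RSA-AES128-SHA or 3DES, as one reply observed) are constructed for the example.

```python
"""Sweet32 helper for Cisco ASA 'ssl encryption' lists.

Added example, not code from the Cisco Community thread or from Cisco.
Assumptions: scanner lines follow the "Accepted TLSv1 112 bits DES-CBC3-SHA"
shape seen in the thread, and ASA cipher keywords use the names shown there
(3des-sha1, aes128-sha1, aes256-sha1, dhe-aes128-sha1, dhe-aes256-sha1).
"""
import re
from typing import Optional

# Block size (bits) of the bulk cipher, keyed on the algorithm token that
# appears in both OpenSSL-style suite names (DES-CBC3-SHA, DHE-RSA-AES128-SHA)
# and ASA keywords (3des-sha1, dhe-aes128-sha1). Sweet32 is about the 64-bit
# rows: after roughly 2^32 blocks under one key, CBC block collisions start
# leaking plaintext, and AES's 128-bit block pushes that far out of reach.
BLOCK_BITS = {"des": 64, "3des": 64, "aes128": 128, "aes256": 128}

# One scanner result line: status, protocol, key bits, suite name.
SCAN_LINE = re.compile(r"^\s*(Accepted|Preferred)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)")


def bulk_cipher(suite: str) -> Optional[str]:
    """Name the bulk (symmetric) cipher of a suite, or None if unrecognised."""
    s = suite.lower()
    if "des-cbc3" in s or "3des" in s:
        return "3des"
    # Single DES: require a non-alphanumeric (or start) before "des" so that
    # "3des" cannot match here.
    if re.search(r"(?:^|[^a-z0-9])des(?:[^a-z0-9]|$)", s):
        return "des"
    m = re.search(r"aes(128|256)", s)
    return f"aes{m.group(1)}" if m else None


def block_bits(suite: str) -> Optional[int]:
    """Block size in bits, or None for suites this helper does not classify."""
    return BLOCK_BITS.get(bulk_cipher(suite))


def sweet32_findings(scan_output: str) -> list:
    """Return (protocol, suite) for every accepted suite with a 64-bit block."""
    hits = []
    for line in scan_output.splitlines():
        m = SCAN_LINE.match(line)
        if m and block_bits(m.group(4)) == 64:
            hits.append((m.group(2), m.group(4)))
    return hits


def harden_ssl_encryption(current: list, client_suites: set) -> list:
    """Drop 64-bit block ciphers from an ASA 'ssl encryption' keyword list.

    client_suites: ASA keywords the management client (ASDM) can negotiate.
    Raises ValueError instead of returning a list that would lock ASDM out,
    which is exactly the failure the opening post ran into.
    """
    kept = [k for k in current if block_bits(k) != 64]
    if not any(k in client_suites for k in kept):
        raise ValueError(
            f"removing 64-bit ciphers leaves {kept}, none usable by the client; "
            "add an AES suite the client supports before removing 3des-sha1"
        )
    return kept


def asa_command(keywords: list) -> str:
    """Render the config line in the form typed in the thread."""
    return "ssl encryption " + " ".join(keywords)


# Constructed sample scanner output shaped like the thread's quote (the
# address is a documentation-range address, not a real host).
SAMPLE_SCAN = """\
Testing SSL server 203.0.113.130 on port 443
Supported Server Cipher(s):
Accepted TLSv1 112 bits DES-CBC3-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA
"""

# Constructed assumption: an ASDM build that negotiates DHE-RSA-AES128-SHA
# (as one reply observed) or 3DES, written as ASA keywords.
ASDM_SUITES = {"dhe-aes128-sha1", "3des-sha1"}

if __name__ == "__main__":
    print("Sweet32 findings:", sweet32_findings(SAMPLE_SCAN))
    # The opening post's list (aes256-sha1 + 3des-sha1) is refused: dropping
    # 3des-sha1 would leave nothing this client can use.
    try:
        harden_ssl_encryption(["aes256-sha1", "3des-sha1"], ASDM_SUITES)
    except ValueError as err:
        print("refused:", err)
    # The reply's list keeps a DHE-AES suite, so the check passes.
    fixed = harden_ssl_encryption(
        ["dhe-aes256-sha1", "dhe-aes128-sha1", "aes256-sha1", "aes128-sha1", "3des-sha1"],
        ASDM_SUITES,
    )
    print(asa_command(fixed))
```

Run it as-is to see the opening post's list refused and the reply's list reduced to the four AES suites; to use it on your own box, paste your scanner's output into `SAMPLE_SCAN` and put the suite your ASDM actually negotiates (the "Wireshark is your friend" step below) into `ASDM_SUITES` before trusting the generated command.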
05-20-2017 10:44 AM
Thanks for the no nonsense easy work around.
Appreciate it.
Thanks
Keith
01-09-2017 10:43 AM
I found that my version of ASDM was using DHE-RSA-AES128-SHA if that was being offered. I am running ASDM version 7.5(2)153.
Removing the DES and 3DES choices but leaving one that is acceptable to ASDM clears the SWEET32 vulnerability. I am sure there are other acceptable versions of ASDM. Wireshark is your friend.