cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9029
Views
0
Helpful
4
Replies

Sweet32 vulnerability workaround on Cisco ASA 5500

jackwabbit703
Level 1
Level 1

I failed PCI scan this month. Sweet32 vulnerability.

Testing SSL server 24.xxx.xxx.130 on port 443

Supported Server Cipher(s):
Accepted TLSv1 112 bits DES-CBC3-SHA

Currently I only have aes256 and 3des-sha1 active for ssl. If remove 3des-sha1, ASDM is not available.

Any work around? Thanks

4 Replies 4

dimayouN2
Level 1
Level 1

I did failed PCI scan with sweet32 bug

Here is what I did for my ASA 5516x to pass the PCI scan for the sweet32  ; as described on CVE the Sweet32 vulnerability is  on  TLS using small size block cipher of 64 bit size; so I have forced  the asa to use stronger Cipher with large block size on tls :

here is the command I ran to force it

(config)#ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

The client and the asa did negotiate on aes256 making anyconnect connection and the PCI scan passed.

For the ASDM you might want see if you can updated it on your ASA to get it working with this change.

Let me know if that helped

Thanks

Younes

Thanks for the no nonsense easy work around.

appreciate it.

Thanks

Keith

walker.matt
Level 1
Level 1

I found that my version of ASDM was using DHE-RSA-AES128-SHA if that was being offered.  I am running ASDM version 7.5(2)153.  

Removing the DES and 3DES choices but leaving one that is acceptable to ASDM clears the SWEET32 vulnerability.  I am sure there are other acceptable versions of ASDM.  Wireshark is your friend.

Farhan Mohamed
Cisco Employee
Cisco Employee

I found that my version of ASDM was using DHE-RSA-AES128-SHA if that was being offered.  I am running ASDM version 7.5(2)153.  

Removing the DES and 3DES choices but leaving one that is acceptable to ASDM clears the SWEET32 vulnerability.  I am sure there are other acceptable versions of ASDM.  Wireshark is your friend.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: