vulnerabilities associated with ASA 5520

mahesh18
Level 6

Hi everyone,

Scan results show that the ASA 5520 config for IPsec and AnyConnect IKEv2 has the following vulnerability:

Medium strength ciphers supported: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

The ASA is not using SSL AnyConnect.

SSL config on the ASA:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint0 outside
  anyconnect ssl dtls enable
  anyconnect ssl keepalive none
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect ssl compression deflate
vpn-tunnel-protocol ikev1 ssl-client

To fix this, do I need to remove the config "anyconnect ssl dtls enable"?

Also, FIPS is currently not enabled on the ASA. Should I enable it to get rid of the scan results?

Regards

Mahesh

7 Replies

nkarthikeyan
Level 7

Hi Mahesh,

It seems that there are still no updates from Cisco against this vulnerability. They will release a new version of the OS after fixing it. You can go through the link below for details.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Regards

Karthik

With the following line in your config

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5

you are running ciphers that are weak. You should remove any rc4 and des ciphers. If compatibility permits it, you could also remove 3des as a legacy algorithm.

Depending on your version you could also enable the ciphers "dhe-aes128-sha1" and "dhe-aes256-sha1".

DTLS has nothing to do with this.


Hi Karsten,

I checked my ASA; I have the options below:

ssl encryption aes256-sha1 ?

configure mode commands/options:
  3des-sha1        Indicate use of 3des-sha1 for ssl encryption
  aes128-sha1      Indicate use of aes128-sha1 for ssl encryption
  des-sha1         Indicate use of des-sha1 for ssl encryption
  dhe-aes128-sha1  Indicate use of dhe-aes128-sha1 for ssl encryption
  dhe-aes256-sha1  Indicate use of dhe-aes256-sha1 for ssl encryption
  null-sha1        Indicate use of null-sha1 for ssl encryption (NOTE: Data is NOT encrypted if this cipher is chosen)
  rc4-md5          Indicate use of rc4-md5 for ssl encryption
  rc4-sha1         Indicate use of rc4-sha1 for ssl encryption

So will the config below take care of all the weak ciphers?

5520(config)# ssl encryption aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1

And can I do this on the fly, as it should not cause any outage?

Can I simply remove the current ssl encryption config and replace it with the config above?

Best Regards

Mahesh


Yes, just set the new cipher string and you are ready. I didn't test that, but I would assume that any running connection with a removed cipher *could* get disconnected. But you don't want them anyway, and when they reconnect they will pick one of the better ciphers.


Hi Karsten,

Many thanks for answering my post.

It was pretty hard for me to find an answer for this on the internet.

Best Regards

Mahesh

Another config that I forgot, but that could also be found by an assessment, is the accepted SSL/TLS version of the ASA. This is the default:

asa# sh run all ssl
ssl server-version any

Here you should change the setting to only accept TLSv1:

ssl server-version tlsv1-only

At least on up-to-date operating systems I haven't seen any compatibility issues with that.
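The scanner criterion quoted in the question (medium strength = key length at least 56 and below 112 bits) and the two fixes given in this thread (drop the rc4 and des ciphers, add the dhe suites if the image has them, and pin the accepted TLS version) can be turned into a small audit script that reads the ASA output and prints the commands to paste back. The script below is an added example by the editor, not code from the thread or from Cisco. It embeds the "show run all ssl" lines and the "ssl encryption ?" listing shown above as constructed input, assumes the keywords map to the nominal key sizes of DES (56 bits), 3DES (168 nominal, about 112 effective), RC4 (128) and AES, and flags RC4 on its own (RFC 7465 prohibits it in TLS) and 3DES as legacy, because a pure key-length rule would pass both. It emits "tlsv1-only" because that is the keyword this ASA release offers; later releases accept "tlsv1.2", which is what you would pin today.

```python
"""Audit an ASA 'ssl encryption' line the way the scanner in the thread did,
then emit the corrected commands. Added example, not code from the thread."""
import re

# Constructed input: the 'show run all ssl' lines quoted in the thread.
SHOW_RUN_ALL_SSL = """\
ssl server-version any
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint0 outside
"""

# Constructed input: the 'ssl encryption ?' listing from the thread, which
# tells us which keywords this image can actually be configured with.
SSL_ENCRYPTION_HELP = """\
configure mode commands/options:
  3des-sha1        Indicate use of 3des-sha1 for ssl encryption
  aes128-sha1      Indicate use of aes128-sha1 for ssl encryption
  des-sha1         Indicate use of des-sha1 for ssl encryption
  dhe-aes128-sha1  Indicate use of dhe-aes128-sha1 for ssl encryption
  dhe-aes256-sha1  Indicate use of dhe-aes256-sha1 for ssl encryption
  null-sha1        Indicate use of null-sha1 for ssl encryption (NOTE: Data is NOT encrypted if this cipher is chosen)
  rc4-md5          Indicate use of rc4-md5 for ssl encryption
  rc4-sha1         Indicate use of rc4-sha1 for ssl encryption
"""

# Nominal symmetric key size, in bits, behind each ASA keyword (assumption of
# this example; 3DES is 168 nominal but only about 112 effective).
KEY_BITS = {
    "null-sha1": 0, "des-sha1": 56, "3des-sha1": 168,
    "rc4-md5": 128, "rc4-sha1": 128,
    "aes128-sha1": 128, "aes256-sha1": 256,
    "dhe-aes128-sha1": 128, "dhe-aes256-sha1": 256,
}

# The scanner's thresholds as quoted in the question.
MEDIUM_MIN, STRONG_MIN = 56, 112


def parse_help(text):
    """Keywords the image offers, in the order 'ssl encryption ?' prints them."""
    return re.findall(r"^\s*(\S+)\s+Indicate use of", text, re.M)


def parse_ssl_config(text):
    """Pull the cipher list and accepted protocol version out of 'show run all ssl'."""
    cfg = {"ciphers": [], "server_version": None}
    for line in text.splitlines():
        if m := re.match(r"ssl encryption\s+(.+)", line):
            cfg["ciphers"] = m.group(1).split()
        elif m := re.match(r"ssl server-version\s+(\S+)", line):
            cfg["server_version"] = m.group(1)
    return cfg


def classify(keyword):
    """Apply the key-length rule, plus two checks that rule alone would miss:
    RC4 is prohibited for TLS (RFC 7465) despite its 128-bit key, and 3DES is
    legacy (the thread suggests dropping it where compatibility allows)."""
    bits = KEY_BITS.get(keyword)
    if bits is None:
        return "unknown"
    if bits == 0:
        return "none"            # null-sha1: no encryption at all
    if keyword.startswith("rc4"):
        return "broken"
    if keyword.startswith("3des"):
        return "legacy"
    if bits < MEDIUM_MIN:
        return "low"
    if bits < STRONG_MIN:
        return "medium"          # this is what the scanner reported for des-sha1
    return "strong"


def findings(cfg):
    """Every configured cipher that the scanner or the thread would flag."""
    return [(k, classify(k)) for k in cfg["ciphers"] if classify(k) != "strong"]


def remediation(cfg, available, keep_3des=False):
    """Commands to paste in config mode: the surviving strong ciphers in their
    original order, then any DHE suites the image offers, optionally 3DES last."""
    keep = [k for k in cfg["ciphers"] if classify(k) == "strong"]
    keep += [k for k in available if k.startswith("dhe-") and k not in keep]
    if keep_3des and "3des-sha1" in available:
        keep.append("3des-sha1")
    cmds = ["ssl encryption " + " ".join(keep)]
    if cfg["server_version"] != "tlsv1-only":
        cmds.append("ssl server-version tlsv1-only")
    return cmds


if __name__ == "__main__":
    cfg = parse_ssl_config(SHOW_RUN_ALL_SSL)
    for keyword, verdict in findings(cfg):
        print(f"{keyword:16} {verdict}")
    print("\n".join(remediation(cfg, parse_help(SSL_ENCRYPTION_HELP))))
```

Run against the thread's own output it reports 3des-sha1 as legacy, des-sha1 as medium (the one the scanner complained about) and both rc4 suites as broken, and proposes "ssl encryption aes256-sha1 aes128-sha1 dhe-aes128-sha1 dhe-aes256-sha1" followed by "ssl server-version tlsv1-only". Note that it keeps aes128-sha1, which the cipher line proposed later in the thread drops; aes128-sha1 passes the key-length rule and gives older clients without DHE support something to negotiate, while the dhe suites add forward secrecy for clients that do support them.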

 

Thanks Karsten for the update on this.

Best Regards

Mahesh

 
