03-22-2017 11:58 PM - edited 03-12-2019 02:06 AM
After the scan finished for the Vulnerability Management Report, I found these notes:
Cisco Catalyst / Cisco PIX 7.x / Cisco ASA Firewall / Juniper Networks Application Acceleration Platform DX | 38498 | Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode | 2 | 500 | udp | CVE-2002-1623 | 4.3 | yes
Cisco IOS 11-15 | 42395 | Encrypted Management Interfaces Accessible On Cisco Device | 2 | 5.2 | yes
To be honest, I am not that good with Cisco. Can you help me with this :)?
03-23-2017 12:35 AM
The vulnerability listing sounds like you are using an old EZVPN setup on your ASA. That's very old technology and as long as you keep using that you will have that vulnerability.
You should migrate to the current SSL VPN (AnyConnect type) to mitigate those vulnerabilities.
If you aren't using EZVPN, it could be a false positive, as most site-to-site VPNs use Main Mode rather than Aggressive Mode. An external scan is not able to tell which is in use, only that the ASA is listening on certain UDP ports (udp/500 in this case), and they infer that you are potentially vulnerable as a result.
03-23-2017 01:46 AM
Thank you for this perfect answer :). In fact I am using an ASA 5100; it's an old one.
And allow me this silly question: how do I check if the VPN is EZVPN? :) :)
And one more thing: what about the second point, "Encrypted Management Interfaces Accessible On Cisco Device"?
Really, really, thank you.
03-23-2017 02:49 AM
An EZVPN configuration will have a line like "nem enable" under the group-policy ("show run group-policy") if the ASA is a server. If it acts as a client, it will have configuration lines with "vpnclient" ("show run vpnclient"). In either of those cases, you have to use Aggressive Mode, which is considered vulnerable.
If it has neither, then it's just a normal IPsec headend and you can disable Aggressive Mode (AM), though it may still show as a false positive, since the scan is only probing for ports and not actually negotiating a VPN and seeing that AM is disabled.
The second vulnerability is usually related to the first. However, since they did not give you a specific CVSS to confirm, it's a bit ambiguous.
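The checks described in the answer above, as an added example that is not part of the original thread: a small Python script that reads saved "show run" output offline and reports whether the ASA is an EZVPN server ("nem enable" under a group-policy), an EZVPN hardware client ("vpnclient" lines), whether IKEv1 is enabled on an interface, and whether Aggressive Mode has been disabled. The two running-config samples, the IP address and the group-policy names are constructed for the example; the config keywords ("crypto ikev1 enable", "crypto ikev1 am-disable" on 8.4+, "crypto isakmp am-disable" on earlier releases) are real ASA syntax.

```python
import re

# Constructed sample of "show run" output (not from the thread). It contains an
# EZVPN server group-policy next to an ordinary site-to-site tunnel, so the
# check has something to find.
SAMPLE_RUNNING_CONFIG = """\
ASA Version 8.4(7)
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 vpn-tunnel-protocol ikev1
 nem enable
group-policy SITE_GP internal
group-policy SITE_GP attributes
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# The same headend after the EZVPN group-policy was removed and Aggressive Mode
# disabled (also constructed for the example).
HARDENED_RUNNING_CONFIG = """\
ASA Version 8.4(7)
crypto ikev1 enable outside
crypto ikev1 am-disable
group-policy SITE_GP internal
group-policy SITE_GP attributes
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.10 type ipsec-l2l
"""

GROUP_POLICY_ATTR = re.compile(r"^group-policy (\S+) attributes\s*$")
IKEV1_ENABLE = re.compile(r"^crypto (?:ikev1|isakmp) enable (\S+)\s*$")
AM_DISABLE = re.compile(r"^crypto (?:ikev1|isakmp) am-disable\s*$")

VERDICT_TEXT = {
    "ezvpn": "EZVPN in use: Aggressive Mode is required, so the finding is real. "
             "Migrate the remote-access piece (e.g. to AnyConnect) before it can be closed.",
    "am-enabled": "No EZVPN found but IKEv1 is enabled and Aggressive Mode is still allowed: "
                  "add 'crypto ikev1 am-disable' (or 'crypto isakmp am-disable' on pre-8.4).",
    "am-disabled": "IKEv1 enabled with Aggressive Mode disabled: treat the udp/500 finding as "
                   "a false positive (the scanner only sees the open port).",
    "no-ikev1": "IKEv1 is not enabled on any interface; udp/500 should not be listening.",
}


def group_policies_with_nem(config):
    """Names of group-policies whose attribute block contains 'nem enable'
    (network extension mode, i.e. the ASA is an EZVPN server)."""
    names, current = [], None
    for line in config.splitlines():
        m = GROUP_POLICY_ATTR.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None  # a non-indented line ends the attribute block
            continue
        if current and line.strip() == "nem enable" and current not in names:
            names.append(current)
    return names


def audit_ezvpn(config):
    """Classify a running-config with respect to the IKE Aggressive Mode finding."""
    lines = [l.rstrip() for l in config.splitlines()]
    server_gps = group_policies_with_nem(config)
    # 'vpnclient server ...', 'vpnclient enable' etc. mean the ASA is an EZVPN hardware client
    client = any(l.startswith("vpnclient ") for l in lines)
    ikev1_ifaces = []
    for l in lines:
        m = IKEV1_ENABLE.match(l)
        if m:
            ikev1_ifaces.append(m.group(1))
    am_disabled = any(AM_DISABLE.match(l) for l in lines)

    if server_gps or client:
        verdict = "ezvpn"
    elif ikev1_ifaces and not am_disabled:
        verdict = "am-enabled"
    elif ikev1_ifaces:
        verdict = "am-disabled"
    else:
        verdict = "no-ikev1"
    return {
        "ezvpn_server_group_policies": server_gps,
        "ezvpn_client": client,
        "ikev1_enabled_interfaces": ikev1_ifaces,
        "aggressive_mode_disabled": am_disabled,
        "verdict": verdict,
        "message": VERDICT_TEXT[verdict],
    }


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_RUNNING_CONFIG), ("hardened", HARDENED_RUNNING_CONFIG)):
        r = audit_ezvpn(cfg)
        print(f"{name}: {r['verdict']} - {r['message']}")
```

Run it against a file captured with "show run" (copy the text into the script or read it from disk) rather than against the device. Even after "am-disable" is in place, the external scanner will keep reporting udp/500, so the output here is what you attach to the ticket as the justification for marking the finding a false positive.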