Vulnerability Scanning Mitigation needed

Poo17 · ‎05-10-2021

Hello,

Can anyone please tell me the solution for mitigating the cisco ASA 5525 vulnerabilities?

FACTOR NAME

ISSUE TYPE TITLE

ISSUE TYPE CODE

Network Security	Certificate Without Revocation Control	tlscert_no_revocation
Network Security	Certificate Without Revocation Control	tlscert_no_revocation
Network Security	Certificate Lifetime Is Longer Than Best Practices	tlscert_excessive_expiration
Network Security	Certificate Lifetime Is Longer Than Best Practices	tlscert_excessive_expiration
Network Security	Certificate Signed With Weak Algorithm	tlscert_weak_signature
Network Security	Certificate Signed With Weak Algorithm	tlscert_weak_signature

Marvin Rhoads · ‎05-10-2021

If the certificate in question is the identity certificate used by SSL VPN clients, then replace it with a proper certificate issued by a public CA.

Poo17 · ‎05-10-2021

Hi Marvin,

Thank you for your reply. I am trying to decommission the SSL VPN because that service is not in use anymore. How can I do that?

Thank you!

Marvin Rhoads · ‎05-11-2021

If you want to shut it down, you can just remove the service from the outside interface:

conf t
webvpn
disable outside <assuming that's your public interface name>
end
wr mem

There is more involved to thoroughly clean up the configuration but the first step will remove the certificate from being exposed to the vulnerability scanning.