Tommy Alexander
Cisco Employee

In response to the SSL inline renegotiation vulnerability, Microsoft has published two security updates:

http://support.microsoft.com/kb/977377

http://support.microsoft.com/kb/980436 - This one is installed automatically by Windows Update.

This is explained in more detail in the following security bulletin from Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx

These updates disable SSL renegotiation and also add a TLS renegotiation extension to the Client Hello, which causes SSL servers such as the VPN 3000 concentrator to fail the SSL handshake.

Symptoms

1) The SSLVPN client (not the AnyConnect client) fails to connect after the security update is installed.

    This affects connections to the ASA, the Cisco VPN 3000 concentrator, and IOS routers.

    ASA users can upgrade from the SSL VPN client to AnyConnect, which should resolve this issue.

2) A clientless WebVPN session from a browser fails to an ASA headend running 8.2.1 to 8.2.1.15 when client certificate authentication is enabled and the above security updates are installed.

3) AnyConnect weblaunch also fails, because clientless WebVPN fails.

Workarounds

1) Upgrade the client to the AnyConnect client if using an ASA as the headend device. The VPN 3000 concentrator does not support AnyConnect. An IOS headend can be upgraded to 12.4(15)T or later, which supports AnyConnect.

2) Per http://support.microsoft.com/kb/980436, you can add this DWORD value to the Windows registry and set it to a non-zero value to enable the SSLVPN client (SVC 1.x) functionality:


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL


DWORD: UseScsvForTls  Value:  non-zero (I used 1)  Effect:  Client sends SCSV for TLS protocol

This only disables use of the TLS renegotiation extension in the SSL hello. It is a workaround for the 3000 concentrator, which does not support the AnyConnect product.

3) For the Cisco SSLVPN client, remove the Microsoft security update above. This should be done at your own risk; the machine will be vulnerable as per the security bulletin.

Resolution

1) For clientless and weblaunch of AnyConnect not working when using client-side certificates in 8.2.x versions, upgrade to the latest 8.2.x version. The version should be 8.2.1.16 or later, such as 8.2.2 or 8.2.3. This has the fix for bug CSCtd00697: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd00697

2) For the VPN 3000 concentrator and SSL VPN client, as the product is end of software maintenance, the only option is to upgrade to a headend that supports AnyConnect, such as an ASA or IOS router.

Comments
Josh Peters
Level 1

Would this also affect VPN 3000 Series WebVPN client? We are having several users now reporting issues with their SSL VPN since the last MS Update on Tuesday.

Josh Peters
Level 1

I have confirmed this does also affect the WebVPN SSL Client in the Cisco 3000 Series VPN concentrator.

Tommy Alexander
Cisco Employee

Yes, it will also affect the 3000 concentrator with the Cisco SSL VPN Client.

Unfortunately, at this time, as the 3000 concentrator has already reached end of software maintenance, no new fixes will be available.

The only current option is to remove the security update from MS.

Tommy Alexander
Cisco Employee

Please check the new workaround with registry settings - this should be a fair compromise without being vulnerable.

Josh Peters
Level 1

OK. I'm testing the new workaround now. Thanks for the update.
