on 08-13-2010 01:21 PM
With the SSL inline renegotiation vulnerability, MS has published two security updates.
http://support.microsoft.com/kb/977377
http://support.microsoft.com/kb/980436 - This is installed automatically with windows update.
This is explained in more detail in following security bulletin from Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx
This will disable SSL re-negotiations and also add a TLS Renego extension in the client hello, with which SSL servers like the VPN 3000 concentrator will fail the SSL handshake.
Symptoms
1) The SSLVPN client (not the AnyConnect client) will fail to connect after the security update.
It affects connections to the ASA, the Cisco VPN 3000 concentrator, and IOS routers.
ASA users can upgrade from the SSL VPN client to AnyConnect, and that should resolve this issue.
2) A clientless WebVPN session from a browser will fail to an ASA headend running 8.2.1 to 8.2.1.15 when client certificate authentication is enabled and the above security updates are installed.
3) AnyConnect WebLaunch will also fail because clientless WebVPN fails.
Workarounds
1) Upgrade the client to the AnyConnect client if using an ASA as the headend device. The VPN 3000 concentrator does not support AnyConnect. An IOS headend can be upgraded to 12.4(15)T or later, which supports AnyConnect.
2) Per http://support.microsoft.com/kb/980436, you can add this DWORD value to the Windows registry and set it to a non-zero value to enable the SSLVPN client (SVC 1.x) functionality:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL
DWORD: UseScsvForTls
Value: non-zero (I used 1)
Effect: Client sends SCSV for TLS protocol
This just disables using the TLS Renego extension in the SSL hello, and this is a workaround for the 3000 concentrator as it does not support the AnyConnect product.
3) For the Cisco SSL VPN client, remove the MS security update above. This should be done at your own risk; the machine will be vulnerable as per the security bulletin.
Resolution
1) For clientless and weblaunch of anyconnect not working when using client side certificates in 8.2.x versions, upgrade to latest 8.2.x version. The version should be 8.2.1.16 or later, such as 8.2.2 or 8.2.3. This has the fix for bug CSCtd00697 http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd00697
2) For the VPN 3000 concentrator and SSL VPN client, as the product has reached end of software maintenance, the only option is to upgrade to a headend that supports AnyConnect, such as an ASA or IOS router.
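Added example (not from the original thread): a PowerShell audit script that reports whether KB980436 is present on a machine and whether the UseScsvForTls workaround described above is set, so an administrator can see which clients still send the renegotiation extension and which have the workaround applied. The -Apply switch writes the value; it assumes PowerShell on Windows with local administrator rights for the write.

```powershell
# Added example, not from the original post. Audits (and optionally applies)
# the KB980436 SCHANNEL workaround discussed in the thread.
param(
    [switch]$Apply   # set UseScsvForTls=1 if it is missing or zero (requires admin)
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$name = 'UseScsvForTls'

# 1. Is the update that changed the client hello behaviour installed?
#    Get-HotFix may not list every update type; treat "not found" as "confirm manually".
$kb = Get-HotFix -Id 'KB980436' -ErrorAction SilentlyContinue
if ($kb) {
    Write-Host "KB980436 installed on $($kb.InstalledOn)"
} else {
    Write-Host "KB980436 not found via Get-HotFix (check Windows Update history to confirm)"
}

# 2. Read the current workaround value. A missing value means the default
#    behaviour: the client sends the TLS renegotiation extension.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name not set: client sends the renegotiation extension (SSL VPN client to VPN 3000 will fail)"
} elseif ($current -ne 0) {
    Write-Host "$name = $current : client signals via SCSV instead of the extension (workaround active)"
} else {
    Write-Host "$name = 0: workaround explicitly disabled"
}

# 3. Optionally apply the workaround (non-zero per KB980436; 1 as used in the post).
if ($Apply -and ($null -eq $current -or $current -eq 0)) {
    if ($null -eq $current) {
        # Value does not exist yet, so create it as a DWORD.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 | Out-Null
    } else {
        Set-ItemProperty -Path $key -Name $name -Value 1
    }
    # Assumption: Schannel reads this at startup, so restart the client or reboot.
    Write-Host "$name set to 1; restart the VPN client (or reboot) for Schannel to pick it up"
}
```

Run it without -Apply across a fleet to inventory which machines have the workaround before deciding whether to keep it or move those users to AnyConnect.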
Would this also affect VPN 3000 Series WebVPN client? We are having several users now reporting issues with their SSL VPN since the last MS Update on Tuesday.
I have confirmed this does also affect the WebVPN SSL Client in the Cisco 3000 Series VPN concentrator.
Yes, it will also affect the 3000 concentrator with the Cisco SSL VPN Client.
Unfortunately, as the 3000 concentrator has already reached end of software maintenance, no new fixes will be available at this time.
The only current option is to remove the security update from MS.
Please check the new workaround with registry settings - this should be a fair compromise without being vulnerable.
Ok. I'm testing the new workaround now. Thanks for the update.