Hello,
For many years we have operated Cisco ASAs for VPN remote access using AnyConnect IPsec IKEv2 rather than SSL (regulations). They have proven to be successful and reliable, and we are currently moving to FPR4100/ASA.
Recently the business has insisted upon Qualys scanning the live service devices, while previously I only allowed them access to the test devices, which are the same hardware, software, and configuration ... within the limits of testing.
Qualys has identified a vulnerability which I find rather random...
"For “UDP Source Port Pass Firewall” vulnerability flagged by Qualys on few servers, this vulnerability is remote discovery and as per detection logic the vulnerability will flag if Firewall policy is allowing the UDP packets with specific source port (in current case for vulnerable hosts it’s port 53) to pass through while it blocks UDP packets to the same destination ports but with a random source port (i.e. 36105, 56966, 43184, 17718 as per Qualys scan results).
As per Qualys recommendation, kindly make sure that all your filtering rules are correct and strict enough. If they are not, change the firewall rules to filter these requests with a particular source port as well i.e. Port 53."
The ASA version is currently 9.14.3.11.
There is a global implicit deny and ssl remote access / portal are disabled.
As all the hardware, software and configs are the same, Qualys has not identified all the ASAs as vulnerable.
Now I could configure a bunch of firewall rules on the outside interface to only permit the ports used for VPN, and deny explicitly port 53 with source port 53, but surely that is already blocked by the global implicit rule? Or is this a new bug? Or is it purely a random result which can be explained by the firewall needing to listen and terminate UDP connections for building VPN tunnels?
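To make the detection logic quoted from Qualys concrete, the following is an added example (not the poster's configuration or Qualys's code). It models a stateless ACL with an implicit deny, then reproduces the scanner's comparison: probe a destination port once with UDP source port 53 and several times with random source ports, and flag the host only when the source-port-53 probe is permitted while the random-source-port probes are all denied. The "loose" rule set (permit any UDP whose source port is 53) and the "strict" rule set (permit only the IKE and NAT-T destination ports, 500 and 4500, which are the standard ports for IKEv2) are constructed for illustration; a real ASA also performs stateful inspection, which this model deliberately leaves out.

```python
"""Model of the 'UDP Source Port Pass Firewall' check against a simple ACL.

Added example: the ACL evaluator and rule sets below are constructed for
illustration and are not a real device configuration.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "udp" or "tcp"
    src_port: Optional[int]   # None matches any source port
    dst_port: Optional[int]   # None matches any destination port


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First-match ACL evaluation with an implicit deny at the end."""
    for rule in acl:
        if rule.proto != pkt.proto:
            continue
        if rule.src_port is not None and rule.src_port != pkt.src_port:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "deny"  # global implicit deny


def source_port_pass_check(acl: List[Rule], dst_port: int,
                           trusted_src: int = 53, probes: int = 4,
                           seed: int = 0) -> bool:
    """Return True when the ACL would be flagged for this destination port.

    Flag condition (as described in the quoted Qualys text): a probe with
    the trusted source port is permitted, while probes to the same
    destination port with random (ephemeral) source ports are all denied.
    """
    rng = random.Random(seed)
    trusted_passes = evaluate(acl, Packet("udp", trusted_src, dst_port)) == "permit"
    random_passes = [
        evaluate(acl, Packet("udp", rng.randint(1024, 65535), dst_port)) == "permit"
        for _ in range(probes)
    ]
    return trusted_passes and not any(random_passes)


# Constructed rule sets for comparison.
# Loose: trusts anything that claims to come from a DNS server's port.
LOOSE_ACL = [Rule("permit", "udp", src_port=53, dst_port=None)]

# Strict: permits only the VPN control ports by destination, any source port.
# 500 (IKE) and 4500 (NAT-T) are the standard IKEv2 ports.
STRICT_ACL = [
    Rule("permit", "udp", src_port=None, dst_port=500),
    Rule("permit", "udp", src_port=None, dst_port=4500),
]


def scan(acl: List[Rule], dst_ports: List[int]) -> dict:
    """Run the check over several destination ports; returns {port: flagged}."""
    return {p: source_port_pass_check(acl, p) for p in dst_ports}


if __name__ == "__main__":
    ports = [53, 500, 4500, 36105]
    print("loose :", scan(LOOSE_ACL, ports))   # every port flagged
    print("strict:", scan(STRICT_ACL, ports))  # nothing flagged
```

On the strict rule set the VPN ports are reachable from any source port, so the scanner sees no difference between the source-port-53 probe and the random-source-port probes, and a closed port such as 53 is denied either way; neither case meets the flag condition. Only a rule that keys on the source port, as the loose set does, produces the asymmetry the check looks for.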