
ASA5506x httponly vulnerability

peat
Level 1

I've managed to get rid of this vulnerability on other ASA5506Xs by enabling the http-only VPN cookie option, but on another one I look after this hasn't cleared the vulnerability.

The Greenbone scan returns this:

Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_portal=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnSharePoint=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: samlPreauthSessionHash=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: acSamlv2Error=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=***replaced***; path=/; secure

are missing the "httpOnly" attribute.

 

Does anyone know how I sort these out? The firewall's clock is correct, so not sure where those expiry dates are coming from.

 

I did see this exact issue was a bug in the OS last year, but this firewall is on version 9.8(4)32.
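A way to triage scan output like the above, added here as an example and not part of the original post: it parses each Set-Cookie line and separates headers that only clear a cookie (empty value with an expiry in the past) from cookies that carry a value without HttpOnly. The function names and the `example_session` line are assumptions made for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# First two header lines are copied from the scan output in the post;
# example_session is a constructed line added for contrast.
SAMPLE = """\
 Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=***replaced***; path=/; secure
Set-Cookie: example_session=abc123; path=/; secure; HttpOnly
"""

def parse_set_cookie(line):
    """Return (name, value, attrs) for one 'Set-Cookie: ...' line."""
    body = line.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";") if p.strip()] or [""]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip()
             for k, _, v in (p.partition("=") for p in parts[1:])}
    return name.strip(), value.strip(), attrs

def is_expired(attrs, now):
    """True when Expires parses to a time at or before 'now'."""
    try:
        when = parsedate_to_datetime(attrs["expires"])
        return when.replace(tzinfo=when.tzinfo or timezone.utc) <= now
    except (KeyError, TypeError, ValueError):
        return False

def triage(text, now=None):
    """Label each Set-Cookie line: ok, clears-cookie or missing-httponly."""
    now = now or datetime.now(timezone.utc)
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.lower().startswith("set-cookie:"):
            continue
        name, value, attrs = parse_set_cookie(line)
        if "httponly" in attrs:
            status = "ok"
        elif value == "" and is_expired(attrs, now):
            status = "clears-cookie"  # empty value, past expiry: no secret to read
        else:
            status = "missing-httponly"  # live cookie without the attribute
        results.append((name, status))
    return results

if __name__ == "__main__":
    for name, status in triage(SAMPLE):
        print(f"{name:18} {status}")
```
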

 

 

2 Replies

phil.smith
Level 1

Hi There,

 

Did you ever find a fix for this, as I have a single 5506 that is displaying this exact issue, while others are fine? Currently on firmware 9.14(3)15.

No. 

I've just had to ignore the result on Greenbone.