04-03-2017 07:16 PM
I have a 5512-X with the latest IOS, running AnyConnect 3.0, and I've created a policy in the ASDM to filter VPN connections by the MAC address of our laptop. If any computer other than my laptop connects, the new policy defaults to the base policy, which is set to terminate the connection. Since my SSL VPN Service login page can be reached by putting in my firewall IP, I've been told that it is a vulnerability, and I keep getting a vulnerability error after the penetration test.
I know I can't turn off the webvpn service, and like I said, I've got filtering by policy on the MAC address of our laptop, and I've edited the SSL VPN page so that it now says Unauthorized Access.
Is there more I can do to eliminate this? Can the page be shut down so that if someone puts my firewall IP into a browser, it doesn't open or work?
Thanks,
Dave
04-04-2017 05:02 AM
You cannot stop the ASA from showing a page as far as I know. The AnyConnect client and clientless VPN use the same webvpn service on the ASA on port 443 (or a custom port you configure). There is no way to split them apart into 2 different services and stop just the ASA from responding to a browser-based request.
04-04-2017 08:35 AM
How would you suggest I deal with the vulnerability? I'm already filtering by MAC address and modified the login page to include "unauthorized access".
04-04-2017 08:52 AM
Do you have some more information on which vulnerability is being hit, like the CVE number etc.? Usually, if you are running the latest version of the ASA software, most of the vulnerabilities should be patched. The last vulnerability that I saw on the Cisco advisory that matches your scenario is detailed in this blog:
http://blogs.cisco.com/security/cisco-psirt-notice-about-public-exploitation-of-the-cisco-asa-clientless-ssl-vpn-portal-customization-integrity-vulnerability
04-04-2017 09:09 AM
I have an ASA 5512-X with the latest IOS and ASDM 7.1, along with AnyConnect 3.0. I've been on several TAC support calls trying to explain this to them as well, and they recommended filtering by MAC address by policy through the ASDM. We only have one laptop used for remote VPN.
I'm waiting on the report (CVE info) from the pen test contractor, but he had sent me this email:
cleartext or SSL vulnerabilities on my firewall listed in your report. Those should be cleared up. If you don’t want to use access control, two factor authentication should be used with AnyConnect – Duo is a good inexpensive option. But regardless, the vulnerabilities should be cleared up IMHO as they are in every other institution I scan.
TAC support is great but not NCUA examiner. They see red all over the scan, they’ll want explanations in the report.
From my experience I’ve only seen one example of a bad guy compromising a cleartext vulnerability many years ago. You have to be freakish to exploit SSL. The chances that it would ever happen to your CU is infinitesimally small. Having said that, I’ve never seen an institution not clear up those vulnerabilities.
04-04-2017 07:38 PM
So, I opened a TAC service request and discovered this time that TLSv1 needed upgrading. My ASA software is at 9.1.17.15; in order to upgrade to fix this and the certificates, I would need to also upgrade to AnyConnect 4.0 from my current 3.0. Is there an upgrade in between that addresses this vulnerability and allows me to keep 3.0?
Thanks,
Dave
04-04-2017 07:58 PM
If you have an ASA 5512-X, the latest software is not "9.1.17.15". (I assume you meant 9.1.7.15.)
You should be running a release like 9.4.4.5, which is recommended by Cisco as seen here:
https://software.cisco.com/download/release.html?mdfid=284143128&flowid=31442&softwareid=280775065&release=9.4.4%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest
It does address all currently identified SSL/TLS vulnerabilities, assuming you configure it properly to disable SSLv3 and disable the use of weak ciphers.
AnyConnect 3.x is end of support and Cisco strongly recommends migrating to AnyConnect 4.x.
http://www.cisco.com/c/en/us/products/collateral/security/anyconnect-secure-mobility-client/eos-eol-notice-c51-734084.html
You may be able to pass your audit using the latest 3.x release (3.1.14018) but that's just buying you time. Anyconnect 4.x is really a better path.
04-06-2017 02:04 PM
Thank you for all the help... Purchasing the new AnyConnect and upgrading the ASA to 9.4 after that. From what I read, it should mitigate the vulnerabilities.
I already have the "keep out" command configured.
Dave
04-04-2017 09:23 PM
Hi David
If the intention is to completely disable the webvpn page, you can use
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/jk.html
So the configuration should look like this:
webvpn
This will shut down the portal page regardless of the tunnel group.
Thanks
Shakti
05-31-2019 03:41 AM
I know this thread is a bit old, but I thought it useful to share the way that I have solved the same issue. I have added a rule in the portal access rules to deny any access; the configuration is as below:
webvpn
portal-access-rule 1 deny user-agent match **
Hope that will help others.
Mazin
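As an added example (not code from any poster in this thread), here is a small Python check a defender could run over a saved ASA running-config to confirm the two mitigations discussed above: a portal lockout under webvpn (Shakti's keepout command or Mazin's deny portal-access-rule) and no SSLv3 or weak ciphers, as the 9.4 advice requires. The ssl server-version / ssl encryption / ssl cipher keyword syntax and both sample configs are assumptions constructed for the example, not output from a real device.

```python
import re

# Constructed samples (assumed ASA syntax, not dumps from a real device):
# the exposed configuration the thread starts from, and the same device
# after the advice given in the thread has been applied.
WEAK_CONFIG = """\
ssl server-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
 enable outside
 anyconnect enable
"""
HARDENED_CONFIG = """\
ssl server-version tlsv1.2
ssl cipher tlsv1.2 high
webvpn
 enable outside
 keepout "Unauthorized Access"
 portal-access-rule 1 deny user-agent match **
 anyconnect enable
"""
# Substrings that mark a cipher suite the audit should flag as weak.
WEAK_CIPHERS = ("rc4", "3des", "des-", "null", "md5", " low", " medium")


def webvpn_lines(config):
    """Return the stripped lines inside the indented 'webvpn' section."""
    lines, inside = [], False
    for line in config.splitlines():
        if line.strip() == "webvpn":
            inside = True
        elif inside and line.startswith(" "):
            lines.append(line.strip())
        else:
            inside = False
    return lines


def audit(config):
    """Return a list of findings; an empty list means both mitigations are present."""
    findings = []
    block = webvpn_lines(config)
    if not any(l.startswith("keepout ") or re.match(r"portal-access-rule \d+ deny\b", l)
               for l in block):
        findings.append("portal: no keepout or deny portal-access-rule under webvpn")
    version = re.search(r"^ssl server-version (\S+)", config, re.M)
    if not version or version.group(1) in ("any", "sslv3", "sslv3-only"):
        findings.append("ssl: SSLv3 still negotiable (server-version missing or permits it)")
    for m in re.finditer(r"^ssl (?:encryption|cipher) (.+)$", config, re.M):
        if any(weak in m.group(1).lower() for weak in WEAK_CIPHERS):
            findings.append("ssl: weak cipher suite allowed: " + m.group(1))
    return findings
```

Run audit() on the output of "show running-config" saved to a file; it only reads the text, so it is safe to use on a copy taken from the ASA.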