vulnerability for Diffie-Hellman < 1024 Bits (Logjam) on the VPN

mahesh18 (Level 6)

Hi Everyone,

 

Scans from an external vendor show the vulnerability "Diffie-Hellman < 1024 Bits (Logjam)" on the VPN on our Cisco ASA running VPN.

Any idea how I can fix this on a Cisco ASA 5520?

 

Regards

Mahesh

 


8 Replies

Marvin Rhoads (Hall of Fame)

Per this Cisco Security Advisory and the related BugID for the ASA, I believe it should be fixed in ASA software 9.1(6.7).

 

Is there any other way I can fix this?

Like a config change for Diffie-Hellman on the ASA?

Regards

Mahesh

If you don't use the ASA for SSL VPN you could disable SSL.

If you need SSL VPN, then the upgrade is the route to take. It will patch the OpenSSL library used by the ASA. 

 

Hi Marvin,

 

We have no SSL VPN, just AnyConnect with IKEv2.

However, we have the config below:

anyconnect ssl dtls enable

This is just in case we make any change to the AnyConnect XML profile, so that users can download it.

 

Do you think the above config will trigger the Diffie-Hellman vulnerability?

Regards

Mahesh

It depends on how the scan was performed. If they are only checking your public-facing outside address then not having SSL services on it will make the vulnerability "disappear".

If you need the service off of all interfaces then you would need to upgrade so that SSL services are patched no matter what interface they are seen on.

Or you could just not patch it and accept the risk.
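To see what the vendor's scanner is reacting to, it helps to probe the listener yourself. The script below is an added example for this thread, not a Cisco tool and not anything from the original post: it drives the `openssl s_client` CLI (1.0.2 or newer, which prints the "Server Temp Key" line), restricts the handshake to DHE cipher suites, and reports the ephemeral Diffie-Hellman group size the server offers, with "weak" meaning under 1024 bits, the threshold behind the "Diffie-Hellman < 1024 Bits (Logjam)" finding. The host and port arguments are placeholders, and the sample output embedded in it is constructed, not captured from a real ASA.

```shell
#!/bin/sh
# Added example, not from the original thread: probe a TLS listener the way a
# Logjam scanner does and report the ephemeral DH group size it offers.
# Requires the openssl CLI (1.0.2 or newer prints "Server Temp Key").
# The host/port arguments are placeholders; nothing below is an ASA command.

# Extract the DH key size in bits from `openssl s_client` output on stdin.
# Prints 0 when the server did not negotiate a DHE suite or never answered.
dh_bits_from_output() {
    sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Map a bit size to the scanner's verdict: anything under 1024 bits is what
# the "Diffie-Hellman < 1024 Bits (Logjam)" finding is about.
classify_dh() {
    bits="$1"
    if [ "$bits" -eq 0 ]; then
        echo "no-dhe"
    elif [ "$bits" -lt 1024 ]; then
        echo "weak"
    else
        echo "ok"
    fi
}

# Probe a live listener. Restricting the client to DHE suites (kEDH) forces
# the server to reveal its group size or refuse the handshake outright.
# @SECLEVEL=0 lets OpenSSL 1.1/3.x accept the old protocol versions and small
# groups we are hunting for; on OpenSSL 1.0.x drop that suffix.
probe_dh() {
    host="$1"
    port="${2:-443}"
    echo | openssl s_client -connect "$host:$port" \
        -cipher 'kEDH:@SECLEVEL=0' 2>/dev/null | dh_bits_from_output
}

# Constructed sample of s_client output for a server that still serves a
# 512-bit export group (not captured from any real device).
sample_weak_output() {
    printf '%s\n' \
        'CONNECTED(00000003)' \
        'SSL handshake has read 1421 bytes and written 343 bytes' \
        'Server Temp Key: DH, 512 bits' \
        '---'
}

# Usage: sh dhcheck.sh <host> [port]
if [ "$#" -gt 0 ]; then
    bits=$(probe_dh "$1" "$2")
    echo "$1:${2:-443} DH ${bits} bits -> $(classify_dh "$bits")"
fi
```

Run it against the outside address the vendor scans: "no-dhe" or a refused connection means there is nothing on that interface for the scanner to flag, while "weak" reproduces the finding. Since the point above is that the finding only "disappears" for interfaces the scanner cannot reach, it is worth running the same probe against the inside and management addresses before deciding whether an upgrade is needed.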

Yes, the scan only checks the public-facing IP address.

I checked your link and it shows the info below:

Last Modified: Aug 19, 2015
Status: Fixed
Severity: 2 Severe
Product: Cisco ASA 5500-X Series Next-Generation Firewalls
Support Cases: 37
Known Affected Releases (6): 7.2(1), 8.2(1), 8.2(5), 9.0(1), 9.2(1), 9.3(2)
Known Fixed Releases (25): 100.12(0.131), 100.13(0.81), 100.13(0.82), 100.14(0.51), 100.14(0.54), 100.14(16.1), 100.14(5.23), 100.14(7.43), 100.15(0.17)
 
 
The ASA version we are running is 8.4(7)28.

So does that mean we are not affected by this?
 
Regards
 
Mahesh

Mahesh,

"Known affected releases" usually indicates that TAC cases have been reported by customers and verified by Cisco to affect those versions.

They don't regression test every old version when a bug is discovered but usually verify the fix is in currently active release trains.

The ASA 100.x version numbers are Cisco's internal tracking numbers for code versions still in pre-release development.

Many thanks, Marvin.

 

Regards

Mahesh