POODLE vulnerability - ASA 5520

Nov 5th, 2014

Hi

I would like to know if my ASA 5520 firewalls (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerable to the POODLE vulnerability.

Which workaround should I apply? Would it have any impact on my VPN or DMZ servers?

Thanks...

Prashant Joshi Wed, 11/05/2014 - 03:44
Cisco Employee

Hi,

Both these ASA versions are vulnerable.

Conditions:
The default configuration of SSL on all versions of the ASA enables SSLv3.
Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.

To see the SSL configuration:
show run all ssl

Default configuration of the ASA:
ssl client-version any
ssl server-version any

The following non-default configuration values also enable SSLv3:
ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3

The following versions are vulnerable regardless of ssl configuration:
* 9.0.x
* 9.1.1.x

Workaround:
Disable SSLv3, write the changes to the startup-config.

This workaround only applies to the following versions:
* 7.x and later
* 8.2 and later
* 8.3 and later
* 8.4 and later
* 8.5 and later
* 8.6 and later
* 8.7 and later
* 9.1.2 and later (with CSCug51375 fix)
* 9.2.1 and later (with CSCug51375 fix)
* 9.3.1 and later

Use the following config-mode commands:

ssl server-version tlsv1
ssl client-version tlsv1-only

There is no need to reboot. The configuration must be saved via "write memory".

Here are the bug details: CSCur23709

Known fixed ASA versions: 9.0(4.201), 9.2(2.103), 9.3(1.1)

 

Thanks,

Prashant Joshi
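
The checks in the reply above, turned into a small script as an added example (not code from the thread or from Cisco). It applies the reply's rules to the text of "show run all ssl" plus the ASA version string: the version check for 9.0.x / 9.1.1.x, the set of version values that leave SSLv3 enabled, and the remediation commands. The sample outputs are constructed, and treating the builds listed as fixed for CSCur23709 as able to disable SSLv3 is an assumption.

```python
import re

# Values of "ssl server-version" / "ssl client-version" that leave SSLv3
# enabled, per the reply ("any" is the ASA default on all versions).
SSLV3_ENABLING = {"any", "sslv3-only", "sslv3"}

# Remediation commands from the reply, plus the save that makes them stick.
FIX_COMMANDS = ["ssl server-version tlsv1",
                "ssl client-version tlsv1-only",
                "write memory"]

# Builds the reply lists as fixed for CSCur23709. Assumption: on these builds
# SSLv3 can be disabled, so the version block below does not apply to them.
KNOWN_FIXED = {"9.0(4.201)", "9.2(2.103)", "9.3(1.1)"}


def version_cannot_disable_sslv3(asa_version):
    """True for 9.0.x and 9.1.1.x, where CSCug51375 keeps SSLv3 on regardless
    of configuration. Accepts '8.4(6)', '9.1.1' or '9.0(4.201)' style strings."""
    if asa_version in KNOWN_FIXED:
        return False
    parts = [int(p) for p in re.findall(r"\d+", asa_version)]
    return parts[:2] == [9, 0] or parts[:3] == [9, 1, 1]


def parse_ssl_config(show_run_all_ssl):
    """Pull the client/server version settings out of 'show run all ssl' text."""
    cfg = {}
    for line in show_run_all_ssl.splitlines():
        m = re.match(r"\s*ssl (server|client)-version (\S+)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def assess(asa_version, show_run_all_ssl):
    """Return (vulnerable, reason, fix_commands) for one ASA."""
    if version_cannot_disable_sslv3(asa_version):
        return True, "SSLv3 cannot be disabled on this version (CSCug51375)", []
    cfg = parse_ssl_config(show_run_all_ssl)
    # A side missing from the output is at its default "any", which enables SSLv3.
    weak = [s for s in ("server", "client") if cfg.get(s, "any") in SSLV3_ENABLING]
    if weak:
        return True, "SSLv3 enabled on: " + ", ".join(weak), FIX_COMMANDS
    return False, "SSLv3 disabled for both server and client", []


# Constructed sample outputs (not captured from a real device).
DEFAULT_CONFIG = "ssl server-version any\nssl client-version any\n"
HARDENED_CONFIG = "ssl server-version tlsv1\nssl client-version tlsv1-only\n"

if __name__ == "__main__":
    for ver, cfg in (("8.4(6)", DEFAULT_CONFIG), ("8.4(6)", HARDENED_CONFIG),
                     ("9.1.1", HARDENED_CONFIG)):
        print(ver, assess(ver, cfg))
```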
