POODLE attack

Nov 22nd, 2016

Dear Team,

We identified that our device is vulnerable to the POODLE attack, hence kindly advise me which IOS I need to upgrade to?

Currently Running : asa825-k8.bin | Adaptive Security Appliance Software Version 8.2(5) | ASA5510

Waiting for your reply.

Thanks & Regards,

Ramesh Babu.A.

JP Miranda Z Thu, 11/24/2016 - 17:07

Hi Ramesh,


This link is definitely going to help you:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

Solution

Cisco has implemented these solutions to this problem:

  1. All versions of AnyConnect that previously supported (negotiated) SSLv3 have been deprecated and the versions available for download (both v3.1x and v4.0) will not negotiate SSLv3 so they are not susceptible to the issue.

  2. The ASA's default protocol setting has been changed from SSLv3 to TLSv1.0 so that as long as the incoming connection is from a client that supports TLS, that is what will be negotiated.

  3. The ASA can be manually configured to accept only specific SSL protocols with this command:

    ssl server-version

    As mentioned in solution 1, none of the currently supported AnyConnect clients negotiate SSLv3 anymore, so the client will fail to connect to any ASA configured with either of these commands:
    ssl server-version sslv3
    ssl server-version sslv3-only

    However, for deployments that use the v3.0.x and v3.1.x AnyConnect versions that have been deprecated (which are all AnyConnect build versions PRE 3.1.05182), and in which SSLv3 negotiation is specifically used, the only solution is to eliminate the use of SSLv3 or consider a client upgrade.

  4. The actual fix for POODLE BITES (Cisco bug ID CSCus08101) will be integrated into the latest interim release versions only. You can upgrade to an ASA version that has the fix to solve the problem. The first available version on Cisco Connection Online (CCO) is Version 9.3(2.2). 

    The first fixed ASA software releases for this vulnerability are as follows:
    • 8.2 Train:   8.2.5.55
    • 8.4 Train:   8.4.7.26
    • 9.0 Train:   9.0.4.29
    • 9.1 Train:   9.1.6
    • 9.2 Train:   9.2.3.3
    • 9.3 Train:   9.3.2.2

TLSv1.2

  • The ASA supports TLSv1.2 as of software version 9.3(2).
  • AnyConnect Version 4.x clients all support TLSv1.2.

This means:

  • If you use Clientless WebVPN, then any ASA that runs this version of software or higher can negotiate TLSv1.2.

  • If you use the AnyConnect client, in order to use TLSv1.2, you will need to upgrade to Version 4.x clients.

Hope this info helps!!

Rate if it helps you!!

-JP-
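As an added example (not part of the post, and not Cisco tooling), a small Python checker that normalises the ASA release notations used in the answer above ('8.2(5)', '9.3(2.2)', '8.2.5.55') and compares a running release against the first fixed release of its train for CSCus08101 and against the 9.3(2) TLSv1.2 threshold; the parsing rule that every run of digits is one version component is this example's assumption.

```python
import re
from typing import Optional, Tuple

# First fixed releases per train for CSCus08101, as listed in the answer above.
FIRST_FIXED = {
    "8.2": "8.2.5.55",
    "8.4": "8.4.7.26",
    "9.0": "9.0.4.29",
    "9.1": "9.1.6",
    "9.2": "9.2.3.3",
    "9.3": "9.3.2.2",
}

# TLSv1.2 is supported from 9.3(2) onward, per the answer above.
TLS12_MIN = "9.3(2)"


def parse_asa_version(text: str) -> Tuple[int, ...]:
    """Normalise ASA release notation to a comparable tuple.

    Assumption of this example: '8.2(5)', '9.3(2.2)' and '8.2.5.55' all
    follow the same ordering, so every run of digits becomes one component.
    Python compares tuples lexicographically, so (8, 2, 5) < (8, 2, 5, 55).
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if len(parts) < 2:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return parts


def poodle_status(running: str) -> Optional[bool]:
    """True if the release is at or past the first fixed release of its train,
    False if it predates it, None if the train is not in the fixed list."""
    ver = parse_asa_version(running)
    fixed = FIRST_FIXED.get(f"{ver[0]}.{ver[1]}")
    if fixed is None:
        return None
    return ver >= parse_asa_version(fixed)


def supports_tls12(running: str) -> bool:
    """True if the release can negotiate TLSv1.2 (9.3(2) or later)."""
    return parse_asa_version(running) >= parse_asa_version(TLS12_MIN)


if __name__ == "__main__":
    # The asker's release, 8.2(5), predates the 8.2 train fix at 8.2.5.55.
    for v in ("8.2(5)", "8.2.5.55", "9.1(6)", "8.3(1)"):
        print(v, "fixed:", poodle_status(v), "tls1.2:", supports_tls12(v))
```

A train missing from the list (for example 8.3) returns None rather than a verdict, so it is reported as unknown instead of silently passing.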
