Vulnerability Management Report

oosama123
Level 1

After the scan finished for the Vulnerability Management Report, I found these notes:

Cisco Catalyst / Cisco PIX 7.x / Cisco ASA Firewall / Juniper Networks Application Acceleration Platform DX | 38498 | Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode | 2 | 500 | udp | CVE-2002-1623 | 4.3 | yes

Cisco IOS 11-15 | 42395 | Encrypted Management Interfaces Accessible On Cisco Device | 2 | 5.2 | yes

To be honest I am not that good with Cisco, can you help me with this? :)


3 Replies

Marvin Rhoads
Hall of Fame

The vulnerability listing sounds like you are using an old EZVPN setup on your ASA. That's very old technology and as long as you keep using that you will have that vulnerability.

You should migrate to the current SSL VPN (AnyConnect type) to mitigate those vulnerabilities.

If you aren't using EZVPN, it could be a false positive as most site-to-site VPNs use Main Mode vs. Aggressive Mode. An external scan is not able to tell which is in use, only that the ASA is listening on certain UDP ports (udp/500 in this case) and they infer that you are potentially vulnerable as a result.

Thank you for this perfect answer :) In fact I am using an ASA 5100; it's an old one.

And allow me this silly question: how do I check if the VPN is EZVPN? :) :)

And one more thing: what about the second point, Encrypted Management Interfaces Accessible On Cisco Device?

Really, really, thank you.

EZ VPN configuration will have a line like "nem enable" under the group-policy ("show run group-policy") if the ASA is a server. If it acts as a client, it will have configuration lines with "vpnclient" ("show run vpnclient"). In either of those cases, you have to use Aggressive Mode, which is considered vulnerable.

If it has neither then it's just a normal IPsec headend and you can disable Aggresive Mode or AM (though it may still show as a false positive since the scan is only probing for ports and not actually negotiating a VPN and seeing that AM is disabled).

The second vulnerability is usually related to the first. However, since they did not give you a specific CVSS to confirm, it's a bit ambiguous.
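As an added example (not from this thread, and not Cisco's or the scanner vendor's code), the script below applies the checks from the two replies above to a saved `show running-config`: it looks for `nem enable` (EZVPN server) and `vpnclient` lines (EZVPN client), and whether IKEv1 is enabled on an interface without Aggressive Mode being disabled. Unlike the external scan, which only sees udp/500 listening, reading the configuration can tell whether Aggressive Mode is actually off, which is what separates a true positive from a false one. The `crypto ikev1 am-disable` (ASA 8.4 and later) and `crypto isakmp am-disable` (older ASA) commands are assumed from ASA documentation, not taken from the thread; the three configuration excerpts are constructed samples, not real devices.

```python
"""Audit a saved ASA running-config for EZVPN use and IKEv1 Aggressive Mode state."""
import re

# Constructed sample: EZVPN server ("nem enable" under a group-policy), so
# Aggressive Mode is required and the scanner finding is a true positive.
SAMPLE_EZVPN_SERVER = """\
hostname asa-branch
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 nem enable
tunnel-group EZVPN_TG type remote-access
"""

# Constructed sample: plain site-to-site IPsec headend, Aggressive Mode not yet disabled.
SAMPLE_L2L_NO_AM_DISABLE = """\
hostname asa-hq
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
tunnel-group 203.0.113.10 type ipsec-l2l
"""

# Same headend with Aggressive Mode disabled (assumed ASA 8.4+ command syntax).
SAMPLE_L2L_HARDENED = SAMPLE_L2L_NO_AM_DISABLE.replace(
    "crypto ikev1 enable outside\n",
    "crypto ikev1 enable outside\ncrypto ikev1 am-disable\n",
)

# Commands that enable IKEv1 on an interface / disable Aggressive Mode.
# "isakmp" is the pre-8.4 keyword, "ikev1" the 8.4+ keyword (assumption from ASA docs).
IKEV1_ENABLE_RE = re.compile(r"crypto (ikev1|isakmp) enable \S+")
AM_DISABLE_RE = re.compile(r"crypto (ikev1|isakmp) am-disable")


def audit_ike_config(running_config: str) -> dict:
    """Return the EZVPN / Aggressive Mode indicators found in a running-config text."""
    lines = [ln.strip() for ln in running_config.splitlines()]
    ezvpn_server = "nem enable" in lines                         # "show run group-policy"
    ezvpn_client = any(ln.startswith("vpnclient ") for ln in lines)  # "show run vpnclient"
    ikev1_enabled = any(IKEV1_ENABLE_RE.fullmatch(ln) for ln in lines)
    am_disabled = any(AM_DISABLE_RE.fullmatch(ln) for ln in lines)

    if ezvpn_server or ezvpn_client:
        # EZVPN needs Aggressive Mode; the only real fix is migrating off EZVPN.
        verdict = "EZVPN_IN_USE_AM_REQUIRED"
        remediation = "Migrate EZVPN users to AnyConnect (SSL VPN); am-disable would break EZVPN."
    elif ikev1_enabled and not am_disabled:
        verdict = "IKEV1_AM_NOT_DISABLED"
        remediation = "Add 'crypto ikev1 am-disable' (or 'crypto isakmp am-disable' on older ASA)."
    elif ikev1_enabled:
        # Listening on udp/500 but AM is off: an external port probe still flags it.
        verdict = "IKEV1_AM_DISABLED_LIKELY_FALSE_POSITIVE"
        remediation = "None required; document the am-disable setting for the scan exception."
    else:
        verdict = "IKEV1_NOT_ENABLED"
        remediation = "udp/500 finding does not apply to this configuration."

    return {
        "ezvpn_server": ezvpn_server,
        "ezvpn_client": ezvpn_client,
        "ikev1_enabled": ikev1_enabled,
        "am_disabled": am_disabled,
        "verdict": verdict,
        "remediation": remediation,
    }


if __name__ == "__main__":
    for name, cfg in [("ezvpn-server", SAMPLE_EZVPN_SERVER),
                      ("l2l-no-am-disable", SAMPLE_L2L_NO_AM_DISABLE),
                      ("l2l-hardened", SAMPLE_L2L_HARDENED)]:
        result = audit_ike_config(cfg)
        print(f"{name}: {result['verdict']} -> {result['remediation']}")
```

To use it on a real device, save the output of `show running-config` to a file and pass its contents to `audit_ike_config`; the `vpnclient` check covers the client-mode lines the reply mentions, which the samples above do not include.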
