ASA, VPN 3000 concentrator, IOS with SSLVPN client (SVC) stops working after MS security update

Document

Aug 13, 2010 1:21 PM

In response to the SSL/TLS renegotiation vulnerability, MS has published two security updates:

http://support.microsoft.com/kb/977377

http://support.microsoft.com/kb/980436 - This one is installed automatically by Windows Update.

This is explained in more detail in the following security bulletin from Microsoft:

http://www.microsoft.com/technet/security/bulletin/ms10-049.mspx

These updates disable SSL renegotiation and also add a TLS renegotiation-indication extension to the ClientHello; SSL servers such as the VPN 3000 concentrator will fail the SSL handshake when that extension is present.

Symptoms

1) The SSLVPN client (not the AnyConnect client) will fail to connect after the security update.

This affects connections to the ASA, the Cisco VPN 3000 concentrator, AND IOS routers.

ASA users can upgrade from the SSL VPN client to AnyConnect, which resolves this issue.

2) Clientless WebVPN sessions from a browser will fail to an ASA headend running 8.2.1 through 8.2.1.15 when client certificate authentication is enabled and the above security updates are installed.

3) AnyConnect WebLaunch will also fail, because it depends on the clientless WebVPN session that is failing.

Workarounds

1) Upgrade the client to the AnyConnect client if using an ASA as the headend device. The VPN 3000 concentrator does not support AnyConnect. An IOS headend can be upgraded to 12.4(15)T or later, which supports AnyConnect.

2) Per http://support.microsoft.com/kb/980436, you can add the following DWORD value to the Windows registry and set it to a non-zero value to restore SSLVPN client (SVC 1.x) functionality:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL

DWORD: UseScsvForTls  Value: non-zero (I used 1)  Effect: Client sends SCSV for TLS protocol

This stops the client from sending the TLS renegotiation extension in the SSL hello (it signals renegotiation support with the SCSV cipher-suite value instead), and it is the workaround for the 3000 concentrator, since that product does not support AnyConnect.

3) For the Cisco SSL VPN client, remove the MS security update above. This should be done at your own risk, and the machine will be vulnerable as per the security bulletin.
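The handshake difference behind the symptoms and the registry workaround above is visible in the ClientHello: a patched client advertises secure renegotiation either with the renegotiation_info extension (type 0xFF01) or, when UseScsvForTls is non-zero, with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo cipher suite (0x00FF). The following is an added Python example, not code from the original document or from Cisco or Microsoft; it builds three constructed ClientHello handshake messages (extension, SCSV, and neither, as a pre-update client would send) and classifies which form of signalling each carries. It parses only the handshake message, not the TLS record layer, and the random field and cipher-suite list are sample values chosen for the example.

```python
import struct

# Constants from RFC 5246 / RFC 5746 (real protocol values).
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF
EXT_RENEGOTIATION_INFO = 0xFF01
HANDSHAKE_CLIENT_HELLO = 1


def build_client_hello(cipher_suites, extensions):
    """Build a minimal TLS 1.0 ClientHello handshake message (constructed sample, not a capture).

    extensions: list of (ext_type, ext_data) tuples; pass [] for an extension-less hello."""
    body = b"\x03\x01"                      # client_version: TLS 1.0
    body += b"\x00" * 32                    # random: zeros in this constructed sample
    body += b"\x00"                         # session_id length 0
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"                     # compression_methods: null only
    if extensions:                          # the extensions block is optional (RFC 5246 7.4.1.2)
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    # Handshake header: msg_type (1 byte) + length (3 bytes).
    return bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg):
    """Parse the ClientHello fields that matter for RFC 5746 signalling."""
    if msg[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                            # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", body[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    ext_types = []
    if pos < len(body):                     # extensions present only if bytes remain
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4 + data_len
            ext_types.append(ext_type)
    return {
        "cipher_suites": cipher_suites,
        "extensions": ext_types,
        "has_ri_extension": EXT_RENEGOTIATION_INFO in ext_types,
        "has_scsv": TLS_EMPTY_RENEGOTIATION_INFO_SCSV in cipher_suites,
    }


def renegotiation_signalling(msg):
    """Classify how a ClientHello signals secure renegotiation: 'extension', 'scsv', 'both' or 'none'."""
    info = parse_client_hello(msg)
    if info["has_ri_extension"] and info["has_scsv"]:
        return "both"
    if info["has_ri_extension"]:
        return "extension"
    if info["has_scsv"]:
        return "scsv"
    return "none"


# Constructed samples: the same cipher-suite list, signalled three different ways.
BASE_SUITES = [0x002F, 0x0035, 0x000A]      # AES128-SHA, AES256-SHA, 3DES-SHA (RFC 5246 values)
# Patched client, default registry: renegotiation_info extension with empty renegotiated_connection.
HELLO_DEFAULT = build_client_hello(BASE_SUITES, [(EXT_RENEGOTIATION_INFO, b"\x00")])
# Patched client with UseScsvForTls set: SCSV in the suite list, no extension block.
HELLO_SCSV = build_client_hello(BASE_SUITES + [TLS_EMPTY_RENEGOTIATION_INFO_SCSV], [])
# Pre-update client: neither form of signalling.
HELLO_LEGACY = build_client_hello(BASE_SUITES, [])

if __name__ == "__main__":
    for name, hello in [("default", HELLO_DEFAULT), ("UseScsvForTls", HELLO_SCSV), ("legacy", HELLO_LEGACY)]:
        print(f"{name:14s} -> {renegotiation_signalling(hello)}")
```

Run against a real capture, the same parser tells you which of the two RFC 5746 forms a client is sending, which is the quickest way to confirm whether the registry workaround actually took effect on a given machine before concluding that the headend itself is the problem.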

Resolution

1) For clientless WebVPN and AnyConnect WebLaunch not working when using client-side certificates on 8.2.x versions, upgrade to the latest 8.2.x version. The version should be 8.2.1.16 or later, such as 8.2.2 or 8.2.3. This has the fix for bug CSCtd00697: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd00697

2) For the VPN 3000 concentrator with the SSL VPN client, as the product is end of software maintenance, the only option is to upgrade to a headend that supports AnyConnect, such as an ASA or IOS router.


Comments

Josh Peters Fri, 08/13/2010 - 15:25

Would this also affect VPN 3000 Series WebVPN client? We are having several users now reporting issues with their SSL VPN since the last MS Update on Tuesday.

thalexan Fri, 08/13/2010 - 18:15 (reply to Josh Peters)

Yes, it will also affect the 3000 concentrator with the Cisco SSL VPN Client.

Unfortunately, at this time, as the 3000 concentrator has already reached end of software maintenance, no new fixes will be available.

The only current option is to remove the security update from MS.

thalexan Wed, 08/18/2010 - 20:29 (reply to Josh Peters)

Please check the new workaround with registry settings - this should be a fair compromise without being vulnerable.
