Cisco Support Community
Community Member

POODLE attack

Dear Team,

We identified that our device is vulnerable to the POODLE attack; hence, kindly advise me which IOS I need to upgrade to.

Currently Running : asa825-k8.bin | Adaptive Security Appliance Software Version 8.2(5) | ASA5510

Waiting for your reply.

Thanks & Regards,

Ramesh Babu.A.

1 REPLY
Cisco Employee

Hi Ramesh,

This link is definitely going to help you:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118780-technote-asa-00.html

Solution

Cisco has implemented these solutions to this problem:

  1. All versions of AnyConnect that previously supported (negotiated) SSLv3 have been deprecated and the versions available for download (both v3.1x and v4.0) will not negotiate SSLv3 so they are not susceptible to the issue.

  2. The ASA's default protocol setting has been changed from SSLv3 to TLSv1.0 so that as long as the incoming connection is from a client that supports TLS, that is what will be negotiated.

  3. The ASA can be manually configured to accept only specific SSL protocols with this command:

    ssl server-version

    As mentioned in solution 1, none of the currently supported AnyConnect clients negotiate SSLv3 anymore, so the client will fail to connect to any ASA configured with either of these commands:
    ssl server-version sslv3
    ssl server-version sslv3-only

    However, for deployments that use the v3.0.x and v3.1.x AnyConnect versions that have been deprecated (which are all AnyConnect build versions PRE 3.1.05182), and in which SSLv3 negotiation is specifically used, the only solution is to eliminate the use of SSLv3 or consider a client upgrade.

  4. The actual fix for POODLE BITES (Cisco bug ID CSCus08101) will be integrated into the latest interim release versions only. You can upgrade to an ASA version that has the fix to solve the problem. The first available version on Cisco Connection Online (CCO) is Version 9.3(2.2).

    The first fixed ASA software releases for this vulnerability are as follows:
    • 8.2 Train:   8.2.5.55
    • 8.4 Train:   8.4.7.26
    • 9.0 Train:   9.0.4.29
    • 9.1 Train:   9.1.6
    • 9.2 Train:   9.2.3.3
    • 9.3 Train:   9.3.2.2

TLSv1.2

  • The ASA supports TLSv1.2 as of software version 9.3(2).
  • AnyConnect Version 4.x clients all support TLSv1.2.

This means:

  • If you use Clientless WebVPN, then any ASA that runs this version of software or higher can negotiate TLSv1.2.

  • If you use the AnyConnect client, in order to use TLSv1.2, you will need to upgrade to Version 4.x clients.

Hope this info helps!!

Rate if it helps you!!

-JP-
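As an added example (not part of the reply above or of the Cisco technote), here is a small check that takes the "show version" line the asker quoted and compares it against the first fixed releases listed for each train, and that flags any `ssl server-version sslv3` line left in a running config. It assumes the dotted release numbers in the list (8.2.5.55) correspond digit by digit to the parenthesised form shown by the ASA (8.2(5)55).

```python
import re

# First fixed ASA releases for CSCus08101 (POODLE), per train, as listed
# in the Cisco technote quoted in the reply above.
FIRST_FIXED = {
    (8, 2): (8, 2, 5, 55),
    (8, 4): (8, 4, 7, 26),
    (9, 0): (9, 0, 4, 29),
    (9, 1): (9, 1, 6),
    (9, 2): (9, 2, 3, 3),
    (9, 3): (9, 3, 2, 2),
}

def parse_asa_version(text):
    """Turn an ASA version string into a tuple of ints.

    Accepts the 'show version' form, e.g. '8.2(5)' or '8.2(5)55', a full
    banner line containing 'Version ...', and the dotted form used in the
    fixed-release list, e.g. '8.2.5.55'.
    """
    m = re.search(r"Version\s+([\d.()]+)", text)
    s = m.group(1) if m else text
    parts = tuple(int(p) for p in re.findall(r"\d+", s))
    if len(parts) < 2:
        raise ValueError("not an ASA version string: %r" % text)
    return parts

def has_poodle_fix(version_text):
    """True if the running release is at or above the first fixed release
    of its train, False if below it, None if the train is not in the list."""
    v = parse_asa_version(version_text)
    fixed = FIRST_FIXED.get(v[:2])
    if fixed is None:
        return None
    width = max(len(v), len(fixed))
    pad = lambda t: t + (0,) * (width - len(t))   # 9.1(6) == 9.1.6.0
    return pad(v) >= pad(fixed)

def sslv3_lines(running_config):
    """Return config lines that still pin the ASA to SSLv3 (solution 3 above)."""
    return [ln.strip() for ln in running_config.splitlines()
            if re.match(r"\s*ssl server-version sslv3(-only)?\s*$", ln)]

if __name__ == "__main__":
    # Constructed sample: the asker's platform line from the question above.
    banner = "Adaptive Security Appliance Software Version 8.2(5)"
    print(banner, "-> has fix:", has_poodle_fix(banner))      # False
    print("8.2(5)55 -> has fix:", has_poodle_fix("8.2(5)55"))  # True
```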
