New Member

POODLE vulnerability - Are ASA 5500's and ASA SM unaffected?

ASA evaluation of SSLv3 POODLE vulnerability at https://tools.cisco.com/bugsearch/bug/CSCur23709 only mentions ASA 5500-X but not ASA 55xx appliances and ASA SM. Does this mean ASA 55xx appliances and ASA SM are not affected by the vulnerability?

13 REPLIES
Hall of Fame Super Silver

They use the term "Cisco ASA 5500-X Series Next-Generation Firewalls" in a generic sense. Given that the known affected versions include ASA 8.2, 8.3 and 8.4 software (which run on the legacy ASA 5500s), I'd say yes, it includes the ASA 5500 (non-X) series.

The actual security vulnerability announcement confirms that the vulnerability applies to the software - not necessarily the hardware platform per se.

Given that the ASA Service Module code base is based on the affected software (even though they are silent re 8.5, which you could be running on the ASA SM), I'd say it would be a good idea to mitigate that platform as well if you have it.

New Member

Marvin,

Thank you for your quick and insightful response.

I agree with your recommendations.

Nathan

New Member

Hello,

are these versions affected?

asa   9.3(1)
asa   9.1(3)
fwsm  4.1(15)

Hall of Fame Super Silver

I can't say for sure as those software versions aren't specifically named in the BugID for this vulnerability.

In any case, the workaround to mitigate it is simple enough so you can just go ahead and deploy:

ssl client-version tlsv1-only
ssl server-version tlsv1

There's no adverse impact to any other services on the system.

New Member

The workaround happens to not be applicable for the version I'm running. The vulnerability could affect an ASA if "A block cipher in CBC mode is one of the transform sets being offered".

How do I know if a block cipher in CBC mode is one of the transform sets I have configured?  I cannot find any further details from Cisco regarding this.

Cheers,

Jnomm

New Member

jnommensen,

What version are you running on your ASA?

ssl client-version and ssl server-version were both introduced in 7.0(1), quite some time ago...

The way I understand it... 

If your ASA acts as an https server for downloading AnyConnect software to VPN users, or if you use clientless VPN or ASDM -and- if you have ssl server-version any, then you are at risk due to the client's browser negotiating down to SSLv3.

Hope this helps. 


Tim
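
One way to check the condition quoted above against your own running configuration, as an added example that is not part of this thread or of Cisco's tooling: the Python script below parses the output of "show run ssl" and reports whether SSLv3 can still be negotiated (ssl server-version or ssl client-version left at any, sslv3 or sslv3-only) while a block cipher in CBC mode is among the ssl encryption suites. It assumes the ssl server-version, ssl client-version and ssl encryption keyword names of the 9.0/9.1 releases discussed here, assumes the default suite list used when ssl encryption is absent, and the two sample configurations are constructed, not captured from a real appliance.

```python
from typing import Dict, List

# ASA 'ssl encryption' keywords (9.0/9.1 syntax, assumed). Everything except the RC4
# and NULL suites is a block cipher in CBC mode, the condition POODLE needs under SSLv3.
CBC_CIPHERS = {"des-sha1", "3des-sha1", "aes128-sha1", "aes256-sha1",
               "dhe-aes128-sha1", "dhe-aes256-sha1"}

# Assumption: the suite list in effect when 'ssl encryption' is not in the running config.
DEFAULT_ENCRYPTION = ["rc4-sha1", "aes128-sha1", "aes256-sha1", "3des-sha1"]

# 'ssl server-version' / 'ssl client-version' values under which SSLv3 can still be
# chosen; 'any' is the default when the command is absent.
SSLV3_VERSION_SETTINGS = {"any", "sslv3", "sslv3-only"}


def parse_ssl_config(show_run_ssl: str) -> Dict[str, List[str]]:
    """Turn the 'ssl ...' lines of 'show run ssl' into {keyword: arguments}."""
    cfg: Dict[str, List[str]] = {
        "server-version": ["any"],
        "client-version": ["any"],
        "encryption": list(DEFAULT_ENCRYPTION),
    }
    for raw in show_run_ssl.splitlines():
        parts = raw.strip().split()
        if len(parts) >= 3 and parts[0] == "ssl" and parts[1] in cfg:
            cfg[parts[1]] = parts[2:]
    return cfg


def assess_poodle(cfg: Dict[str, List[str]]) -> Dict[str, object]:
    """Report whether SSLv3 is still negotiable together with a CBC suite."""
    cbc_in_use = sorted(c for c in cfg["encryption"] if c in CBC_CIPHERS)
    findings: List[str] = []
    exposed = False
    for role in ("server-version", "client-version"):
        setting = cfg[role][0]
        if setting not in SSLV3_VERSION_SETTINGS:
            continue  # tlsv1 / tlsv1-only: SSLv3 cannot be negotiated for this role
        if cbc_in_use:
            exposed = True
            findings.append(f"ssl {role} {setting}: SSLv3 negotiable with CBC suites {cbc_in_use}")
        else:
            findings.append(f"ssl {role} {setting}: SSLv3 negotiable, but no CBC suites configured")
    return {"poodle_exposed": exposed, "findings": findings}


# Constructed sample 'show run ssl' output (not captured from a real appliance).
BEFORE = """\
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
"""

AFTER = """\
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, assess_poodle(parse_ssl_config(text)))
```

Paste the real "show run ssl" output in place of the sample text. Note that the script only inspects the SSL configuration; whether SSLv3 is actually reachable also depends on which interfaces have webvpn or http server enabled.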

New Member

Hello. I have these 2 commands running

ssl server-version tlsv1-only
ssl client-version tlsv1-only

But when I run this tool https://www.ssllabs.com the vulnerability is still there...

Cisco ASA 5520 9.0(1)

Thanks
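
To verify the setting from the outside, the way a scanner such as SSL Labs does, here is an added example (not from this thread or from Cisco) that sends one SSLv3 ClientHello offering only CBC suites and classifies the first record that comes back: a ServerHello carrying version 3.0 means SSLv3 is still negotiable, while an alert or a closed connection means the tlsv1-only setting is taking effect for that listener. The host name is a placeholder, the port defaults to 443, and the two sample server replies are constructed so the classifier can be exercised offline.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"            # version bytes for SSL 3.0
HANDSHAKE, ALERT = 0x16, 0x15  # TLS/SSL record content types
# Standard cipher suite IDs for CBC suites: AES128-SHA, AES256-SHA, DES-CBC3-SHA, DES-CBC-SHA.
CBC_SUITES = (0x002F, 0x0035, 0x000A, 0x0009)


def build_sslv3_client_hello(suites=CBC_SUITES) -> bytes:
    """Build a single SSLv3 ClientHello record that offers only CBC cipher suites."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (SSLV3 + os.urandom(32)                          # client_version + random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type ClientHello
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record a server returns in answer to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"        # connection closed without a record: SSLv3 refused
    if data[0] == ALERT:
        return "rejected-alert"     # e.g. handshake_failure or protocol_version
    if data[0] == HANDSHAKE and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        return "sslv3-accepted" if data[9:11] == SSLV3 else "other-version"
    return "unexpected"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify the reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "no-response"


# Constructed sample replies (not captured from a real device) for offline use.
SAMPLE_SERVER_HELLO = (bytes([HANDSHAKE]) + SSLV3 + b"\x00\x2a"      # record: 42 bytes
                       + b"\x02\x00\x00\x26" + SSLV3 + b"\x00" * 32   # ServerHello, version 3.0
                       + b"\x00" + b"\x00\x2f" + b"\x00")             # no session id, AES128-SHA, null
SAMPLE_ALERT = bytes([ALERT]) + SSLV3 + b"\x00\x02" + b"\x02\x28"    # fatal handshake_failure

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. python poodle_check.py asa.example.invalid (placeholder host)
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        print("sample ServerHello ->", classify_response(SAMPLE_SERVER_HELLO))
        print("sample alert       ->", classify_response(SAMPLE_ALERT))
```

Run it against the same host name and port the scanner tested, since the ssl server-version command applies to every SSL listener on the appliance but a scanner may have reached a different address than the one you changed.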

New Member

The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.

Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.

Finally, there is no indication of when a fixed release might be available. Can you comment?

New Member

Does anyone know if the CISCO ASA 9.1(5) is affected? Device Type: 5525.

Where do I get this information?

Thank you.

Hall of Fame Super Silver

Yes, it is.

Please refer to the link I provided earlier and, in that page, under affected products you can see a follow-on link to the actual BugID for the ASA (cisco.com login required).

New Member

Are you sure? I see nothing that indicates v9.1(5) is vulnerable, only v9.1(1). Some clarity would be nice on this topic, as earlier in this thread you agree that because 9.1(3) isn't mentioned you can't say for sure if it's vulnerable. Then to the question of v9.1(5) you agree it is.

Hall of Fame Super Silver

Cisco has updated the BugID since my original posting to indicate the ASA vulnerability applies to "9.1.2 and later".

Reference

New Member

Yep, I had opened a ticket last night specifically mentioning the advisory and received confirmation. Glad they updated the article! :)

"Yes, the ASA version 9.1.5 is vulnerable. The fixed release is ASA version 9.2(2.103) and 9.3(1.1). So any versions before these versions are vulnerable."
