ASA evaluation of SSLv3 POODLE vulnerability at https://tools.cisco.com/bugsearch/bug/CSCur23709 only mentions ASA 5500-X but not ASA 55xx appliances and ASA SM. Does this mean ASA 55xx appliances and ASA SM are not affected by the vulnerability?
They use the term "Cisco ASA 5500-X Series Next-Generation Firewalls" in a generic sense. Given that the known affected versions include ASA 8.2, 8.3 and 8.4 software (which run on the legacy ASA 5500s), then I'd say yes it includes the ASA 5500 (non-X) series.
The actual security vulnerability announcement confirms that the vulnerability applies to the software - not necessarily the hardware platform per se.
Given that the ASA Service Module code base is based on the affected software (even though they are silent re 8.5 which you could be running on the ASA SM) I'd say it would be a good idea to mitigate that platform as well if you have it.
I can't say for sure as those software versions aren't specifically named in the BugID for this vulnerability.
In any case, the workaround to mitigate it is simple enough so you can just go ahead and deploy:
ssl client-version tlsv1-only
ssl server-version tlsv1
There's no adverse impact to any other services on the system.
The workaround happens to not be applicable for the version I'm running. The vulnerability could affect an ASA if "A block cipher in CBC mode is one of the transform sets being offered".
How do I know if a block cipher in CBC mode is one of the transform sets I have configured? I cannot find any further details from Cisco regarding this.
What version are you running on your ASA?
ssl client-version and ssl server-version were both introduced in 7.0(1) quite some time ago...
The way I understand it...
If your ASA acts as an https server for downloading AnyConnect software to VPN users, or if you use clientless VPN or ASDM -and- if you have ssl server-version any, then you are at risk due to the client's browser negotiating down to SSLv3.
Hope this helps.
Hello. I have these 2 commands running
ssl server-version tlsv1-only
ssl client-version tlsv1-only
But when I run this tool https://www.ssllabs.com the vulnerability is still there...
Cisco ASA 5520 9.0(1)
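One way to check from an admin workstation whether a listener still completes an SSLv3 handshake with a block cipher in CBC mode (the condition quoted from the bug note above) after the ssl server-version change, instead of relying on an external scanner. This is an added example, not code from this thread or from Cisco; the host and port are whatever you point it at, and the two sample records at the bottom are constructed for offline testing.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"  # SSLv3 version bytes used in the record and handshake headers
# Only block ciphers in CBC mode are offered, so a completed handshake means the
# precondition quoted from the bug note is still met on this listener.
CBC_SUITES = {0x000A, 0x002F, 0x0035}  # RSA with 3DES-CBC, AES128-CBC, AES256-CBC

def build_sslv3_client_hello():
    """SSLv3 ClientHello offering only CBC suites, wrapped in an SSLv3 record."""
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (SSL3 + os.urandom(32) + b"\x00"             # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites   # cipher suite list
            + b"\x01\x00")                              # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Classify the first record the server sends back to the SSLv3 probe."""
    if len(data) < 5:
        return "unknown"
    if data[0] == 0x15:                       # Alert record: handshake refused
        return "sslv3-refused"
    if data[0] == 0x16 and len(data) > 10 and data[5] == 0x02:   # ServerHello
        try:
            sid_len_off = 5 + 4 + 2 + 32      # record hdr + handshake hdr + version + random
            suite_off = sid_len_off + 1 + data[sid_len_off]
            suite = struct.unpack("!H", data[suite_off:suite_off + 2])[0]
        except (IndexError, struct.error):
            return "unknown"                  # truncated ServerHello
        if data[9:11] != SSL3:
            return "sslv3-refused"            # server answered with another version
        return "sslv3-cbc-accepted" if suite in CBC_SUITES else "sslv3-non-cbc"
    return "unknown"

def check_host(host, port=443, timeout=5):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""                        # silent drop: treated as unknown
    return classify_response(data)

# Constructed sample: SSLv3 ServerHello selecting TLS_RSA_WITH_AES_128_CBC_SHA (0x002F).
SAMPLE_SERVER_HELLO = (b"\x16" + SSL3 + b"\x00\x2a" + b"\x02\x00\x00\x26"
                       + SSL3 + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00")
# Constructed sample: fatal handshake_failure alert, the expected answer from a tlsv1-only listener.
SAMPLE_ALERT = b"\x15" + SSL3 + b"\x00\x02\x02\x28"
```

Call check_host("your-asa-address") against the interface the ASDM or WebVPN listener is on; "sslv3-cbc-accepted" means the workaround has not taken effect on that listener, "sslv3-refused" means it has.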
The list of fixed releases for bug CSCur23709 lists 9.0(4.201). When will it be generally available? I don't see it on the ASA5525 Interim Releases page.
Also, Bug CSCur23709 refers to a fix for CSCug51375 as being available for releases 9.1.2 and later but I can find no reference to it in any of the Interim Release notes.
Finally, there is no indication of when a fixed release might be available. Can you comment?
Yes, it is.
Please refer to the link I provided earlier and, in that page, under affected products you can see a follow-on link to the actual BugID for the ASA (cisco.com login required).
Are you sure? I see nothing that indicates v9.1(5) is vulnerable, only v9.1(1). Some clarity would be nice on this topic as earlier in this thread you agree that because 9.1(3) isn't mentioned you can't say for sure if it's vulnerable. Then to the question of v9.1(5) you agree it is.
Cisco has updated the BugID since my original posting to indicate the ASA vulnerability applies to " 9.1.2 and later".
Yep, I had opened a ticket last night specifically mentioning the advisory and received confirmation. Glad they updated the article! :)
"Yes, the ASA version 9.1.5 is vulnerable. The fixed release is ASA version 9.2(2.103) and 9.3(1.1). So any versions before these versions are vulnerable."