Cisco Support Community
Community Member

POODLE vulnerability - ASA 5520

Hi

 

I would like to know if my firewalls ASA 5520 (Cisco Adaptive Security Appliance Version 8.4(6), 8.2(1)) are vulnerable to the POODLE vulnerability.

 

Which workaround should I apply? Would it have any impact on my VPN or DMZ servers?

 

Thanks...

1 REPLY
Cisco Employee


Hi ,

Both these ASA versions are vulnerable.

Conditions:
The default configuration of SSL on all versions of the ASA enables SSLv3.
Due to CSCug51375, the ASA is unable to disable SSLv3 on ASA v9.0.x and v9.1.1.x.

To see the SSL configuration:
show run all ssl

Default configuration of the ASA:
ssl client-version any
ssl server-version any

The following non-default configuration values also enable SSLv3:
ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3

The following versions are vulnerable regardless of ssl configuration:
* 9.0.x
* 9.1.1.x

Workaround:
Disable SSLv3 and write the changes to the startup-config.

This workaround only applies to the following versions:
* 7.x and later
* 8.2 and later
* 8.3 and later
* 8.4 and later
* 8.5 and later
* 8.6 and later
* 8.7 and later
* 9.1.2 and later (with CSCug51375 fix)
* 9.2.1 and later (with CSCug51375 fix)
* 9.3.1 and later

Use the following config-mode commands:

ssl server-version tlsv1
ssl client-version tlsv1-only

There is no need to reboot. The configuration must be saved via "write memory".
 

Here are the bug details: CSCur23709

Known fixed ASA versions: 9.0(4.201), 9.2(2.103), 9.3(1.1)

 

Thanks,

Prashant Joshi
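An added example (not part of the reply or of any Cisco tool) that turns the checks above into a script: it parses "show run all ssl" output for the client/server version keywords that leave SSLv3 enabled, and applies the 9.0.x / 9.1.1.x rule from CSCug51375 to decide whether the configuration workaround is available. The sample output and the trust-point name are constructed.

```python
import re

# Values of "ssl client-version" / "ssl server-version" that leave SSLv3
# enabled on the ASA, per the reply above ("any" is the factory default).
SSLV3_VALUES = {"any", "sslv3", "sslv3-only"}

# Constructed sample of "show run all ssl" from a default-configured ASA.
DEFAULT_OUTPUT = """\
ssl server-version any
ssl client-version any
ssl trust-point mytp outside
"""

def parse_ssl_versions(output):
    """Map 'client'/'server' to the configured SSL version keyword."""
    versions = {}
    for line in output.splitlines():
        m = re.match(r"\s*ssl (client|server)-version (\S+)", line)
        if m:
            versions[m.group(1)] = m.group(2).lower()
    return versions

def sslv3_enabled(versions):
    """Roles whose setting still allows SSLv3; a missing line means the
    default 'any', which also enables SSLv3."""
    return [r for r in ("client", "server")
            if versions.get(r, "any") in SSLV3_VALUES]

def can_disable_sslv3(asa_version):
    """False for the 9.0.x and 9.1.1.x trains, where CSCug51375 prevents
    disabling SSLv3; accepts '8.4(6)' or '8.4.6' style version strings."""
    parts = tuple(int(p) for p in re.findall(r"\d+", asa_version))
    return parts[:2] != (9, 0) and parts[:3] != (9, 1, 1)

def assess(asa_version, output):
    """Summarise exposure and the remediation the reply prescribes."""
    roles = sslv3_enabled(parse_ssl_versions(output))
    if not roles:
        return {"status": "ok", "roles": [], "action": "none"}
    if not can_disable_sslv3(asa_version):
        return {"status": "vulnerable", "roles": roles,
                "action": "upgrade (SSLv3 cannot be disabled on this train)"}
    return {"status": "vulnerable", "roles": roles,
            "action": "ssl server-version tlsv1 / ssl client-version "
                      "tlsv1-only, then write memory"}

if __name__ == "__main__":
    print(assess("8.4(6)", DEFAULT_OUTPUT))
```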

 
