New Member

vulnerabilities associated with ASA 5520

 

Hi everyone,

Scan results show that the ASA 5520 config for IPsec and AnyConnect IKEv2 has the following vulnerability:

Medium strength ciphers supported: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

Reconfigure the affected application if possible to avoid use of medium strength ciphers.

The ASA is not using SSL AnyConnect.

SSL config on the ASA:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5
ssl trust-point ASDM_TrustPoint0 outside
  anyconnect ssl dtls enable
  anyconnect ssl keepalive none
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect ssl compression deflate
vpn-tunnel-protocol ikev1 ssl-client

To fix this, do I need to remove the config line "anyconnect ssl dtls enable"?

Also, FIPS is currently not enabled on the ASA. Should I enable it to get rid of the scan results?

Regards
Mahesh

7 REPLIES

Hi Mahesh,

It seems that there are still no updates from Cisco against this vulnerability. They will release a new version of the OS after fixing this vulnerability. You can go through the link below for details.

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

Regards
Karthik

VIP Purple

With the following line in your config

ssl encryption aes256-sha1 aes128-sha1 3des-sha1 des-sha1 rc4-sha1 rc4-md5

you are running ciphers that are weak. You should remove any rc4- and des- ciphers. If compatibility permits it, you could also remove 3des as a legacy algorithm.

Depending on your version, you could also enable the ciphers "dhe-aes128-sha1" and "dhe-aes256-sha1".

DTLS has nothing to do with this.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi Karsten,

I checked my ASA; I have the options below:

ssl encryption aes256-sha1 ?

configure mode commands/options:
  3des-sha1        Indicate use of 3des-sha1 for ssl encryption
  aes128-sha1      Indicate use of aes128-sha1 for ssl encryption
  des-sha1         Indicate use of des-sha1 for ssl encryption
  dhe-aes128-sha1  Indicate use of dhe-aes128-sha1 for ssl encryption
  dhe-aes256-sha1  Indicate use of dhe-aes256-sha1 for ssl encryption
  null-sha1        Indicate use of null-sha1 for ssl encryption (NOTE: Data is NOT encrypted if this cipher is chosen)
  rc4-md5          Indicate use of rc4-md5 for ssl encryption
  rc4-sha1         Indicate use of rc4-sha1 for ssl encryption

So will the config below take care of all the weak ciphers?

5520(config)# ssl encryption aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1

And can I do this on the fly, as it should not cause any outage?

Can I simply remove the current ssl encryption config and replace it with the config above?

Best Regards
Mahesh

 

VIP Purple

Yes, just set the new cipher string and you are ready. I didn't test that, but I would assume that any running connection with a removed cipher *could* get disconnected. But you don't want them anyway, and when they reconnect they will pick one of the better ciphers.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi Karsten,

Many thanks for answering my post.

It was pretty hard for me to find an answer for this on the internet.

Best Regards

Mahesh

VIP Purple

Another config that I forgot, but that could also be found by an assessment, is the accepted SSL/TLS version of the ASA. This is the default:

asa# sh run all ssl
ssl server-version any

Here you should change the setting to only accept TLSv1:

ssl server-version tlsv1-only

At least on up-to-date operating systems I haven't seen any compatibility issues with that.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thanks Karsten for the further update on this.

Best Regards

Mahesh
