
Doubt about "Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability"

flleandro
Level 1

Hello,

Could someone clarify the following question, please?

Due to this Advisory ID cisco-sa-20180129-asa1, I upgraded from version 9.6(3)20 to version 9.6.4(3) as indicated.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

According to the information, the upgrade would fix the vulnerability. So we could continue to use the Features without problems, right?

In this case, I use AnyConnect IKEv2 Remote Access (with client services) and I need to continue using it.

If I continue to use this feature, will I still be at risk?

Are the SSL and DTLS listen sockets output above normal or should they be different after the upgrade?

 

--------------------------------------------
::: ASA device with SSL and DTLS listen sockets:

asa# show asp table socket | include SSL|DTLS
SSL 00013b78 LISTEN 123.123.123.123:443 0.0.0.0:*
DTLS 000143e8 LISTEN 123.123.123.123:443 0.0.0.0:*
--------------------------------------------

::: Feature:

AnyConnect IKEv2 Remote Access (with client services)
--------------------------------------------

::: Configuration:

asa# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside client-services port 443
--------------------------------------------

::: SSL system statistics

asa# show asp table socket stats protocol ssl

NP SSL System Stats:
Handshake Started: 1012
Handshake Complete: 890
SSL Open: 11
SSL Close: 1703
SSL Server: 1066
SSL Server Verify: 0
SSL Client: 0
--------------------------------------------

 

Thanks!

Att, 

Flavio

 

1 Reply

Ben Walters
Level 3

You are correct: if you are using the updated code from Cisco, the vulnerability has been patched and you can continue using the VPN features of the firewall.

 

I noticed the SSL/DTLS command outputs didn't change any after the update, which they shouldn't. The new code wouldn't have modified your config; it would have just patched the security hole that existed for those processes.
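
The point made in the reply, as an added example that is not part of the original thread: the SSL/DTLS listen sockets follow from the configuration, so checking them shows that the feature is enabled, not whether the image is patched. The function names are hypothetical, and the sample input is the command output quoted in the question.

```python
import re

# Constructed sample input: the command output quoted in the question.
SOCKET_TABLE = """\
asa# show asp table socket | include SSL|DTLS
SSL 00013b78 LISTEN 123.123.123.123:443 0.0.0.0:*
DTLS 000143e8 LISTEN 123.123.123.123:443 0.0.0.0:*
"""
RUNNING_CONFIG = """\
asa# show running-config crypto ikev2 | include enable
crypto ikev2 enable outside client-services port 443
"""

SOCKET_RE = re.compile(
    r"^(?P<proto>SSL|DTLS)\s+(?P<handle>[0-9a-fA-F]+)\s+(?P<state>\S+)\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*$")
IKEV2_RE = re.compile(
    r"^crypto ikev2 enable (?P<iface>\S+)"
    r"(?P<cs> client-services(?: port (?P<port>\d+))?)?\s*$")


def listening_sockets(text):
    """Return (proto, address, port) for every SSL/DTLS socket in LISTEN state."""
    found = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line.strip())
        if m and m["state"] == "LISTEN":
            found.append((m["proto"], m["addr"], int(m["port"])))
    return found


def client_services(text):
    """Return (interface, port) for each IKEv2 line with client-services enabled.
    The port is None when the line does not state one."""
    found = []
    for line in text.splitlines():
        m = IKEV2_RE.match(line.strip())
        if m and m["cs"]:
            found.append((m["iface"], int(m["port"]) if m["port"] else None))
    return found


def explain_listeners(sockets, services):
    """Map each listener to the interfaces whose client-services port matches it.
    An empty list means the running-config lines given do not account for it."""
    return {(proto, port): [i for i, p in services if p == port]
            for proto, _addr, port in sockets}


if __name__ == "__main__":
    socks = listening_sockets(SOCKET_TABLE)
    print(explain_listeners(socks, client_services(RUNNING_CONFIG)))
```

Running the same check on output captured before and after an upgrade should give the same mapping, because the configuration is unchanged; the patch level has to be read from the software version instead.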