Cisco Bug: CSCul78956 - ASA-CX Vulnerability: TLS/SSL Server Supports Weak Cipher Algorithms

Last Modified

Jul 01, 2015

Products (1)

  • Cisco ASA Next-Generation Firewall Services

Known Affected Releases

9.1(2) 9.2(1.2.42)

Description (partial)

Getting the following reports while scanning CX module.
The TLS/SSL server supports cipher suites based on weak algorithms. This may enable an 
attacker to launch man-in-the-middle attacks and monitor or tamper with sensitive data. In general, 
the following ciphers are considered weak:

  • So-called "null" ciphers, because they do not encrypt data.
  • Export ciphers using secret key lengths restricted to 40 bits. This is usually indicated by the 
word EXP/EXPORT in the name of the cipher suite.
  • Obsolete encryption algorithms with secret key lengths considered short by today's 
standards, e.g. DES or RC4 with 56-bit keys.

Disable SSL support for weak ciphers

Configure the server to disable support for weak ciphers.

For Microsoft IIS web servers, see Microsoft Knowledgebase article 245030 for instructions on 
disabling weak ciphers.

For Apache web servers with mod_ssl, edit the Apache configuration file and change the 
SSLCipherSuite line to read:

For other servers, refer to the respective vendor documentation to disable the weak ciphers.

CX module running 9.1.2(42) and using Rapid 7 running V 5.7.18 with last content update on 
11/25, version 3459324873
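
The three weak-cipher categories listed in the description can be checked against the suite names a scanner reports. The following is an added example, not part of the bug report or of any Cisco or Rapid7 tooling; the function names and the sample suite list are constructed for illustration.

```python
import re
import ssl

# Constructed sample of suite names as a scanner might report them,
# in both OpenSSL and IANA spellings (not taken from the bug report).
SAMPLE_SUITES = [
    "NULL-SHA", "TLS_RSA_WITH_NULL_SHA",
    "EXP-RC4-MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5", "EXP-DES-CBC-SHA",
    "DES-CBC-SHA", "TLS_RSA_WITH_DES_CBC_SHA",
    "DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
]

def weak_reasons(suite):
    """Return which of the three listed categories a suite name falls into."""
    tokens = re.split(r"[-_]", suite.upper())
    reasons = []
    if "NULL" in tokens:                       # no encryption at all
        reasons.append("null")
    if any(t.startswith("EXP") for t in tokens):  # EXP / EXPORT / EXPORT1024
        reasons.append("export")
    # Single DES only: OpenSSL spells 3DES as DES-CBC3, IANA as 3DES_EDE,
    # so neither must be mistaken for the 56-bit cipher.
    single_des = "DES" in tokens and "CBC3" not in tokens
    # Explicit 40/56-bit key sizes as they appear in IANA names.
    short_size = any(t in ("40", "56", "DES40") for t in tokens)
    if single_des or short_size:
        reasons.append("short-key")
    # RC4 with longer keys falls outside these three categories and is
    # not flagged here.
    return reasons

def audit(suites):
    """Map each weak suite name to its reasons; strong suites are omitted."""
    return {s: r for s in suites if (r := weak_reasons(s))}

def audit_local_defaults():
    """Apply the same check to this Python build's default TLS context."""
    ctx = ssl.create_default_context()
    return audit(c["name"] for c in ctx.get_ciphers())

if __name__ == "__main__":
    for name, why in audit(SAMPLE_SUITES).items():
        print(f"{name}: {', '.join(why)}")
    print("local defaults flagged:", audit_local_defaults() or "none")
```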