To help target different markets and security requirements, Cisco split its hardware module offerings into two distinct categories. The Content Security and Control Security Services module aims to cover corporate environments where comprehensive malware protection, advanced content filtering (including web caching, URL filtering, and anti-phishing), and anti-spam filtering are required.
This all-in-one hardware module solution is capable of providing a wealth of security and control capabilities essential for networks of all sizes. Figure 1. The Advanced Inspection and Prevention Security Services modules combine IPS and IDS threat protection with mitigation services that aim to stop malicious traffic before it can affect the network.
Consult the "Software Versions and Fixes" section of this security advisory for more information about the affected versions. Cisco PIX Security Appliances may be affected by some of the vulnerabilities described in this security advisory. Cisco PIX has reached end of software maintenance.
Consult the dedicated section for Cisco PIX Security Appliances in the "Vulnerable Products" section of this security advisory for more information about affected versions.

Vulnerable Products

For specific version information, refer to the "Software Versions and Fixes" section of this advisory. The following example shows the Cisco ASA Software with SSL VPN enabled on the outside interface:

    ciscoasa# show running-config webvpn
    webvpn
     enable outside

To determine whether the Cisco ASA Software has a tunnel group configured for a remote AAA server, use the show running-config tunnel-group general-attributes command and verify that the authentication-server-group is set to authenticate to a remote AAA server.
To determine whether SIP inspection is enabled, use the show service-policy inspect sip command.

Determine the Running Software Version

To determine whether a vulnerable version of Cisco ASA Software is running on an appliance, administrators can issue the show version command. Cisco PIX Security Appliance Software is not affected by any other vulnerabilities described in this security advisory. With the exception of the Cisco FWSM, no other Cisco products are currently known to be affected by these vulnerabilities.
The following section provides additional information about each vulnerability. An attacker could exploit this vulnerability by sending a sequence of crafted DHCP packets to the affected system. Note: This vulnerability may be triggered by both transit traffic and traffic directed to the affected device.
It requires no client software. A vulnerability exists in the implementation of the authentication, authorization, and accounting (AAA) code for the remote SSL VPN Clientless and AnyConnect feature that could allow an unauthenticated, remote attacker to trigger a reload of the affected system. This vulnerability is due to insufficient validation of a crafted authentication response when an AAA challenge-response is required to complete the authentication process.
Note: Only traffic destined to the affected device can be used to exploit this vulnerability. This vulnerability can be triggered by IPv4 traffic only. A vulnerability exists in the DCERPC inspection engine that would allow an unauthenticated, remote attacker to cause a reload of the affected system or to overflow the stack and possibly execute arbitrary commands.
An attacker could exploit this vulnerability by sending a crafted DCERPC packet that needs to be inspected by the affected system. Note: Only transit traffic can be used to exploit these vulnerabilities. These vulnerabilities affect both routed and transparent firewall mode in both single and multiple-context mode. See the following limitations: We modified the following command: ssl encryption. Support for administrator password policy when using the local database.
When you configure authentication for CLI or ASDM access using the local database, you can configure a password policy that requires a user to change their password after a specified amount of time and also requires password standards such as a minimum length and the minimum number of changed characters.
We introduced the following commands: change-password, password-policy lifetime, password-policy minimum-changes, password-policy minimum-length, password-policy minimum-lowercase, password-policy minimum-uppercase, password-policy minimum-numeric, password-policy minimum-special, password-policy authenticate enable, clear configure password-policy, show running-config password-policy.
You can specify a public key file (PKF) formatted key or a Base64 key. The PKF key can be up to bits. We introduced the following command: ssh authentication. We introduced the following command: show ssh sessions detail. Formerly, only Group 1 was supported. We introduced the following command: ssh key-exchange.
Support for a maximum number of management sessions. We introduced the following commands: quota management-session, show running-config quota management-session, show quota management-session.
To improve security for management access to the ASA, the default login password for Telnet was removed; you must manually set the password before you can log in using Telnet. Note: The login password is only used for Telnet if you do not configure Telnet user authentication (the aaa authentication telnet console command).
For initial ASASM access, you must use the service-module session command, until you set a login password. We modified the following command: passwd.
The X9. Support for SHA image integrity checking was added. We modified the following command: verify. There is no configuration required on the ASASM for this feature; see the switch configuration guide for more information. The cpu profile activate command now supports the following:
You can now configure DHCP relay servers per-interface, so requests that enter a given interface are relayed only to servers specified for that interface.
We introduced or modified the following commands: dhcprelay server (interface config mode), clear configure dhcprelay, show running-config dhcprelay. You can now preserve Option 82 and forward the packet by identifying an interface as a trusted interface. We introduced or modified the following commands: dhcprelay information trusted, dhcprelay information trust-all, show running-config dhcprelay. The ASA X now supports additional interfaces on network modules in slot 1.
You can install one or two of the following optional network modules: For demonstration purposes only, you can enable monitor-only mode for the service policy, which forwards a copy of traffic to the ASA CX module while the original traffic remains unaffected. Another option for demonstration purposes is to configure a traffic-forwarding interface instead of a service policy in monitor-only mode.
Support for NetFlow flow-update events and an expanded set of NetFlow templates. Two new fields were added for IPv6 translation support. Decreased the half-closed timeout minimum value to 30 seconds. The half-closed timeout minimum value for both the global timeout and connection timeout was lowered from 5 minutes to 30 seconds to provide better DoS protection.
We modified the following commands: set connection timeout half-closed, timeout half-closed. We modified the following command: crypto ikev1 limit. The IKEv2 nonce size has been increased to 64 bytes. Higher-strength algorithms will be downgraded to the IKE level. This new algorithm is enabled by default. We recommend that you do not disable this feature. We introduced the following command: crypto ipsec ikev2 sa-strength-enforcement.
For Site-to-Site, IPsec data-based rekeying can be disabled. We modified the following command: crypto ipsec security-association. This release adds support for the Windows 8 (x86) and Windows 8 (x64) operating systems.
CSD 3. Flow-update events have been introduced to provide periodic byte counters for flow traffic. You can change the time interval at which flow-update events are sent to the NetFlow collector.
You can filter which collectors flow-update records are sent to. We introduced or modified the following commands: flow-export active refresh-interval, flow-export event-type. Table 7 lists the new features for ASA Version 9. We modified the following commands: session cxsc, show module cxsc, sw-module cxsc. See the following table for the upgrade path for your version. Some versions require an interim upgrade before you can upgrade to the latest version. For detailed steps about upgrading, see the 9.
The open and resolved bugs for this release are accessible through the Cisco Bug Search Tool. This web-based tool provides you with access to the Cisco bug tracking system, which maintains information about bugs and vulnerabilities in this product and other Cisco hardware and software products.
Note: You must have a Cisco. If you do not have one, you can register for an account. If you do not have a Cisco support contract, you can only look up bugs by ID; you cannot run searches.
If you have a Cisco support contract, use the following dynamic search for open bugs for Version 9. The following table lists select open bugs at the time of this Release Note publication.
ASA behavior is not consistent when configuring traffic forwarding to CX.
LU Updates during config sync in a clustered environment cause traceback.
ASA will traceback if AnyConnect configuration is deleted.
Client lease not renewed and expired, entry not purged in secondary unit.
TFW Dropping fragmented V6 mcast traffic with 3 intf in a bridge group.
Flipping FO unit will create stale DHCP lease entries on FO units.
FW Perf tests will have degradation after first reboot test run.
L2 cluster slave unit exiting cluster while sending multicast traffic.
Personal bookmarks get overwritten after failover and addition.
ASA-SM device is getting disconnected after configuring IP for VLAN.
XenDesktop 7.
Unable to observe any DHCP lease information using the show command.
High CPU on cluster units due to looping of UDP packets.
Traceback in Thread Name: ssh when using capture or continuous ping.
ASA 9.
ASA: Neighbor command not being removed on clearing interface config.
WebVPN login page stopped displaying ASA - Peak Concurrent sessions more than available addresses in pool.
If you have a Cisco support contract, use the following search for resolved bugs:
The following table lists select resolved bugs at the time of this Release Note publication.
Can get around dynamic-filter by using caps in domain name.
Authentication is successful, but HTTP browser with error msg displayed.
URLF: Websense v4 message length calculation is incorrect by 2 bytes.
A traceback may happen while processing crypto commands.
Traceback and reload triggered by failover configuration.
ASA 8.
RRI static routing changes not updated in routing table.
ASA Threat detection adds Shun entry for attacker based on routing table.
Transactional ACL commit will bypass security policy during compilation.
ASA teardown connection after receiving same direction FINs.
Shared licenses are not activated on failover pair after power cycle.
WebVPN Rewriter: "parse" method returns curly brace instead of semicolon.
Failover assembly remained in active-active state permanently.
ASA redirection to Scansafe tower fails with log id "" in syslog.
Cert Auth fails with 'max simultaneous-login restriction' error.
Auth-prompt configured in one context appears in another context.
Webvpn rewrite issues for Confluence - by Atlassian on latest v6.
Clientless webvpn on ASA does not display asmx files.
ASA permanent base license, temp secplus, failover, VLAN count issue.
Unable to authenticate with remove aaa-server from different context.
ASA cluster: Incorrect "current conns" counter in service-policy.
ASA may traceback when displaying packet capture with trace option.
FO: ASAv crashed while syncing during upgrade from 9.
Standby traceback during config replication with customization export.
PCP SSL sessions stop processing - "Unable to create session directory" error.
ASA coredumped after enable/disable webvpn on interface.
AnyConnect sessions fail due to IPv6 address assignment failure.
ASA traceback in thread name snmp after upgrade to 9.
The following table lists the resolved bugs at the time of this Release Note publication.
ASA cut-through proxy limiting authentication attempts from user.
When ACL optimization is enabled, wrong rules get deleted.
ASA: Crash when out of stack memory with call-home configured.
ASA traceback when retrieving idfw topn user from slave.
ASA may traceback when "write standby" command is entered twice.
ASA: 'no monitor-interface service-module' command gone after reload.
SCP copy operations expose sensitive information in syslogs.
ASA stops decrypting certain L2L traffic after working for some time.
Failover Standby unit has higher memory utilization.
Aborted AnyConnect Authentications can cause resource leak.
IPv6 stateless autoconfiguration fails if managed config flag in RA.
Failed to allocate global ID when adding service-policy.
Multicast - ASA doesn't populate mroutes after failover.
Arsenal: twice NAT with service type ftp not working.
ASA failover standby device reboots due to delays in config replication.
ASA: standby traceback during replication of specific privilege command.
Jumbo Frame is not supported in the ASA due to wrong bigphys size.
ASA - Wrong object-group migration during upgrade from 8.
ASA Cluster slave unit loses default route due to sla monitor.
ASA traceback Page fault during xlate replication in a failover setup.
Traceback when no failover then clear conf all during xlate replication.
Traceback when executing "show crypto accelerator load-balance".
ASA has inefficient memory use when cumulative AnyConnect session count grows.
ASA crashes in stress testing with user-storage enabled.
DMA memory leak in byte fragments with nbns-server config.
Table 11 contains select resolved bugs in ASA Version 9.
If you are a registered Cisco.
A warning message is needed when a new encryption license is applied.
WebVpn: javascript parser error while rewriting libmin.
ACL Migration to 8.
ASA: Page fault traceback with 'show dynamic-filter dns-snoop detail'.
ASA traceback in Thread Name: ssh on modifying service object.
ST not injected in mstsc.
Webvpn rewriter some links from steal.
Removing ports from service object-group does not remove from the ACL.
Traceback after upgrade from pre ASA may drop all traffic with Hierarchical priority queuing.
ASA: Page fault traceback after running show asp table socket.
ENH: Need to optimize messages printed on upgrade from 8.
ASA: Out of order FIN packet leaves connection half closed.
ASA should allow out-of-order traffic through normalizer for ScanSafe.
ASA failover cluster traceback when replicating the configuration.