agradmin
asked on
Cisco ASA VPN PCI failure due to weak SSL encryption - part 2
We continue to fail a PCI scan on our Cisco ASA firewall due to cipher vulnerabilities as follows (note: all on UDP port 500, TLS minimum set to TLS 1.1):
- Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device.
- Weak Diffie-Hellman groups identified on VPN Device. Use Diffie-Hellman Key Exchange Group 5 or higher where possible, or the highest available to the VPN endpoints.
We use the Cisco AnyConnect client for connections, with all clients accessing AES256.
After setting the firewall DH group level to 5 and Cipher security level to MEDIUM (no DES/3DES support) I am still seeing PCI failures due to DES/3DES and a DH group level of 2.
Can anyone explain this (and how to resolve)? Does the ASA require a reload to use the new settings?
Following is the cipher information from the firewall:
asa1234x# sh ssl cipher
Current cipher configuration:
default (custom): AES256-SHA:AES128-SHA
AES256-SHA
AES128-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
DHE-RSA-AES256-SHA256
AES256-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
asa1234x#
ASKER
I agree and am aware TLS 1.2 would be preferred but am concerned about the client side.
Did you update all Cisco software? Apparently Cisco had some problems a while back. Described here below. I don't pretend to know or understand all this, but thought it worth mentioning to see if you think it is relevant.
CVE-2014-3393: Security Appliance Turned Security Risk
A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated, remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.
The vulnerability is due to an improper implementation of authentication checks in the Clientless SSL VPN portal customization framework. An attacker could exploit this vulnerability by modifying some of the customization objects in the RAMFS cache file system. An exploit could allow the attacker to bypass Clientless SSL VPN authentication and modify the portal content.
From this link.
https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
Only AnyConnect 4.x supports TLS 1.2, and that requires ASA 9.3(2).
http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect40/release/notes/b_Release_Notes_AnyConnect_4_0.html#reference_467195CDD71947948872259D1DB91158
New Features in AnyConnect 4.0.00048
AnyConnect now supports TLS version 1.2 with the following additional cipher suites:
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
AES256-SHA256
AES128-SHA256
Note - AnyConnect TLS 1.2 requires a secure gateway that also supports TLS 1.2. This is available in release 9.3(2) of the ASA on 5500-X models.
If you are seeing these on port 500 then that's ISAKMP, my friend; this means you have an IKEv1 or IKEv2 policy that is using these settings, and that's typically (not always) for IPsec VPN, not AnyConnect.
Issue a 'show run crypto', press the space bar a lot to page down; there at the bottom are your IKE policies. I bet one of them matches whatever the scan is moaning about.
Run 'show run cry isa', and make sure you don't have any IKE/IPsec tunnels up before you remove them.
:)
Pete
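Pete's advice above is to look through the IKE policies in 'show run crypto' for the settings the PCI scanner complains about. As an added illustration (not code from the thread or from Cisco), the script below parses that output and reports DES/3DES encryption and DH groups below 5, plus the interfaces on which IKE is enabled and therefore UDP/500 is listening; the ASA configuration it parses is a constructed sample, not the asker's firewall.

```python
import re
# Constructed sample of ASA 'show run crypto' output (not from the thread).
SAMPLE_SHOW_RUN_CRYPTO = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 encryption 3des
 hash sha
 group 2
crypto ikev1 policy 20
 encryption aes-256
 hash sha
 group 5
"""

WEAK_ENCRYPTION = {"des", "3des"}
MIN_DH_GROUP = 5  # the scanner's "Group 5 or higher" requirement

def parse_policies(config):
    """One dict per 'crypto ikev1|ikev2 policy N' block in the output."""
    policies, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev[12]) policy (\d+)", line)
        if m:
            current = {"version": m.group(1), "number": int(m.group(2))}
            policies.append(current)
        elif not line.startswith(" "):
            current = None  # an unindented line ends the policy body
        elif current is not None:
            key, *values = line.split()
            if key == "encryption":
                current["encryption"] = values  # IKEv2 may list several
            elif key == "group":
                current["groups"] = [int(g) for g in values]
    return policies

def find_weak_policies(config):
    """Findings in the scanner's terms: DES/3DES or a DH group below 5."""
    findings = []
    for p in parse_policies(config):
        name = f"{p['version']} policy {p['number']}"
        for enc in sorted(set(p.get("encryption", [])) & WEAK_ENCRYPTION):
            findings.append(f"{name}: weak encryption {enc}")
        for g in p.get("groups", []):
            if g < MIN_DH_GROUP:
                findings.append(f"{name}: DH group {g} below group {MIN_DH_GROUP}")
    return findings

def ike_enabled_interfaces(config):
    """Interfaces with IKE enabled, i.e. where UDP/500 is actually exposed."""
    return re.findall(r"^crypto ikev[12] enable (\S+)", config, re.M)
```

Paste the real 'show run crypto' output into the sample string to audit your own box; an empty findings list together with an empty interface list is the state the asker ended up in after disabling IKE.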
ASKER
Thanks Pete, once again you have hit the nail on the head. These are likely remnants of our legacy IPsec VPNs. We use AnyConnect exclusively at this point; how would you suggest we proceed?
Here's the result of the sh run cry isa:
sh run cry isa
crypto isakmp nat-traversal 3600
ASKER
Thanks Pete, the version is 9.8 as follows, so we should be good to go:
Cisco Adaptive Security Appliance Software Version 9.8(2)24
Here's the result of the command; let me know if your thoughts still hold true.
sh cry isa
There are no IKEv1 SAs
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 1913224
In Packets: 3581
In Drop Packets: 2326
In Notifys: 6
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 860524
Out Packets: 4473
Out Drop Packets: 0
Out Notifys: 3237
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 3567
System Capacity Fails: 0
Auth Fails: 1060
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 8
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 150
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 15
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 1696
In Packets: 4
In Drop Packets: 4
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 1500
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
-------------------------- ------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
Here's your clue :)
There are no IKEv1 SAs
There are no IKEv2 SAs
Good to go!!
ASKER
Thanks Pete, that's what I thought/hoped, I'll move ahead.
No bother!
ASKER
Good news - Pete has come through yet again! I re-ran a scan after disabling IKE as suggested and it now comes back clean.
Thanks Pete!
ASKER
Thanks to all for their expert input.
https://www.google.com.sg/amp/s/glazenbakje.wordpress.com/2015/11/17/cisco-asa-disable-ssl-3-0-settings-and-change-it-to-tls-v1-2/amp/