Symptom
The Cisco ASA (Adaptive Security Appliance) includes a version of OpenSSL that is affected by the vulnerability identified by the Common Vulnerabilities and Exposures (CVE) ID:
CVE-2014-3566 (the "POODLE" padding-oracle attack against SSLv3 CBC cipher suites)
Because CVE-2014-3566 is a flaw in the SSLv3 protocol itself rather than in a particular OpenSSL release, the ASA is exposed whenever it is willing to negotiate SSLv3; the relevant question for a given device is therefore whether SSLv3 can be disabled, not which OpenSSL version is bundled.
Conditions
The default SSL configuration on all ASA software trains enables SSLv3. Due to bug CSCug51375, the ASA is unable to actually disable SSLv3 on most ASA versions, even when the configuration is changed to a TLS-only setting.
To see the SSL configuration:
show run all ssl
Default configuration of the ASA:
ssl client-version any
ssl server-version any
The following non-default configuration values also enable SSLv3:
ssl client-version sslv3-only
ssl client-version sslv3
ssl server-version sslv3-only
ssl server-version sslv3
Some of the previously listed options are not available on older ASA software releases.
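The check a practitioner wants here has two halves: a review of the running configuration for the SSLv3-enabling values listed above, and a live probe that confirms whether the appliance still completes an SSLv3 handshake (necessary because of CSCug51375, where the configured version and the negotiated version can differ). The following Python script is an added example written for this page, not Cisco code. It parses constructed "show run all ssl" output, builds a raw SSLv3 ClientHello, and classifies the server's first record; the host/port used by probe_sslv3 is whatever the operator supplies, and the sample configuration text is constructed for illustration.

```python
import re
import socket
import struct

# Values of "ssl client-version" / "ssl server-version" that leave SSLv3
# enabled, as listed in the bug description (the default is "any").
SSLV3_ENABLING = {"any", "sslv3", "sslv3-only"}


def sslv3_exposures(show_run_all_ssl: str) -> list:
    """Return the version settings from 'show run all ssl' output that enable SSLv3."""
    findings = []
    for line in show_run_all_ssl.splitlines():
        m = re.match(r"\s*ssl\s+(client|server)-version\s+(\S+)", line)
        if m and m.group(2).lower() in SSLV3_ENABLING:
            findings.append(f"{m.group(1)}-version {m.group(2)}")
    return findings


def build_sslv3_client_hello(cipher_suites=(0x002F, 0x000A, 0x0005)) -> bytes:
    """Build a minimal SSLv3 (version 3.0) ClientHello record.

    SSLv3 has no extensions, so the message is: version, 32-byte random,
    empty session id, cipher suite list, and the null compression method.
    The random is fixed here for reproducibility; a real probe should use
    os.urandom(32).
    """
    random_bytes = b"\x00" * 32
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x00" + random_bytes + b"\x00"          # version, random, session id len 0
            + struct.pack("!H", len(suites)) + suites      # cipher suites
            + b"\x01\x00")                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, v3.0


def classify_response(data: bytes) -> str:
    """Classify the first record a server returns to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"          # connection closed or reset without a record
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    if ctype == 0x16 and (major, minor) == (3, 0) and len(data) >= 6 and data[5] == 0x02:
        return "sslv3-accepted"       # ServerHello at version 3.0: SSLv3 is negotiable
    if ctype == 0x15:
        return "rejected-alert"       # alert record (typically handshake_failure or protocol_version)
    return "unknown"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the raw ClientHello to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample output in the style of "show run all ssl" (not from a real device).
SAMPLE_CONFIG = """\
ssl server-version any
ssl client-version tlsv1-only
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point ASDM_TrustPoint0 outside
"""

if __name__ == "__main__":
    print("config exposures:", sslv3_exposures(SAMPLE_CONFIG))
    # Example live use (requires network access to the ASA's SSL interface):
    # print(probe_sslv3("asa.example.internal", 443))
```

A sensible cross-check is openssl s_client -ssl3 -connect host:443, but many current OpenSSL builds are compiled without SSLv3 support and will refuse the -ssl3 option, which is why the probe above speaks the record layer directly. A device that reports "sslv3-accepted" is exposed to CVE-2014-3566 regardless of what the configuration shows.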
Workaround
There are no workarounds.
Further Problem Description
This bug covers the SSL server side (connections that the ASA terminates) and is fixed in the following (and later) posted ASA releases:
9.3.1.1
9.2.3
9.1.5.21
9.0.4.26
8.4.7.26
8.2.5.55
It will also be available in the April/2015 timeframe on the following ASA software releases:
8.3.2.43
8.5.1.23
8.6.1.16
8.7.1.15
For the client-side (Clientless Smart Tunnel Component), please check CSCur42776.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 2 score. The Base and Temporal CVSS scores as of the time of evaluation are: 2.6/2.5
https://intellishield.cisco.com/security/alertmanager/cvssCalculator.do?dispatch=1&version=2&vector=AV:N/AC:H/Au:N/C:P/I:N/A:N/E:F/RL:U/RC:C
The Cisco PSIRT has assigned this score based on information obtained from multiple sources. This includes the CVSS score assigned by the third-party vendor when available. The CVSS score assigned may not reflect the actual impact on the Cisco Product.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html