I ran a PCI scan on my firewall and I got these vulnerabilities:
- OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

THREAT: Netscape's SSLv3 implementation had a bug where if a SSLv3 connection is initially established, the first available cipher is used. If a session is resumed, a different cipher may be chosen if it appears in the passed cipher list before the session's current cipher. This bug can be used to change ciphers on the server.

OpenSSL contains this bug if the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option is enabled during runtime. This option was introduced for compatibility reasons.

The problem arises when different applications using OpenSSL's libssl library enable all compatibility options including SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, thus enabling the bug.

A malicious legitimate client can enforce a ciphersuite not supported by the server to be used for a session between the client and the server. This can result in disclosure of sensitive information.

This bug appears to be fixed in OpenSSL 0.9.8j and later. Refer to Changes between 0.9.8i and 0.9.8j at OpenSSL Changelog to obtain additional details. The latest version of OpenSSL is available for download at OpenSSL Download Page.

This problem can be fixed by disabling the SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG option from the options list of OpenSSL's libssl library. This can be done by replacing the SSL_OP_ALL definition in the openssl/ssl.h file with the following line:
How can I solve this?
I think you need to disable HTTPS (WebVPN and ASDM) on any untrusted interface or upgrade. Should be fixed in 8.4(2) or 8.2(5). I wouldn't upgrade to 8.4(2) unless you are already in 8.4 or if you are aware of its significant syntax changes.
Cisco recommends a 1 Gig. My ASA5505 runs okay on 256MB in a lab only environment. It does warn you that it isn't enough. I would use 8.2.5 if you are less than 8.3 today. Wait until you can plan for it and get the memory to go to 8.4. It is a different beast if you use the command line. In my opinion, it's actually worth purchasing an ASA5505 (10 user edition) just to lab with.