Vulnslist

If an affected device is running a Cisco ASA Software or FTD Software release that supports the ssl server-max-version command, administrators may disable TLS 1.3 as a workaround for this vulnerability.

Note: The ssl server-max-version CLI command is supported as of Cisco ASA Software releases 9.19.1.24 and 9.20.2 and Cisco FTD Software Release 7.4.1.
Disable TLS 1.3 on Cisco ASA Software
To disable TLS 1.3 on Cisco ASA Software, set the minimum and maximum TLS version to TLS 1.2 using the ssl server-version and ssl server-max-version commands, as shown in the following example:

ciscoasa# configure terminal
ciscoasa(config)# ssl server-version tlsv1.2 dtlsv1.2
ciscoasa(config)# ssl server-max-version tlsv1.2

Disable TLS 1.3 on Cisco FTD Software
To disable TLS 1.3 on Cisco FTD Software, set the minimum and maximum TLS version to TLS 1.2 using Cisco FMC Software and a FlexConfig object. For more information about FlexConfig objects, see the FlexConfig Policies for FTD ["https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/flexconfig_policies.html"] chapter of the Firepower Management Center Configuration Guide.

To disable TLS 1.3 on Cisco FTD Software, use the following steps:

Connect to Cisco FMC Software.
From the menu bar, choose Devices > Platform Settings.
Add or edit the Platform Settings Policy that is applied to the affected device.
From the navigation menu on the left, choose SSL.
From the TLS version drop-down menu, choose TLSv1.2.
Click Save.
Choose Objects > Object Management.
From the navigation menu on the left, choose FlexConfig > FlexConfig Object.
Click Add FlexConfig Object.

Enter a name and description (optional) for the object in the appropriate fields.
From the drop-down menus above the main text box, choose Insert, Deployment: Once, and Type: Append.
In the main text box, enter ss server-max-version tlsv1.2.
Note: There is no l at the end of the word ss. This is not a typo. If the word ssl is used, Cisco FMC Software will display a validation error when the changes are saved.
Click Save.
From the menu bar, choose Devices > FlexConfig.
Edit the existing FlexConfig Policy or add a new one. If a new policy is being added, enter a name and description (optional) for the new policy in the appropriate fields, then click Save.
From the User Defined drop-down menu on the left, choose the FlexConfig object that was added in step 9.
Click > to move the object to the Selected Append FlexConfigs pane.
Click Save.
From the menu bar, click Deploy to deploy the changes.
Check the check boxes for devices that are assigned to the policy.
Check the ignore warnings check box.
Note: When deploying a FlexConfig object, a validation warning will prevent the deployment until the ignore warnings check box is checked.
In the dialog box, click Deploy.

While this workaround has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.