05-02-2024 08:41 AM
Regarding vulnerabilities raised in Cisco alerts - along with the version affected, they also mention specific configuration attributes that will also need to be set. As an example, if the configuration "ip http server" is present on one of our 400 Cisco devices, it will be classed as vulnerable. Will Cisco DNA/Catalyst have the ability to check for this configuration on our Cisco devices? My manager quoted https://help.ubuntu.com/community/RANCID as an example of what he is looking for.
05-02-2024 09:03 AM
The most automated way to help you going forward is to sign up for CX Cloud and integrate it with Catalyst Center. That will enhance your Security Advisory tool in Cat Center to include device configurations when it matches a published vulnerability.
You can also manually specify the regex to match against a device configuration to an advisory with the "Add Match Pattern" link in the Custom Match Pattern column of the Advisories tab of the Security Advisories tool.
Lastly, it sounds like your specific question is in relation to CVE-2023-20198. For that specific vulnerability, the Catalyst Center engineering team created a special workflow under Tools->Network Reasoner that can check for vulnerable devices even without the above steps performed.
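An added example, not part of the original post and not Catalyst Center's own matching logic: a line-anchored regex check for the "ip http server" configuration run over saved device configs of the kind a RANCID-style archive holds. The hostnames and config text are constructed samples, and including "ip http secure-server" as a second pattern is an assumption made for this example.

```python
import re

# Line-anchored patterns. A plain substring search for "ip http server" would
# also hit the negated form "no ip http server" and text inside descriptions.
MATCH_PATTERNS = {
    "ip http server": re.compile(r"^ip http server[ \t\r]*$", re.MULTILINE),
    # Assumption for this example: the HTTPS variant is checked as well.
    "ip http secure-server": re.compile(r"^ip http secure-server[ \t\r]*$", re.MULTILINE),
}


def find_matches(config_text):
    """Return the sorted names of the patterns enabled in one device config."""
    return sorted(name for name, rx in MATCH_PATTERNS.items() if rx.search(config_text))


def audit(configs):
    """Map hostname -> matched commands, listing only devices with a match."""
    report = {}
    for host, text in configs.items():
        hits = find_matches(text)
        if hits:
            report[host] = hits
    return report


# Constructed sample configs (hypothetical hostnames), keyed by device name.
SAMPLE_CONFIGS = {
    # Both services enabled.
    "edge-rtr-01": "hostname edge-rtr-01\n!\nip http server\nip http secure-server\n!\nend\n",
    # Both explicitly disabled: must not match.
    "core-sw-02": "hostname core-sw-02\n!\nno ip http server\nno ip http secure-server\n!\nend\n",
    # CRLF line endings, HTTP disabled but HTTPS enabled.
    "dist-sw-03": "hostname dist-sw-03\r\n!\r\nno ip http server\r\nip http secure-server\r\n!\r\nend\r\n",
    # The phrase appears only inside an interface description: must not match.
    "branch-rtr-04": "hostname branch-rtr-04\n!\ninterface Gi0/0\n description ip http server removed\n!\nend\n",
}

if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE_CONFIGS).items()):
        print(f"{host}: {', '.join(hits)}")
```
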
05-02-2024 09:06 AM
Very good of you for your quick reply, Preston. Which path is the most efficient?
05-02-2024 09:21 AM
@desmond.cassidy It depends on what you want to achieve. Try both of the last two.
05-02-2024 09:06 AM
You can do a compliance check or run Command Runner to check that config on the device.