System Diagnostics not reflecting current vulnerabilities.

grambo1980
Level 1

Hi, I ran a system diagnostic on a few devices and the vulnerabilities that came up did not align with what I found on the Cisco Security Cisco Software Checker. Then, to complicate things even more, the bug lookup tool is only showing IOS-XE data. So now I don't know what to believe about whether my device is vulnerable or not.

jofrumki
Cisco Employee

Hello @grambo1980 

The data shared through the CLI Analyzer is determined by your device configuration rather than just a generic SW version or device PID. The system diagnostics should be the most current data regarding your device.

Thank you

Hi, I agree it /should/ be. But the results I'm seeing look unreliable.

Take the DHCP one for example: bugs CSCuw77959 & CSCsm45390. This is a security bulletin from 2017. In the CSCsm45390 bug details you see that it is fixed in 15.5(1)SY1. We are running SY4.

Then the second output: cscvy28508 || Enable speed command for 1G SFP on C9400. This is a 6880; why is it identifying a bug that affects a cat9k?

Then it doesn't detail the ARP exhaustion issue, which is pretty light on technical details to be honest. But that sounds like it's a pretty basic feature set.

On top of the bug tool only reporting IOS-XE data for almost 95% of the bugs I've looked at. So yes, it should be the most reliable, but I'm questioning its accuracy as it does not look right.