02-06-2024 12:13 PM
Recently I got to compare two vulnerability tools and both were providing different results. To validate it I checked using the Cisco Software Checker and also the Bug ID checker... but it put me in a more confused state. Can someone guide me on the below query?
1. The show version command shows the below. Should I use "Cisco IOS XE Software" or "Cisco IOS Software" in the software checker release field?
Cisco IOS XE Software, Version 03.14.02.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_********), Version 15.5(1)S2, RELEASE SOFTWARE (fc2)
Technical Support:
2. The Cisco security advisory (CVE-2019-1745, https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190327-xecmd.html) says the above device with this version is affected, but if I go into bug-check-id (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj61307), it shows only 16.9.1, 16.8.2, 16.7.1 as affected. My question is: do we need to follow the security advisory or rely on the bug search tool?
02-06-2024 01:48 PM
To be honest, CVE-2019-1745 is nothing because this is "old news" -- this vulnerability was published in 2019. If the router has not been compromised since then, there's a really slim chance anyone will notice.
However, the biggest threat is the security vulnerability disclosed back in October 2023 because it is currently being exploited in the wild: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature
If the router can support 17.X.X, then 17.9.5 should be coming out in the next few days.
02-06-2024 02:01 PM
Ok. Appreciate your response. Well, the question is: when checking for vulnerabilities, do we need to use the version Cisco IOS XE Software, Version 03.14.02.S or IOS Software, ASR1000 Software, Version 15.5(1)S2? Because the advisory says IOS software is not affected but IOS XE is affected, similar to:
==========================================
Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.
====================================
02-06-2024 03:09 PM
@Saravana132 wrote:
because the advisory says IOS software is not affected but IOS XE is affected.
ASR runs on IOS-XE.
Use the command "sh version | include IOS-XE".
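An added example, not part of any post in this thread: a small Python parser that reads `show version` output, decides whether the device should be looked up as IOS XE or classic IOS, and returns the release string to check. The function names, the classic IOS sample line, and the zero-stripped release form (03.14.02.S written as 3.14.2S) are assumptions made for illustration; confirm the exact form against the release list the checker offers.

```python
import re

# Constructed sample: the two banner lines quoted in the thread (build string masked as posted).
SAMPLE_XE = """\
Cisco IOS XE Software, Version 03.14.02.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_********), Version 15.5(1)S2, RELEASE SOFTWARE (fc2)
"""
# Constructed sample: a classic IOS banner with no IOS XE marker anywhere.
SAMPLE_IOS = ("Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
              "Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)\n")

XE_RE = re.compile(r"^Cisco IOS[ -]XE Software.*?Version\s+([\w.()]+)", re.M | re.I)
IOS_RE = re.compile(r"^Cisco IOS Software.*?Version\s+([\w.()]+)", re.M)


def normalize_xe(ver):
    """Strip zero padding: 03.14.02.S -> 3.14.2S, 16.09.04 -> 16.9.4 (assumed form)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]?)\.?([A-Z]*)", ver)
    if not m:
        return ver  # unknown layout: hand it back untouched rather than guess
    major, minor, patch, letter, train = m.groups()
    return f"{int(major)}.{int(minor)}.{int(patch)}{letter}{train}"


def checker_input(show_version):
    """Return (os_family, release_to_check, bundled_ios_version_or_None)."""
    xe = XE_RE.search(show_version)
    ios = IOS_RE.search(show_version)
    if xe:
        # A dedicated IOS XE banner line wins; the 15.x string on the next
        # line is the IOS component bundled inside that IOS XE release.
        return ("IOS XE", normalize_xe(xe.group(1)), ios.group(1) if ios else None)
    if ios and re.search(r"IOS[ -]XE", ios.group(0), re.I):
        # Some platforms only mention IOS-XE inside the "Cisco IOS Software" line.
        return ("IOS XE", normalize_xe(ios.group(1)), None)
    if ios:
        return ("IOS", ios.group(1), None)
    raise ValueError("no Cisco IOS / IOS XE banner found")


if __name__ == "__main__":
    for name, text in (("thread sample", SAMPLE_XE), ("classic IOS", SAMPLE_IOS)):
        family, release, bundled = checker_input(text)
        print(f"{name}: look up {family} release {release} (bundled IOS: {bundled})")
```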