
Cisco IOS XE ASR 1000 vulnerability and affected versions

Saravana132
Level 1

Recently I got to compare two vulnerability tools and both were providing different results. To validate it, I checked using the Cisco Software Checker and also the Bug ID checker... but it put me in a more confused state. Can someone guide me on the query below?

1. The show version command shows the output below. Should I use "CISCO IOS XE software" or "Cisco IOS software" in the software checker release field?

Cisco IOS XE Software, Version 03.14.02.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_********), Version 15.5(1)S2, RELEASE SOFTWARE (fc2)
Technical Support:

2. The Cisco security advisory (CVE-2019-1745, https://www.cisco.com/c/en/us/support/docs/csa/cisco-sa-20190327-xecmd.html) says the above device with this version is affected, but if I go into bug-check-id (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvj61307) it shows only 16.9.1, 16.8.2, 16.7.1 as affected. My question is: do we need to follow the security advisory or rely on the bug search tool?

3 Replies

Leo Laohoo
Hall of Fame

To be honest, CVE-2019-1745 is nothing because this is "old news" -- this vulnerability was published in 2019. If the router has not been compromised since then, there's a really slim chance anyone will notice.

However, the biggest threat is the security vulnerability disclosed back in October 2023 because it is currently being exploited in the wild: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature

If the router can support 17.X.X, then 17.9.5 should be coming out in the next few days.  

Ok. Appreciate your response. Well, the question is: when checking for vulnerabilities, do we need to use version Cisco IOS XE Software, Version 03.14.02.S or IOS Software, ASR1000 Software, Version 15.5(1)S2? Because the advisory says IOS software is not affected but IOS XE is affected. Similar to:

==========================================

Products Confirmed Not Vulnerable

Cisco has confirmed that this vulnerability does not affect Cisco IOS Software, Cisco IOS XR Software, or Cisco NX-OS Software.

====================================


@Saravana132 wrote:
because the advisory says IOS software is not affected but IOS XE is affected.

ASR runs on IOS-XE. 

Use the command "sh version | include IOS-XE".
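
Added example, not part of the thread and not Cisco tooling: a small parser for the `show version` banner quoted in the question, useful when reconciling scanner results that disagree. It assumes, following the reply above, that a device printing the "Cisco IOS XE Software" line is matched against advisories by its IOS XE release; the function names and the second sample are constructed for illustration.

```python
import re

# Banner lines printed by "show version". The IOS XE line exists only on IOS XE
# devices; the "Cisco IOS Software" line is the IOSd component and appears on both.
XE_RE = re.compile(r"Cisco IOS XE Software, Version (\S+)")
# The optional [name] group tolerates a release train name after "Software".
IOS_RE = re.compile(r"Cisco IOS Software(?: \[[^\]]+\])?,.*?Version ([^,\s]+)")

def release_for_advisory(show_version):
    """Return the OS family and the release string to key advisory lookups on."""
    xe = XE_RE.search(show_version)
    ios = IOS_RE.search(show_version)
    if xe:  # assumption from the thread: IOS XE platforms are matched by IOS XE release
        return {"os": "IOS XE", "release": xe.group(1),
                "iosd": ios.group(1) if ios else None}
    if ios:
        return {"os": "IOS", "release": ios.group(1), "iosd": None}
    raise ValueError("no Cisco IOS / IOS XE banner found")

def scanner_finding_matches(show_version, reported_os, reported_release):
    """True if a scanner keyed its finding on the same OS family and release."""
    parsed = release_for_advisory(show_version)
    return (parsed["os"], parsed["release"]) == (reported_os, reported_release)

# The banner quoted in the question (image name masked as in the post).
ASR_SAMPLE = """\
Cisco IOS XE Software, Version 03.14.02.S - Standard Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_********), Version 15.5(1)S2, RELEASE SOFTWARE (fc2)
"""
# Constructed sample of a classic IOS device, for contrast.
IOS_SAMPLE = ("Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), "
              "Version 15.0(2)SE11, RELEASE SOFTWARE (fc3)\n")

if __name__ == "__main__":
    print(release_for_advisory(ASR_SAMPLE))
    print(release_for_advisory(IOS_SAMPLE))
    # A tool that recorded the ASR as plain IOS 15.5(1)S2 keyed on the IOSd line.
    print(scanner_finding_matches(ASR_SAMPLE, "IOS", "15.5(1)S2"))
```

A finding that fails `scanner_finding_matches` points to a tool that read the IOSd line instead of the IOS XE line, which is one way two scanners can disagree on the same device.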