PSIRT analysis differs between that on SNTC portal to any downloaded report

graham.kirtley · ‎09-05-2017

Hi,

I have a rather worrying situation where the analysis presented via the SNTC portal differs significantly to that contained with any report generated and downloaded.

Specifically this relates to PSIRT alerts. What differs is the number of devices (chassis) and the vulnerability status.

For an example taking the following alert description "Vulnerabilities in Cisco IOS Secure Shell Server"

Within SNTC under Alerts - All PSIRTs, I see that for one of my inventories 4 devices are listed as being 'vulnerable', but when I look at a Product Alerts Report (spreadsheet) the same devices are listed as being 'potentially vulnerable". Which is correct?

As another example alert description "Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability (CVE-2015-0646)" shows that via SNTC 484 are 'vulnerable', whereas within the downloaded spreadsheet, 160 devices are reported, 17 as being 'potentially vulnerable' and 143 as 'vulnerable'. Again which information source is correct, if indeed any are?

Regards,

Graham

Jarrett Pomeroy · ‎09-05-2017

Hello Graham,

Currently the SNTC Portal displays a potentially vulnerable and vulnerable device as vulnerable on the online PSIRT reports. You can reference the offline alerts report to get more granular results and verify if a device is reflecting only as potentially vulnerable. A potentially vulnerable device means that the SNTC Portal was not able to completely validate the alert based on the collected device details, and it may require a manual validation.

Thank you,
Jarrett

Cheri Fairbrother · ‎09-07-2017

Hi Graham,

Please let us know if you have further questions. If there is nothing further, please mark this as solved.

Thanks!
Cheri

graham.kirtley · ‎09-08-2017

Hi,

Thanks for the replies, but I'm not entirely happy with the explanation.

Given that the explicit status of each device, WRT any specific PSIRT alert being either vulnerable or potentially vulnerable, is known (since this is provided in the report), I fail to see why this distinction is not shown within the portal view?

Furthermore there is no explanation as to why the summary counts differ between the portal view and the downloaded report?

Rgds,

Graham

Chris Camplejohn · ‎09-08-2017

You're right Graham. CSCvd67358 was filed to address this. It will be fixed in a future release. Stay tuned.

graham.kirtley · ‎09-08-2017

Hi Chris,

Thanks for the update and I'm pleased to see a case opened to resolve it.

Will this bug case also address the significant differences in the counts (of effected devices)?

In the interim which counts do we use, the counts shown via the portal or those reported within a download spreadsheet?

Rgds,

Graham

Chris Camplejohn · ‎09-08-2017

Can you send me a private message in the forum letting me know which customer name and inventory you are using? I'd like to take a quick look at the data to see the discrepancy.

Chris Camplejohn · ‎09-14-2017

Thanks for the info you sent me. It helped me to visualize same as you were seeing. There isn't a count mismatch. There is a title/description mismatch that makes it appear that way to you. This is CSCvd87947. If you summarize in the excel by Alert ID instead, you'll see the counts match.