[c-nsp] Cisco Security Advisory: Cisco IOS Software RSVP Vulnerability

Peter Rathlev peter at rathlev.dk
Thu Sep 25 05:35:01 EDT 2014 

On Wed, 2014-09-24 at 15:12 -0400, Dario Ciccarone wrote:
> Actually, we think that may be because you're using option "a" - typing
> in an IOS release, or selecting from the list. You can instead use
> option "b" (and paste the output of multiple "show version" commands) or
> option "c" (and provide a list of IOS releases). Try option "c" and see
> if you like it.

Well... we currently have over 100 different IOS versions running on
2400 different Catalyst switches. Many of these are generally the same
family, e.g. 12.2(55)SE1, SE4 and SE5. With a list that say "12.2SE: Not
vulnerable" then I could conclude that 73 different IOS versions on 1500
devices were not vulnerable to this advisory.

Option "c" is a little better than option "a". But it can only take 50
different IOS releases in one go. And the (Javascript heavy) interface
then takes me to a page where I have to click each release separately to
see if it's vulnerable. The "Show CSV" only shows me the currently
selected release.

All in all it takes me a lot longer to actually find out what vulnerable
releases we have. And I know that there are many "smart" ways to stay
current on vulnerable images in production; our partner have talked
about some "C-Collector" service that would compare running images to
advisories and send us mails or something like it. But it's a lot more
complicated than just looking at a list.
 
> Additionally, the "static" IOS tables on previous advisories were that -
> a static snapshot at publication time. While the IOS Software checker
> data comes from a database that is updated in real time, based on new
> fixes availability, new IOS releases, etc.

IOS Software Checker is a nice tool, do keep it. But for the "helicopter
view" the comprehensive list is a really great help. And it's no problem
that the list is a snapshot at publication time. The fast response to a
serious vulnerability is the hours or days immediately after the
advisory has been posted.

With the kindest regards!

-- 
Peter

More information about the cisco-nsp mailing list