How does one automatically check if your Cisco ASA is running the most recent or non-vulnerable version with external monitoring?
With SNMP, you can get the version number of an ASA:
$ snmpget -v2c -c password 184.108.40.206 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 9.8(2)"
But I can find nothing (URL/API/CVE database) to compare this with, or to test if that version has known vulnerabilities.
Pages like these have version info, but parsing that is really unreliable of course.
The Cisco ASA has a ‘check for update’ feature which must have some kind of URL it checks, but we don’t have the cisco.com account. And I don’t know what the URL is, and it’s probably https, so sniffing it doesn’t help.
Edit: it’s even more complicated, because this CVE states that for version 9.8, version 188.8.131.52 is patched. But that patch-level is not visible in SNMP, nor in the GUI under ‘About ASA’…
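One way to turn the sysDescr string into a comparable version and flag the exact gap the edit describes (a fix that lives at an interim patch level SNMP does not report), as an added example that is not part of the original question. The `FIXED_VERSIONS` table holds constructed placeholder values; real first-fixed releases must be taken from the relevant Cisco advisory.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Matches "Version 9.8(2)" and the interim form "Version 9.8(2.20)" inside an ASA sysDescr.
_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)")

Version = Tuple[int, int, int, int]

def parse_asa_version(sysdescr: str) -> Optional[Version]:
    """Return (major, minor, maintenance, interim) or None if the string is not an ASA sysDescr."""
    m = _VERSION_RE.search(sysdescr)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

# Constructed placeholders: first fixed release per train for one hypothetical advisory.
FIXED_VERSIONS: Dict[Tuple[int, int], Version] = {
    (9, 8): (9, 8, 2, 20),
    (9, 9): (9, 9, 1, 2),
}

def assess(sysdescr: str, fixed: Dict[Tuple[int, int], Version] = FIXED_VERSIONS) -> str:
    """Classify a sysDescr as fixed / vulnerable / unverifiable / unknown-train / unparseable."""
    ver = parse_asa_version(sysdescr)
    if ver is None:
        return "unparseable"
    first_fixed = fixed.get(ver[:2])
    if first_fixed is None:
        return "unknown-train"
    if ver >= first_fixed:
        return "fixed"
    # sysDescr normally reports only major.minor(maintenance). When the fix is an interim
    # build of that same maintenance release, SNMP alone cannot distinguish patched from
    # unpatched, so report that instead of a false "vulnerable" or "fixed".
    if ver[:3] == first_fixed[:3] and ver[3] == 0 and first_fixed[3] > 0:
        return "unverifiable"
    return "vulnerable"

def snmp_sysdescr(host: str, community: str) -> str:
    """Fetch sysDescr.0 with net-snmp's snmpget (assumes the snmpget binary is installed)."""
    out = subprocess.run(
        ["snmpget", "-v2c", "-c", community, "-Ovq", host, "1.3.6.1.2.1.1.1.0"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()

if __name__ == "__main__":
    print(assess('Cisco Adaptive Security Appliance Version 9.8(2)'))  # unverifiable
```

Run `assess(snmp_sysdescr(host, community))` from your monitoring job; an "unverifiable" result is the signal to confirm the interim level by another route (for example `show version` over SSH).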