#StackBounty: #cisco #cisco-asa Monitoring for most recent version of Cisco Adaptive Security Appliance (ASA)

Bounty: 50

How does one automatically check if your Cisco ASA is running the most recent or non-vulnerable version with external monitoring?

With SNMP, you can get the version number of an ASA:

$ snmpget -v2c -c password 1.2.3.4 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 9.8(2)"

But I can find nothing (URL/API/CVE database) to compare this with, or to test if that version has known vulnerabilities.

The various Nagios plugins I can find (like check_snmp_checklevel and nm_check_version) also don’t do this. They merely allow verifying against a version in a config file.

Pages like these have version info, but parsing that is really unreliable of course.

The Cisco ASA has a ‘check for update’ feature which must have some kind of URL it checks, but we don’t have the cisco.com account. And I don’t know what the URL is, and it’s probably https, so sniffing it doesn’t help.

Edit: it’s even more complicated, because this CVE states that for version 9.8, version 9.8.2.28 is patched. But that patch-level is not visible in SNMP, nor in the GUI under ‘About ASA’…
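The two halves of the problem in the post are turning the SNMP sysDescr string into something comparable, and then comparing it against a "first fixed release" from an advisory while honouring the caveat in the edit: sysDescr reports 9.8(2), but the fix lives in interim build 9.8.2.28, which SNMP does not show. The Nagios-style check below is an added example, not code from the post or from Cisco. It assumes that ASA reports interim builds as "9.8(2)28" in `show version` (the regex accepts both forms), and the fixed-release table is a constructed placeholder that you would fill from the vendor advisory for the CVE you care about (the post does not give its number).

```python
import re
import subprocess
from typing import Dict, NamedTuple, Tuple

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


class AsaVersion(NamedTuple):
    """ASA release as a comparable tuple: 9.8(2)28 -> (9, 8, 2, 28)."""
    major: int
    minor: int
    maint: int
    interim: int  # 0 when the string carries no interim build number

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}({self.maint})"
        return f"{base}{self.interim}" if self.interim else base


# Matches "Version 9.8(2)" (as in the sysDescr from the post) and, by assumption,
# "Version 9.8(2)28", the form ASA uses for interim builds.
_SYSDESCR_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)(\d+)?")


def parse_sysdescr(sysdescr: str) -> AsaVersion:
    """Extract the running version; the raw snmpget output line is accepted as-is."""
    m = _SYSDESCR_RE.search(sysdescr)
    if not m:
        raise ValueError(f"no ASA version found in: {sysdescr!r}")
    major, minor, maint, interim = m.groups()
    return AsaVersion(int(major), int(minor), int(maint), int(interim or 0))


def parse_dotted(release: str) -> AsaVersion:
    """Parse the dotted form used in advisories ("9.8.2.28"), padding to four fields."""
    fields = [int(p) for p in release.split(".")]
    if not 2 <= len(fields) <= 4:
        raise ValueError(f"unexpected release format: {release!r}")
    fields += [0] * (4 - len(fields))
    return AsaVersion(*fields)


def fetch_sysdescr(host: str, community: str) -> str:
    """Run snmpget exactly as in the post and return its output (needs net-snmp installed)."""
    cmd = ["snmpget", "-v2c", "-c", community, host, "iso.3.6.1.2.1.1.1.0"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def check_version(sysdescr: str, fixed_releases: Dict[str, str]) -> Tuple[int, str]:
    """Compare the running version with the first fixed release for its train.

    fixed_releases maps a train ("9.8") to the first fixed release ("9.8.2.28").
    Returns a Nagios exit code and a status line.
    """
    running = parse_sysdescr(sysdescr)
    train = f"{running.major}.{running.minor}"
    if train not in fixed_releases:
        return UNKNOWN, f"UNKNOWN: no fixed release recorded for train {train} (running {running})"
    fixed = parse_dotted(fixed_releases[train])
    if running >= fixed:
        return OK, f"OK: running {running} >= fixed {fixed}"
    # Same maintenance release, but the fix is an interim build and SNMP reported no
    # interim number: the box may or may not be patched, so do not claim either way.
    if running[:3] == fixed[:3] and running.interim == 0 and fixed.interim > 0:
        return WARNING, (f"WARNING: running {running}, fix is {fixed}; interim build not "
                         f"visible via SNMP, confirm with 'show version'")
    return CRITICAL, f"CRITICAL: running {running} < fixed {fixed}"


# Constructed placeholder table: train -> first fixed release. The 9.8 entry is the
# value quoted in the post; fill the rest from the advisory for your CVE.
FIXED_RELEASES = {"9.8": "9.8.2.28"}

if __name__ == "__main__":
    # Constructed sample, matching the snmpget output shown in the post.
    sample = 'iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 9.8(2)"'
    code, message = check_version(sample, FIXED_RELEASES)
    print(message)
    raise SystemExit(code)
```

In a real plugin you would replace `sample` with `fetch_sysdescr(host, community)`; the WARNING branch is the important design choice, because a check that silently treated 9.8(2) as either patched or unpatched would be wrong half the time given that the interim level is invisible over SNMP.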
