
How does one automatically check if your Cisco ASA is running the most recent or non-vulnerable version with external monitoring?

With SNMP, you can get the version number of an ASA:

$ snmpget -v2c -c password 1.2.3.4 iso.3.6.1.2.1.1.1.0
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 9.8(2)"

But I can find nothing (URL/API/CVE database) to compare this with, or to test if that version has known vulnerabilities.

The various Nagios plugins I can find (like check_snmp_checklevel and nm_check_version) also don't do this. They merely allow verifying against version in a config file.

Pages like these have version info, but parsing that is really unreliable of course.

The Cisco ASA has a 'check for update' feature which must have some kind of URL it checks, but we don't have the cisco.com account. And I don't know what the URL is, and it's probably https, so sniffing it doesn't help. Having said that, if people know the password protected update URL, I'll gladly take it.

Edit: it's even more complicated, because this CVE states that for version 9.8, version 9.8.2.28 is patched. But that patch-level is not visible in SNMP, nor in the GUI under 'About ASA'...

Halfgaar
  • If you don't have a Cisco.com account (and therefore access to software upgrades) - where are you getting updated software images from? Does that source have an easier to access list of what's available that you could compare against? – Rob Pearson Jul 15 '18 at 23:19
  • @RobPearson We don't manage the network, but we've been given some access. When the GUI didn't simply provide an option to send an e-mail on available updates, I thought I'd write a general purpose monitoring script. There are other cases that this will serve me. I'll edit the question about the Cisco account and update URL though. – Halfgaar Jul 17 '18 at 07:02
  • thank you for the clarification. I'm still curious on one point - do you have any source for updates? I ask because I'm not sure what good it does you to detect that you're on an older version of the ASA software if you don't have the ability to update in response. – Rob Pearson Jul 17 '18 at 16:01

2 Answers


Looking through that documentation I can see where your problems start.

Try executing this command: `show version | include image`. You should see output like the following:

System image file is "disk0:/asa982-28-smp-k8.bin"

From what I am seeing in the Cisco Interim Release Notes this will be a direct way to retrieve the release and build information.

In this case

Revision: Version 9.8(2)28 – 04/18/2018 Files: asa982-28-smp-k8.bin

It looks like the version information is embedded in the file name.

Version X.Y(I)J File: asaXYI-J-smp-k8.bin

This is a kludge of course, but you could:

  1. Have Nagios SSH into the ASA
  2. Capture show version | include image
  3. Parse the file name into the version name.
  4. Check the version against some external source.
  5. Return success or fail into nagios.

Update Based on your comment:

You will need something heavy duty if you don't want to parse the webpage already listed for the data. Someone has to correlate vendor patches, vendor security advisories, and CVEs together. This is a non-trivial process.

Nessus and OpenVAS have security feeds that attempt to do the linking of these three types of data.

These tools, and others like them, will scan your network, compare versions and configurations against a minimum version or configuration baseline, create a report with recommendations, and then track your progress over time in addressing these minimum levels.

If you don't want to do all of this you're probably better off parsing the web page and staying on top of CVEs for Cisco ASA.

Joseph Kern
  • I'd just like to add, this is why security tools like Nessus are used for compliance checks, instead of making a monitoring engine like Nagios do double duty. – Joseph Kern Jul 14 '18 at 14:08
  • It's the "Check the version against some external source" that's the bulk of my question though... What source? – Halfgaar Jul 15 '18 at 18:15
  • Update in the original post. – Joseph Kern Jul 17 '18 at 19:16
  • It just seems so convoluted. I don't need to analyze CVEs, I just want the newest version. All that because there's not a URL like, for example, Firefox `https://aus5.mozilla.org/bla/bla/update.xml`? There must be somewhere, I'd say. – Halfgaar Jul 18 '18 at 07:47
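An added example of steps 2 to 5 of the answer above (not code from the question or the answer): it parses the running version out of both sources shown on this page, the SNMP sysDescr string from the question and the `show version | include image` line from the answer, and compares it with a minimum version in the form Cisco advisories use, such as the 9.8.2.28 patch level the question mentions. The image-name mapping is the one the answer observed (Version X.Y(I)J maps to asaXYI-J-smp-k8.bin); it is assumed here that X, Y and I are single digits, which holds for 9.8(2) but is not guaranteed for every ASA train. The sample inputs are constructed, and the "minimum version" would in practice come from whatever external source you settle on.

```python
import re
from typing import Optional, Tuple

# Nagios plugin return codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# (major, minor, maintenance, interim). interim is None when the source does
# not expose it, which is the case for the SNMP sysDescr string: 9.8(2) is
# visible there, the "28" in 9.8(2)28 is not.
Version = Tuple[int, int, int, Optional[int]]

# sysDescr as quoted in the question: 'Cisco Adaptive Security Appliance Version 9.8(2)'
SYSDESCR_RE = re.compile(r"Version\s+(\d+)\.(\d+)\((\d+)\)(\d+)?")

# Image file name inside the `show version | include image` output line, e.g.
#   System image file is "disk0:/asa982-28-smp-k8.bin"
# The three digits after "asa" are X, Y and I of Version X.Y(I)J and the number
# after the first hyphen is J (the answer's observation). Assumption: X, Y and I
# are single digits, as in 9.8(2).
IMAGE_RE = re.compile(r'asa(\d)(\d)(\d)-(\d+)-[\w.-]+\.bin')


def parse_version_string(text: str) -> Version:
    """Parse '9.8(2)28', '9.8.2.28' or '9.8(2)' into a Version tuple."""
    parts = [p for p in re.split(r"[.()]", text.strip()) if p]
    if not 3 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    nums = [int(p) for p in parts]
    return (nums[0], nums[1], nums[2], nums[3] if len(nums) == 4 else None)


def parse_sysdescr(sysdescr: str) -> Optional[Version]:
    """Version from the SNMP sysDescr string; the interim build is never present."""
    m = SYSDESCR_RE.search(sysdescr)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim) if interim else None)


def parse_image_line(line: str) -> Optional[Version]:
    """Version from the `show version | include image` line, including the interim build."""
    m = IMAGE_RE.search(line)
    if not m:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim))


def format_version(v: Version) -> str:
    """Render a Version tuple in Cisco's X.Y(I)J notation."""
    text = f"{v[0]}.{v[1]}({v[2]})"
    return text if v[3] is None else text + str(v[3])


def check_version(running: Version, minimum: Version) -> Tuple[int, str]:
    """Compare the running version against a minimum (e.g. the fixed version
    named in an advisory) and return a Nagios status code plus message."""
    run_s, min_s = format_version(running), format_version(minimum)
    # Major/minor/maintenance are always known, so compare those first.
    if running[:3] < minimum[:3]:
        return CRITICAL, f"CRITICAL: running {run_s} is older than required {min_s}"
    if running[:3] > minimum[:3] or minimum[3] is None:
        return OK, f"OK: running {run_s} satisfies {min_s}"
    # Same release; the decision now hinges on the interim build number.
    if running[3] is None:
        return UNKNOWN, (f"UNKNOWN: {run_s} matches {min_s[:len(run_s)]} but the interim "
                         f"build is not visible in this source; use `show version | include image`")
    if running[3] < minimum[3]:
        return CRITICAL, f"CRITICAL: running {run_s} is older than required {min_s}"
    return OK, f"OK: running {run_s} satisfies {min_s}"


if __name__ == "__main__":
    import sys
    # Constructed sample inputs, copied from the question and the answer.
    sysdescr = 'Cisco Adaptive Security Appliance Version 9.8(2)'
    image_line = 'System image file is "disk0:/asa982-28-smp-k8.bin"'
    required = parse_version_string("9.8.2.28")  # patch level cited in the question's edit
    exit_code = UNKNOWN
    for source, running in (("snmp", parse_sysdescr(sysdescr)),
                            ("show version", parse_image_line(image_line))):
        exit_code, message = check_version(running, required)
        print(f"[{source}] {message}")
    sys.exit(exit_code)
```

The point of the `UNKNOWN` branch is the caveat raised in the question's edit: a check fed only by SNMP cannot tell 9.8(2) from 9.8(2)28, so when the required version carries an interim build the plugin must say so rather than report a false `OK`.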

Somebody else pointed out to me that the interactive web form requests a URL that obtains JSON data about the version.

It even has a field `isSuggested`, so that you don't need to know whether it's the newest feature release; just for your feature branch, you have the suggested version.

It seems a bit like a URL that may change at some point, but it works.

Halfgaar