A new tool called the Cisco IOS Software Checker is now available on the Cisco Security Intelligence Operations (SIO) portal. This tool introduces a feature that our customers have long requested and will make Cisco product security information much easier to consume and digest.
Security Advisories that are published by the Cisco Product Security Incident Response Team (PSIRT) provide detailed information about security vulnerabilities in Cisco products, including mitigations, affected products, and vulnerable and fixed versions of software. Security Advisories affecting Cisco IOS include a table that provides a list of affected Cisco IOS release trains and fixed versions for those trains. Our customers have long asked us for ways to simplify identification of affected software in this table, and so we have developed the Cisco IOS Software Checker for this very purpose. This tool leverages our internal databases to easily provide affected software information without requiring you to manually process the fixed software table.
As an example, let’s look at the following snippet from a Security Advisory published in September 2010.
This example shows the row for a single release train. Security Advisories can contain more than 300 of these. Now let’s say we would like to check whether 12.4(20)T5 is affected by vulnerabilities addressed in this particular Security Advisory. Since we are dealing with 12.4(20)T5, we should look at the second line in the second column, which lists 12.4(20)T6 as a first fixed release. Since 12.4(20)T5 is an older release than this first fixed release, we should conclude that 12.4(20)T5 is indeed vulnerable.
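The manual comparison above can be scripted for the simple case. The following is an added example, not Cisco's code and not how the Cisco IOS Software Checker works; it assumes release names of the form major.minor(maintenance)TRAIN followed by a rebuild number, compares only rebuild numbers within the same train and maintenance release, and uses a constructed `show version` excerpt. Like the table lookup, it says nothing about enabled or disabled features.

```python
import re

# Assumed release layout: major.minor(maintenance)TRAIN<rebuild>, e.g. 12.4(20)T5.
# Release names in other layouts (such as a trailing lowercase letter) are rejected.
RELEASE = re.compile(r"(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)")

VULNERABLE = "older than first fixed release: vulnerable"
FIXED = "at or later than first fixed release"
UNKNOWN = "different train or maintenance release: read the advisory table"

def parse_release(name):
    """Split a release name into (major, minor, maintenance, train, rebuild)."""
    m = RELEASE.fullmatch(name.strip())
    if m is None:
        raise ValueError(f"unsupported release name: {name!r}")
    major, minor, maint, train, rebuild = m.groups()
    return int(major), int(minor), int(maint), train, int(rebuild or 0)

def releases_from_show_version(output):
    """Pull release names from the 'Cisco IOS Software ... Version X,' banner lines."""
    return re.findall(r"^Cisco IOS Software.*?\bVersion ([^\s,]+)", output, re.MULTILINE)

def check(running, first_fixed):
    """Compare rebuild numbers only when everything before the rebuild matches."""
    run, fix = parse_release(running), parse_release(first_fixed)
    if run[:4] != fix[:4]:
        return UNKNOWN
    return VULNERABLE if run[4] < fix[4] else FIXED

# Constructed 'show version' excerpt (not captured from a real device).
SAMPLE = """\
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(20)T5, RELEASE SOFTWARE (fc3)
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
"""

if __name__ == "__main__":
    for release in releases_from_show_version(SAMPLE):
        print(release, "->", check(release, "12.4(20)T6"))
```
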
Now let’s try the same thing in the Cisco IOS Software Checker by entering our version and choosing the Security Advisory that we are interested in. The following screen capture shows the results (and here is a direct link to this results page on the SIO portal).
The tool immediately tells you that the release is vulnerable to this particular Security Advisory. It’s that simple!
The Cisco IOS Software Checker also has the following capabilities:
- Allows users to enter multiple versions of Cisco IOS Software to determine which Security Advisories affect those versions.
- Allows users to determine vulnerability by pasting one or more ‘show version’ command outputs or uploading a .txt file that includes a list of Cisco IOS Software versions.
- Allows users to search against specific or all previously published Security Advisories, or only Security Advisories that are included in the most recent Cisco IOS Security Advisory Bundle.
It is important to note that the Cisco IOS Software Checker is intended solely for querying Cisco IOS Software versions, and is meant to augment, not replace, the Fixed Software tables in Security Advisories. It also does not account for enabled or disabled features. Customers must still read the entire Security Advisory in order to understand whether they are truly affected.
We hope you’ll find this tool to be a nice addition to our current process and that it will increase your efficiency while processing Cisco Security Advisories.