Finding Cisco IOS XE CVE-2023-20198 With ConfigSources
On October 16, 2023, Cisco published a vulnerability that affects IOS XE machines running the built-in web server: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

This is tracked as https://nvd.nist.gov/vuln/detail/CVE-2023-20198

By adding a simple Config Check to an existing Cisco IOS ConfigSource, LogicMonitor can help people quickly identify which resources have the web server enabled. Here is an example:

Name: Cisco-CSCwh87343-Check
Check type: "Use Groovy Script"
Groovy script:

    /*
    The built-in string variable 'config' contains the entire contents of the configuration file.
    The following example will trigger an alert when the configuration file contains the string "blue".

    if (config.contains("blue")) {
        return 1;
    } else {
        return 0;
    }
    */
    // Substring match: returns 1 for any line containing "ip http",
    // which also includes lines such as "no ip http server".
    if (config.contains("ip http")) {
        return 1;
    } else {
        return 0;
    }

Then trigger this type of alert: Warning
Description: "Search for presence of Cisco CSCwh87343 vulnerability"

Caveats:
- This will apply to all devices where the ConfigSource is used, even though all devices may not be affected by the vulnerability
- This assumes usage of ConfigSources and specifically the Cisco_iOS ConfigSource

Thanks to Todd Ritter for finding this CVE and creating the ConfigSource.

Common ConfigSource Documentation
Hello LogicMonitor community, I wanted to drop this here as it’s been something in the works for a long time. As I am sure many of you are aware, our development team has been working on and has actually released a new set of ConfigSources called “Common Configs”. These have been released into our core repository since late 2021, with support for more manufacturers and more features being added into these LogicModules throughout the last 2 years. The time has come that we have been able to get a support document around these Common Configs released with the requirements for them, optional parameters you can add to help them be successful, and the list of all currently released modules related to this suite.

https://www.logicmonitor.com/support/common-config-monitoring
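
A stricter variant of the Cisco-CSCwh87343-Check Groovy check from the CVE-2023-20198 post above, added here as an example and not code from either poster or from LogicMonitor. It matches whole configuration lines, so "no ip http server" and "ip http client" lines do not raise the alert, and it treats a listener as not exposed when the matching "active-session-modules none" line is present, as described in the Cisco advisory linked in that post. Assumptions: the helper name webUiExposed is hypothetical, the sample configurations are constructed, and 'config' is assumed to be available in the script binding.

```groovy
// Added example; not the original post's or LogicMonitor's own code.
// Returns 1 when the configuration shows the IOS XE web UI enabled and
// usable, 0 otherwise. webUiExposed is a hypothetical helper name.
int webUiExposed(String cfg) {
    // Compare whole trimmed lines, so "no ip http server" and
    // "ip http client ..." do not match the way a substring test does.
    List<String> lines = cfg.readLines()*.trim()
    boolean http     = lines.contains('ip http server')
    boolean https    = lines.contains('ip http secure-server')
    // Per the Cisco advisory for CVE-2023-20198: with these lines present
    // the issue is not exploitable over HTTP / HTTPS respectively.
    boolean httpOff  = lines.contains('ip http active-session-modules none')
    boolean httpsOff = lines.contains('ip http secure-active-session-modules none')
    return ((http && !httpOff) || (https && !httpsOff)) ? 1 : 0
}

// Constructed sample configurations (not taken from a real device).
String disabled  = 'hostname r1\nno ip http server\nno ip http secure-server\n'
String enabled   = 'hostname r2\nip http server\nip http secure-server\n'
String mitigated = 'hostname r3\nno ip http server\nip http secure-server\n' +
        'ip http secure-active-session-modules none\n'
String httpOnly  = 'hostname r4\nip http server\n' +
        'ip http secure-active-session-modules none\n'

// Self-check on the constructed samples.
assert webUiExposed(disabled) == 0
assert webUiExposed(enabled) == 1
assert webUiExposed(mitigated) == 0
// The HTTPS mitigation line does not cover the plain HTTP listener.
assert webUiExposed(httpOnly) == 1

// Assumption: LogicMonitor supplies the device configuration as the script
// variable 'config'; fall back to a constructed sample when run stand-alone.
String text = binding.hasVariable('config') ?
        (binding.getVariable('config') as String) : enabled
return webUiExposed(text)
```

A result of 0 means only that the saved configuration does not show the web UI enabled; the first post's caveats about which devices the ConfigSource applies to still hold.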