Finding Cisco IOS XE CVE-2023-20198 With ConfigSources
On October 16, 2023, Cisco published a vulnerability that affects IOS XE machines running the built-in web server: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

This is tracked as https://nvd.nist.gov/vuln/detail/CVE-2023-20198

By adding a simple Config Check to an existing Cisco IOS ConfigSource, LogicMonitor can help people quickly identify which resources have the web server enabled. Here is an example:

Name: Cisco-CSCwh87343-Check
Check type: "Use Groovy Script"
Groovy script:

    /*
    The built-in string variable 'config' contains the entire contents of the configuration file.
    The following example will trigger an alert when the configuration file contains the string "blue".
    if (config.contains("blue")) { return 1; } else { return 0; }
    */
    if (config.contains("ip http")) {
        return 1;
    } else {
        return 0;
    }

Then trigger this type of alert: Warning
Description: "Search for presence of Cisco CSCwh87343 vulnerability"

Caveats:
- This will apply to all devices where the ConfigSource is used, even though all devices may not be affected by the vulnerability
- This assumes usage of ConfigSources and specifically the Cisco_iOS ConfigSource

Thanks to Todd Ritter for finding this CVE and creating the ConfigSource.
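An added example, not part of the original post, that shows the difference between the substring check above and a line-anchored one. `config.contains("ip http")` also fires on `no ip http server` (the feature explicitly disabled) and on tuning lines such as `ip http max-connections`, so a device with the web UI turned off would still be flagged. The functions, the sample config fragments and the names used here are constructed for illustration; the matching rule follows the advisory's point that `ip http server` or `ip http secure-server` in the running config means the web UI is enabled.

```python
import re

# Anchored at the start of a config line so that "no ip http server" (which
# disables the feature) and tuning knobs such as "ip http max-connections"
# do not count as the web UI being enabled.
_WEBUI_ENABLED_RE = re.compile(r"^[ \t]*ip\s+http\s+(?:secure-)?server\b", re.MULTILINE)


def naive_check(config: str) -> int:
    """The check as posted: alert (1) on any occurrence of 'ip http'."""
    return 1 if "ip http" in config else 0


def webui_enabled_lines(config: str) -> list[str]:
    """Return the config lines that enable the IOS XE HTTP or HTTPS server."""
    return [m.group(0).strip() for m in _WEBUI_ENABLED_RE.finditer(config)]


def anchored_check(config: str) -> int:
    """Config Check result in LogicMonitor's convention: 1 = alert, 0 = clean."""
    return 1 if webui_enabled_lines(config) else 0


# Constructed sample running-config fragments (not captured from real devices).
SAMPLES = {
    "http_enabled": "hostname r1\nip http server\nip http authentication local\n",
    "https_only": "hostname r2\nno ip http server\nip http secure-server\n",
    "disabled": "hostname r3\nno ip http server\nno ip http secure-server\nip http max-connections 16\n",
    "no_http_lines": "hostname r4\nip domain name example.test\n",
}


def compare_checks() -> dict[str, tuple[int, int]]:
    """Run both checks over every sample: {name: (naive, anchored)}."""
    return {name: (naive_check(cfg), anchored_check(cfg)) for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, anchored) in compare_checks().items():
        print(f"{name:14s} naive={naive} anchored={anchored} lines={webui_enabled_lines(SAMPLES[name])}")
```

Only the "disabled" sample separates the two checks: the substring check alerts on it, the anchored one does not. In the Groovy Config Check the same anchored match would read `return (config =~ /(?m)^[ \t]*ip\s+http\s+(?:secure-)?server\b/).find() ? 1 : 0` (an untested translation, not code from the post). The caveat in the post still applies: the check only reports what the captured config says, for every device the ConfigSource is applied to.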
Retaining attributes while updating LogicModules

Can I also make a feature request to retain the custom thresholds / attributes (user optional, probably by means of a toggle button to choose between overwrite or leave as is) while updating LogicModules? I did notice related requests from the past and it seems that it is not yet released.

/topic/1282-maintain-thresholdsappliesto-when-updating-during-datasource-updates/
/topic/1180-import-datasource-from-logic-monitor-repository-improvments/
Custom ConfigSource Issues

I am having to write a custom ConfigSource for Steelhead Riverbeds. There isn't a way to sftp a file off, so I am having to write an expect script in Groovy. I am trying to cobble together something using the Cisco Generic RunningConfig as a stepping stone, but I just can't get it off the ground. If I run it via the ConfigSources page with Test Script I get this:

    Failed to execute the script - null
    java.nio.channels.ClosedByInterruptException
        at java.nio.channels.spi.AbstractInterruptibleChannel.end(AbstractInterruptibleChannel.java:202)
        at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:407)
        at sun.nio.ch.SourceChannelImpl.read(SourceChannelImpl.java:113)

If I run it via collector debug and !groovy I get:

    $ !groovy
    Waiting... This may take up to 10 minutes.
    Waiting... This may take up to 10 minutes.
    End of stream reached, no match found
    java.io.IOException: End of stream reached, no match found
        at com.santaba.agent.groovyapi.expect.expectj.Spawn._expect2(Spawn.java:595)
        at com.santaba.agent.groovyapi.expect.expectj.Spawn._expect2(Spawn.java:511)
        at com.santaba.agent.groovyapi.expect.expectj.Spawn.expect(Spawn.java:647)
        at com.santaba.agent.groovyapi.expect.expectj.Spawn.expect(Spawn.java:617)
        at com.santaba.agent.groovyapi.expect.Expect.expect(Expect.java:193)
        at com.santaba.agent.groovyapi.expect.Expect$expect$1.call(Unknown Source)
        at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:48)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:113)
        at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:125)
        at Script69.run(Script69.groovy:22)
        at com.santaba.agent.util.GroovyScriptShell.execute(GroovyScriptShell.java:127)
        at com.santaba.agent.util.GroovyScriptExecutor.execute(GroovyScriptExecutor.java:119)
        at com.santaba.agent.debugger.GroovyTask._executeInAgent(GroovyTask.java:186)
        at com.santaba.agent.debugger.GroovyTask._handle(GroovyTask.java:165)
        at com.santaba.agent.debugger.DebugTask.run(DebugTask.java:106)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Any help would be appreciated.

Oh yeah, the formatting of the CLI:

    servername >
    servername > enable
    servername # show configuration
    ##
    ## Other IP configuration
    ##

And what I have so far:

    import com.santaba.agent.groovyapi.expect.Expect;

    host = hostProps.get("system.hostname");
    user = hostProps.get("config.user");
    pass = hostProps.get("config.pass");

    // open an ssh connection and wait for the unprivileged prompt "servername > "
    cli = Expect.open(host, user, pass);
    cli.expect("> ");

    // enter enable mode; the prompt becomes "servername # ". Learn the exact prompt
    // from the session so that later expects do not match the "## ..." comment
    // lines inside the config output (assumes the hostname contains no spaces)
    cli.send("enable\n");
    cli.expect(" # ");
    prompt = cli.before().trim().split("\n")[-1].trim() + " # ";

    // ensure the page-by-page view doesn't foul the config output
    cli.send("terminal length 0\n");
    cli.expect(prompt);

    // display the config and wait for the enable prompt that follows it, rather
    // than the "##" comment line that starts the output
    cli.send("show configuration\n");
    cli.expect(prompt);

    // collect everything before the prompt, i.e. the config itself
    config = cli.before();

    // logout from the device; do not expect() anything after "exit", since the
    // remote side closes the stream and a further expect() reports "End of stream"
    cli.send("exit\n");

    // close the ssh connection handle then print the config
    cli.expectClose();
    println config;