Cisco Bug: CSCvt88825 - Vulnerabilities with the type "Potentially Vulnerable" are being shown as "Vulnerable"

Last Modified

Jun 02, 2020

Products (1)

  • Cisco Prime Infrastructure

Known Affected Releases

3.7(0.0)

Description (partial)

Symptom:
A Prime Infrastructure PSIRT report lists a vulnerability such as the following (example):

Device Name:  QGRLSPTW-SA01
Product Type: Cisco Catalyst 29xx Stack-able Ethernet Switch
IP Address: x.x.x.x
OS Type: IOS
OS Version: 15.2(2)E3
PSIRT Title: Cisco IOS, IOS XE, and IOS XR Software Link Layer Discovery Protocol Buffer Overflow Vulnerabilities (//tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-lldp)
Vulnerable: Vulnerable
Match Reason: MATCH:OSTYPE, OSVER::MORE:Manual
Caveat: The LLDP feature may be enabled by default on some platforms and versions. Only known reliable method to identify if a device is running LLDP or not is to check "show lldp" output as LLDP is enabled by default in some codes and exhaustive list of codes which have LLDP enabled by default is not available.
CVSS: Base 8.8
CVE: CVE-2018-0167, CVE-2018-0175

Although the device is reported as "Vulnerable", the report's own caveat states: "Only known reliable method to identify if a device is running LLDP or not is to check 'show lldp' output"

Conditions:
Prime Infrastructure version: 3.7

PAS bundle info:
"PSIRT Detailed   PAS bundle date: Jun 12 2019   RBML bundle date: Jun 10 2019"

The PAS output is showing "MISSING:IMAGENAME", so Prime Infrastructure automatically marked the device as vulnerable.