#TRUSTED 0794cfb83672c2469b539668739bae4912f76494a4aaceeb87fe2b2725e9c029ddf40a06e9f5367bb249f2538f3a5b6d9f1adc14460fa8ff663953f22e2e51c02e4d7e595a0f571f8a3bebfc672bdea30e85b161d06b5d92191dc388c14bc6ac7dc8d2a641a91f0a7186d832910f2ee9f980fff8c5195c156ca92a79c8b67b3f6d7230a0199f5f5c934d51023ef0da037cd611feffd7b87712b9cb2d861278e7ba2fd9308c992607f8475e31bd221cd89c8e9174a08f57214d362ef7c3a4aa759ed52586864681a2251f1042aaa6b1166d878f4b7d4771fba4196ca0f53956f13df7debff08d2ce65d053cd3af4347fa85295277a615f9804245c4eb293737374f695977ae673cf17c1579ae2185cbed8e73786be4d94bf35120116ee0620f22614ccd0d28f864b5678614ac4f0d86567b26d85a8c2c30548b82c656442c9153d2711fe21a174294d8fcb54b55b2d051c5fde529bf4efce7ad96185bbfc72e6e8a0ae8365d0f6e6cdeaf4eaf946c1f377d35a39d0065a1d655bb03b6c5a9a92cec0cc2075995a689a12e8bf86cd28a6d80e79b31f69321637fb21aec25b8e12b17a58482d6b8323e5bdbcdfe66a33993412f5e6e83a921ebf0c89ce96b59765f2dc9385a1318e6f800e2eb6d244c4e4ccf236918353cbc47affad06b8bdf4b9fcbdf0eff08aef067c8f2793238e0645fa3fc42a8f717f31595da5f0c27740844
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: when `description` is set, only the plugin metadata
# below is recorded and the script stops at exit(0) before touching the host.
if (description)
{
  # Identity and revision tracking.
  script_id(94470);
  script_version("1.40");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/15");
  script_xref(name:"IAVT", value:"0001-T-0550");

  # Human-readable name, summary and description shown in scan results.
  script_name(english:"Cisco Secure Firewall Management Center Detection");
  script_summary(english:"Obtain the version of the remote Cisco Firepower System.");

  # The multi-line string values start at column 0 on purpose: any leading
  # whitespace would become part of the displayed text.
  script_set_attribute(attribute:"synopsis", value:
"Cisco Secure Firewall Management Center is running on the remote host.");
  script_set_attribute(attribute:"description", value:
"Cisco Secure Firewall Management Center is running on the remote
host. Cisco Secure Firewall Management Center is a comprehensive
management platform for managing firewalls, application control,
intrusion prevention, URL filtering, and advanced malware protection.
It was possible to obtain version information for the Cisco Secure
Firewall Management Center using SSH.");

  # Each shortened see_also link is preceded by the full URL it stands for.
  # https://www.cisco.com/c/en/us/products/security/firepower-management-center/index.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2b72c506");
  # https://www.cisco.com/c/en/us/td/docs/security/firepower/roadmap/firepower-roadmap.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef16908d");

  # Pure detection: nothing to remediate and no risk rating.
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/02");

  # "local": the version is read over an SSH session (see the description
  # text above), so the result depends on working credentials.
  script_set_attribute(attribute:"plugin_type", value:"local");

  # Same CPE string that the main body stores under Host/Cisco/firepower_mc/cpe.
  script_set_attribute(attribute:"cpe", value:"cpe:/a:cisco:secure_firewall_management_center");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CISCO");
  script_copyright(english:"This script is Copyright (C) 2004-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Scheduling constraints: run after ssh_get_info.nasl, need an SSH service,
  # and need the Host/uname KB key that the main body reads first.
  script_dependencies("ssh_get_info.nasl");
  script_require_ports("Services/ssh", 22);
  script_require_keys("Host/uname");

  exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('ssh_func.inc');
include('hostlevel_funcs.inc');
include('install_func.inc');
include('spad_log_func.inc');
# Called once, before any ssh_open_connection()/ssh_cmd() use further down.
# NOTE(review): enable_ssh_wrappers() is defined in one of the included
# libraries, not in this file - confirm there what it changes for the ssh_* calls.
enable_ssh_wrappers();
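##
# Record the detected Management Center install in the KB, emit the
# informational report and end the plugin.
#
# @param ver           Software version string parsed from the device.
# @param build         Build number, or NULL when none was parsed.
# @param source        Label printed in the report for how the data was obtained.
# @param vdb_ver       VDB version, or NULL to omit it.
# @param vdb_build     VDB build, or NULL to omit it.
# @param patches_ssh   Package listing text, or NULL/empty to omit it.
# @param interrupt_msg Optional text appended verbatim to the report.
#
# @remark Does not return: the function ends with exit(0).
##
function report_and_exit(ver, build, source, vdb_ver, vdb_build, patches_ssh, interrupt_msg)
{
  local_var report, jank_ver;

  # Combined "version-build" form; falls back to the bare version when no
  # build number is available.
  jank_ver = ver;
  if (!isnull(build))
    jank_ver += '-' + build;

  replace_kb_item(name:'Host/Cisco/firepower/Version', value:jank_ver);
  replace_kb_item(name:'Host/Cisco/firepower', value:TRUE);
  replace_kb_item(name:'Host/Cisco/firepower_mc', value:TRUE);
  replace_kb_item(name:'Host/Cisco/firepower_mc/version', value:ver);

  # build can legitimately be NULL (the check above already allows for it),
  # so only write the key when there is a value to store instead of handing
  # a NULL value to replace_kb_item().
  if (!isnull(build))
    replace_kb_item(name:'Host/Cisco/firepower_mc/build', value:build);

  replace_kb_item(name:'Host/Cisco/firepower_mc/cpe', value:'cpe:/a:cisco:secure_firewall_management_center');

  report =
    '\n Source : ' + source +
    '\n Version : ' + jank_ver;

  # Optional fields: each one is stored and reported only when present.
  if (!isnull(vdb_ver))
  {
    replace_kb_item(name:'Host/Cisco/firepower_mc/vdb_version', value:vdb_ver);
    report = report + '\n VDB Version : ' + vdb_ver;
  }

  if (!isnull(vdb_build))
  {
    replace_kb_item(name:'Host/Cisco/firepower_mc/vdb_build', value:vdb_build);
    report = report + '\n VDB Build : ' + vdb_build;
  }

  # patches_ssh goes into the KB and the report unmodified. The caller passes
  # command output from the scanned host, so anything that consumes this key
  # or the report should treat it as untrusted text.
  if (!empty_or_null(patches_ssh))
  {
    replace_kb_item(name:'Host/Cisco/firepower_mc/patch_history', value:patches_ssh);
    report = report + '\n Patch History :\n' + patches_ssh;
  }

  if (!empty_or_null(interrupt_msg))
    report = report + interrupt_msg;

  report += '\n';

  # Informational finding on port 0, then stop the plugin.
  security_report_v4(port:0, extra:report, severity:SECURITY_NOTE);
  exit(0);
}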
# Host/uname is the key required in the description block; the plugin stops
# here if it is missing.
var uname = get_kb_item_or_exit('Host/uname');

# Sample uname strings:
#   Linux firepower 3.10.53sf.virtual-26 #1 SMP Mon Feb 22 20:47:53 UTC 2016 x86_64 GNU/Linux
#   Linux am1opd1fp 3.10.45sf.westmere-17 #1 SMP Fri Oct 30 14:59:18 UTC 2015 x86_64 GNU/Linux
#   Linux firepower 3.10.53sf.virtual-53 #1 SMP Wed Nov 23 14:50:49 UTC 2016 x86_64 GNU/Linux
#   Linux Lab-asa5506 3.10.62-ltsi-WR6.0.0.29_standard #1 SMP Thu Nov 9 06:32:13 PST 2017 x86_64 x86_64 x86_64 GNU/Linux
#   Linux fpr-2100.lab.tenablesecurity.com 4.1.21-WR8.0.0.25_standard #1 SMP Tue Apr 16 12:21:06 PDT 2019 x86_64 x86_64 x86_64 GNU/Linux

##
# Coarse filter on uname:
#  - no 'Linux' at all: audit out as a different OS;
#  - 'Linux' but none of the 'sf' / 'WR' / '_standard' markers: log it and
#    carry on, because the checks further down are the deciding ones.
##
if ('Linux' >!< uname)
{
  spad_log(message:'Linux string not matched in uname: ' + uname);
  audit(AUDIT_OS_NOT, 'Cisco Secure Firewall Management Center');
}
else if (!('sf' >< uname || 'WR' >< uname || '_standard' >< uname))
{
  spad_log(message:'Firepower characteristics not matched in uname: ' + uname);
}

##
# Deciding checks: distribution release strings and the installed package
# list, all taken from KB items.
# Every indicator here is text reported by the target itself, so the result
# identifies what the host claims to be.
##
var is_firepower = FALSE;
var redhat_rel = get_kb_item('Host/etc/redhat-release');
var slackware_rel = get_kb_item('Host/etc/slackware-version');

if ('Sourcefire Linux' >< redhat_rel || 'Sourcefire Linux' >< slackware_rel ||
    'Fire Linux' >< redhat_rel || 'Fire Linux' >< slackware_rel)
{
  spad_log(message:'Firepower matched in redhat_rel or slackware_rel');
  is_firepower = TRUE;
}

# Cached package listing; the SSH section later in the file runs the same
# command itself when this is empty.
var patches_ssh = get_kb_item('Host/Cisco/FTD_CLI/1/rpm -qa --last');
if (!empty_or_null(patches_ssh))
{
  if ('Sourcefire_Product_Family' >< patches_ssh)
  {
    spad_log(message:'Firepower matched in rpm -qa --last output');
    is_firepower = TRUE;
  }
}

# Neither indicator matched: report a different OS. The code after this
# point assumes the audit() call ended the plugin.
if (!is_firepower)
{
  spad_log(message:'Firepower characteristics unmatched');
  audit(AUDIT_OS_NOT, 'Cisco Secure Firewall Management Center');
}
var firepower_ssh, model_ssh, vdb_ssh, cmd, msg;

##
# The host has been accepted as Firepower at this point.
# Start from values already cached in the KB (presumably stored by an earlier
# plugin such as the ssh_get_info.nasl dependency - confirm).
##
firepower_ssh = get_kb_item('Host/Cisco/os-release');
model_ssh = get_kb_item('Host/Cisco/model_conf');
vdb_ssh = get_kb_item('Host/Cisco/vdb_conf');

# Open an SSH session only when at least one value is missing, then fetch
# just the missing ones. Every command is a fixed literal: nothing read from
# the host is interpolated into a command line.
if (
  empty_or_null(patches_ssh) ||
  empty_or_null(firepower_ssh) ||
  empty_or_null(model_ssh) ||
  empty_or_null(vdb_ssh)
)
{
  var sock_g = ssh_open_connection();
  if (!sock_g)
    audit(AUDIT_FN_FAIL, 'ssh_open_connection');

  # Installed packages, most recently installed first.
  if (empty_or_null(patches_ssh))
  {
    cmd = 'rpm -qa --last';
    msg = 'Executing ' + cmd;
    spad_log(message:msg);
    sleep(1);  # one-second pause before each command; the file gives no reason
    patches_ssh = ssh_cmd(cmd:cmd);
  }

  # OS version/build file.
  if (empty_or_null(firepower_ssh))
  {
    cmd = 'cat /etc/os.conf';
    msg = 'Executing ' + cmd;
    spad_log(message:msg);
    sleep(1);
    firepower_ssh = ssh_cmd(cmd:cmd);
  }

  # Model and software version/build file.
  if (empty_or_null(model_ssh))
  {
    cmd = 'cat /etc/sf/model.conf';
    msg = 'Executing ' + cmd;
    spad_log(message:msg);
    sleep(1);
    model_ssh = ssh_cmd(cmd:cmd);
  }

  # VDB version/build file.
  if (empty_or_null(vdb_ssh))
  {
    cmd = 'cat /etc/sf/.versiondb/vdb.conf';
    msg = 'Executing ' + cmd;
    spad_log(message:msg);
    sleep(1);
    vdb_ssh = ssh_cmd(cmd:cmd);
  }

  ssh_close_connection();
}
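# Package enumeration is prone to timeouts, so check whether an SSH command
# was interrupted and, if so, prepare a warning for the report.
# interrupt_msg is declared explicitly so that the NULL handed to
# report_and_exit() when nothing was interrupted is intentional.
# NOTE(review): cmd holds the last command issued by the SSH section, which is
# not necessarily the one that was interrupted, and it is unset when every
# value came from the KB - confirm how ssh_cmd_interrupted() tracks state.
var interrupt_msg = NULL;
if (ssh_cmd_interrupted())
{
  interrupt_msg = '\nSSH command interrupted due to timeout or error:\n' + cmd + '\n';
  interrupt_msg += '\nPlugins will be unable to properly check installed hotfixes.\n';
}

# in case we see other 'MODEL's
# MODEL="Cisco Firepower Management Center for VMWare" -> MODEL_TYPE=CONSOLE
# The raw text of all four sources is written to the debug log in full.
spad_log(message:'cat /etc/os.conf:\n' + firepower_ssh + '\n\n');
spad_log(message:'cat /etc/sf/model.conf:\n' + model_ssh + '\n\n');
spad_log(message:'cat /etc/sf/.versiondb/vdb.conf:\n' + vdb_ssh + '\n\n');
spad_log(message:'rpm -qa --last:\n' + patches_ssh + '\n\n');

# Validate that we got packages and not an error by looking for a date prefix
# like "Mon Apr " from --last; otherwise set patches_ssh to NULL so that it is
# not reported.
if (patches_ssh !~ "[A-Z][a-z]{2} [A-Z][a-z]{2} ")
{
  spad_log(message:'No date in result of rpm -qa --last, setting patches_ssh to NULL');
  patches_ssh = NULL;
}

# VDB version: digits and dots after CURRENT_VERSION=. The trailing \W needs a
# following non-word character, so a value at the very end of the text with no
# newline after it does not match and is treated as absent.
var vdb_version = pregmatch(string:vdb_ssh, pattern:"CURRENT_VERSION=([0-9.]+)\W");
if (!empty_or_null(vdb_version) && !empty_or_null(vdb_version[1]))
  vdb_version = vdb_version[1];
else
  vdb_version = NULL;

# VDB build: digits after CURRENT_BUILD=, with the same trailing \W behaviour.
var vdb_build = pregmatch(string:vdb_ssh, pattern:"CURRENT_BUILD=([0-9]+)\W");
if (!empty_or_null(vdb_build) && !empty_or_null(vdb_build[1]))
  vdb_build = vdb_build[1];
else
  vdb_build = NULL;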
var version, build;

# Choose one source for the version: model.conf when it carries both SW keys,
# otherwise os.conf when it carries both OS keys.
# NOTE(review): os.conf is not consulted when model.conf has the SW keys but
# SWVERSION fails to parse; the plugin then ends at the audit() call below.
var conf_text = NULL;
var ver_pattern, build_pattern;

if ('SWVERSION' >< model_ssh && 'SWBUILD' >< model_ssh)
{
  conf_text = model_ssh;
  ver_pattern = "SWVERSION=([0-9][0-9.]+)\s*([\r\n]|$)";
  build_pattern = "SWBUILD=([0-9]+)\s*([\r\n]|$)";
}
else if ('OSVERSION' >< firepower_ssh && 'OSBUILD' >< firepower_ssh)
{
  conf_text = firepower_ssh;
  ver_pattern = "OSVERSION=([0-9][0-9.]+)\s*([\r\n]|$)";
  build_pattern = "OSBUILD=([0-9]+)\s*([\r\n]|$)";
}

if (!isnull(conf_text))
{
  # The patterns accept only digits and dots for the version and only digits
  # for the build, so the values stored by report_and_exit() are constrained
  # even though the file content comes from the scanned host.
  version = pregmatch(string:conf_text, pattern:ver_pattern);
  if (!isnull(version))
  {
    version = version[1];

    # A build that does not parse stays NULL; report_and_exit() accepts that.
    build = pregmatch(string:conf_text, pattern:build_pattern);
    if (!isnull(build))
      build = build[1];

    # Does not return.
    report_and_exit(ver:version, build:build, source:'SSH', vdb_ver:vdb_version, vdb_build:vdb_build, patches_ssh:patches_ssh, interrupt_msg:interrupt_msg);
  }
}

# The product was identified but no version could be extracted.
audit(AUDIT_UNKNOWN_DEVICE_VER, 'Cisco Secure Firewall Management Center');