InsightVM not able to scan Cisco devices

InsightVM is not able to perform vulnerability scans for Cisco devices. I have created multiple Rapid7 support tickets (06995454, 06881846) for this issue, but the issue is not resolved. I can manually log in to the InsightVM scan engine server, establish an SSH session to the switch, and run all the necessary Cisco commands. The Rapid7 service account has privilege level 15. Has anyone experienced this issue?

Below is the log message.

2024-05-29T14:59:38 [DEBUG] [Thread: ssh-do-service-admin-connect@IPADDRESS:22] [Site: Cisco Test site] [SSHChannelManager] Authentication succeeded (password).
2024-05-29T14:59:38 [DEBUG] [Thread: ssh-do-service-admin-connect@IPADDRESS:22] [Site: Cisco Test site] [SSHChannelManager] Disconnecting from IPADDRESS port 22
2024-05-29T14:59:38 [DEBUG] [Thread: ssh-do-service-admin-connect@IPADDRESS:22] [Site: Cisco Test site] Configured privilege elevation type: PRIVILEGEDEXEC
2024-05-29T14:59:39 [INFO] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] [IPADDRESS:22/tcp] Logging credential status SUPPLIED_SUCCESS_ALLOWED_ELEVATION for service SSH.

When we try to run commands, the asset stops responding:

2024-05-29T14:59:42 [WARN] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] Failed remote execution attempt after 1 consecutive failed attempts
2024-05-29T14:59:42 [DEBUG] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] Failed remote execution:
java.io.IOException: com.jcraft.jsch.JSchException: session is down
2024-05-29T14:59:49 [WARN] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] Failed remote execution attempt after 2 consecutive failed attempts
2024-05-29T14:59:49 [DEBUG] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] Failed remote execution:
java.io.IOException: com.jcraft.jsch.JSchException: session is down
2024-05-29T14:59:56 [WARN] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] Failed remote execution attempt after 3 consecutive failed attempts
2024-05-29T14:59:56 [DEBUG] [Thread: ssh-assert-services-thread@IPADDRESS:22] [Site: Cisco Test site] Failed remote execution:
java.io.IOException: com.jcraft.jsch.JSchException: session is down

Rapid7's response is:

"It is known for some Cisco devices to try and protect themselves from what it thinks is an attack, so either this is happening or there is rate limiting in place.

In both instances, there is not much we can do within the scan template or site configuration. InsightVM currently cannot be configured for rate-limiting. If any adjustment is possible on your end for rate-limiting or reconfiguring the device to allow continuous response with the scan engine, that may resolve this issue. Nevertheless, this is all the information we can provide with regards to this matter."

Our network admin says there is no rate-limiting on the Cisco switch. If this is a Rapid7 limitation and if there are better vulnerability scanners for network devices, let me know.

I had the same problem, and I used RO lvl5

I suggest creating another site and adding only the one credential that is needed for this switch. This will give you credential success, and the version will be fingerprinted correctly.

On a Cisco network device, a policy like Fail to Ban can be set.
Examples:
login block-for 60 attempts 5 within 60
login on-failure log
login on-success log
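
A triage sketch for the scan log quoted in the original post, added here as an example (not Rapid7's or any poster's code): it groups records by target and flags assets where SSH authentication succeeded but remote execution then failed with "session is down". The sample log is constructed in the format of that excerpt, with 192.0.2.x documentation addresses in place of IPADDRESS; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the excerpt quoted in the thread.
# 192.0.2.10 and 192.0.2.20 are documentation addresses standing in for IPADDRESS.
S = "[Site: Cisco Test site]"
SAMPLE_LOG = f"""\
2024-05-29T14:59:38 [DEBUG] [Thread: ssh-do-service-admin-connect@192.0.2.10:22] {S} [SSHChannelManager] Authentication succeeded (password).
2024-05-29T14:59:39 [INFO] [Thread: ssh-assert-services-thread@192.0.2.10:22] {S} [192.0.2.10:22/tcp] Logging credential status SUPPLIED_SUCCESS_ALLOWED_ELEVATION for service SSH.
2024-05-29T14:59:42 [WARN] [Thread: ssh-assert-services-thread@192.0.2.10:22] {S} Failed remote execution attempt after 1 consecutive failed attempts
2024-05-29T14:59:42 [DEBUG] [Thread: ssh-assert-services-thread@192.0.2.10:22] {S} Failed remote execution:
java.io.IOException: com.jcraft.jsch.JSchException: session is down
2024-05-29T14:59:49 [WARN] [Thread: ssh-assert-services-thread@192.0.2.10:22] {S} Failed remote execution attempt after 2 consecutive failed attempts
2024-05-29T14:59:49 [DEBUG] [Thread: ssh-assert-services-thread@192.0.2.10:22] {S} Failed remote execution:
java.io.IOException: com.jcraft.jsch.JSchException: session is down
2024-05-29T15:00:01 [DEBUG] [Thread: ssh-do-service-admin-connect@192.0.2.20:22] {S} [SSHChannelManager] Authentication succeeded (password).
2024-05-29T15:00:02 [INFO] [Thread: ssh-assert-services-thread@192.0.2.20:22] {S} [192.0.2.20:22/tcp] Logging credential status SUPPLIED_SUCCESS_ALLOWED_ELEVATION for service SSH.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<level>\w+)\] \[Thread: [^@\]]+@(?P<target>[^\]]+)\] "
    r"\[Site: (?P<site>[^\]]+)\] (?P<msg>.*)$")
STATUS_RE = re.compile(r"Logging credential status (\w+) for service SSH")
FAIL_RE = re.compile(r"Failed remote execution attempt after (\d+) consecutive")

def triage(log_text):
    """Group records by target and flag 'login works, command channel dies'."""
    assets = defaultdict(lambda: {"auth_ok": False, "status": None,
                                  "failures": 0, "session_down": 0})
    target = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            # Continuation line (Java exception text) belongs to the previous record.
            if target and "JSchException: session is down" in line:
                assets[target]["session_down"] += 1
            continue
        target, msg = m["target"], m["msg"]
        a = assets[target]
        if "Authentication succeeded" in msg:
            a["auth_ok"] = True
        if (s := STATUS_RE.search(msg)):
            a["status"] = s.group(1)
        if (f := FAIL_RE.search(msg)):
            a["failures"] = max(a["failures"], int(f.group(1)))
    for a in assets.values():
        a["verdict"] = ("exec_failed_after_auth" if a["auth_ok"] and a["session_down"]
                        else "ok" if a["auth_ok"] else "auth_not_seen")
    return dict(assets)

if __name__ == "__main__":
    for tgt, info in triage(SAMPLE_LOG).items():
        print(tgt, info["verdict"], info)
```

Run over a full scan log, the `exec_failed_after_auth` verdict separates devices that drop the session after login from those where the credential itself never authenticated.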