Today we announced our regularly scheduled, semiannual (that’s twice a year, not every other year) group of Cisco IOS Security Advisories, otherwise known as our “Cisco IOS Security Advisory Bundle.” Security Advisories are disclosed by the Cisco Product Security Incident Response Team (PSIRT) in response to vulnerabilities that have been discovered and/or reported, either internally or externally, in Cisco products. The term “bundle” was chosen since we now disclose a group of IOS-related Security Advisories at one time, as opposed to releasing advisories individually whenever they are ready for prime time. This one-at-a-time approach is what we had used for years until, back in March 2008, we decided to take the “bundle” approach, similar to Microsoft’s monthly “Microsoft Tuesday” event, which occurs on the second Tuesday of every month.
Our customers have told us that having a known, expected date for the announcement of our bundle of IOS Security Advisories helps them appropriately plan for the event. It enables all of you to have the resources in place to review, analyze and schedule for the subsequent testing of patches, upgrades and/or mitigations required to remediate the respective vulnerabilities in your environments.
The September 22, 2010 edition of the Cisco IOS Security Advisory Bundle contains a total of five IOS-related Advisories, affecting each of the following IOS features:
- Internet Group Management Protocol version 3 (IGMPv3)
- Network Address Translation (NAT)
- Session Initiation Protocol (SIP)
- SSL VPN
In addition to these five IOS Advisories, there is also a “non-IOS” Advisory for the Cisco Unified Communications Manager (CUCM) family of products. CUCM (formerly known as Call Manager) provides the capability to offer IP-based voice services over an enterprise IP network. The reason for including CUCM in this IOS Bundle is that the same SIP-related vulnerabilities that affect IOS also affect CUCM. Customers that responded to our CUCM security advisory (disclosed on August 25, 2010) by upgrading to a fixed version of software can rest easy since the software versions released with the August advisory also addressed the vulnerabilities announced in today’s CUCM security advisory.
Individual Security Advisory links are available in the Cisco Event Response page at the following link: http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep10.html
In addition to the workarounds identified (where applicable) in the respective advisories, there are also two Applied Mitigation Bulletins that provide identification and mitigation techniques for the voice-related (H.323, SIP, CUCM) and IGMPv3 vulnerabilities.
We hope that everyone impacted by network vulnerabilities finds the format of the semiannual Cisco IOS Security Advisory Bundle timely, useful, and informative.