Today we announced the September 2009 bundle of Cisco IOS Software Security Advisories. In line with our previous announcements, this grouping of advisories discloses security vulnerabilities in Cisco IOS Software.
Information on the vulnerabilities disclosed today can be found at the Cisco Security Advisory listing page. Additionally, we create an Event Response Page (ERP) for our advisory bundles as we’ve done for Microsoft vulnerabilities since June 2007. These Event Response Pages are designed to be a starting point for your vulnerability triage needs. The pages contain links to important documents as well as the assigned CVEs and CVSS scores. The ERP for the IOS vulnerabilities disclosed today can be found over at our Security Intelligence Operations portal.
The bundling concept was implemented in response to feedback that the lack of an announced schedule for Cisco IOS Software vulnerability disclosure was not allowing customers to appropriately plan for and integrate security advisories into their management processes. As a general rule, our advisory bundle timelines are limited to Cisco IOS Software and do not include any other Cisco products or operating systems. However, if the same vulnerability exists in Cisco IOS Software and another product—for example Cisco IOS-XE or Unified Communications Manager—we will work to release the corresponding advisories simultaneously. In fact, this was done today and in September 2008 when we disclosed SIP-related vulnerabilities that affected both Cisco Unified Communication Manager and Cisco IOS Software.
It is also worth noting that we may release out-of-cycle advisories as needed to reduce your risk to vulnerabilities in Cisco IOS Software. As I’ve discussed before, this flexibility is exercised with your needs in mind, and I believe it’s a good thing.
Although it is becoming less common now that people are more familiar with Cisco’s security advisory bundling—as this is our fourth official Cisco IOS Software Security Advisory bundle—we often receive a similar set of questions from folks in the field. Here are a few of those questions, with answers, in case you are wondering about any of them yourself.
- Question: If Cisco knows about vulnerabilities, I need to know right away, not wait for six months. Does this mean that Cisco will be withholding issues that can impact my network for up to six months?
- Answer: The actual public disclosure of vulnerabilities is the end of our vulnerability management cycle. Our Product Security Incident Response Team (PSIRT) works with our engineering organization to address vulnerabilities as quickly as possible. Software releases are patched, tested, and posted to Cisco.com as soon as possible.
- Question: Does Cisco IOS Software advisory bundling mean that there will be a PSIRT announcement only twice per year, in March and September?
- Answer: There will be a Cisco IOS Software advisory announcement twice per year, in March and September. There will continue to be occasional Cisco IOS Software advisory announcements published out-of-cycle in cases warranted by extraordinary circumstances. Furthermore, the advisory announcements for all other products will continue unchanged, without a specific schedule.
- Question: What will happen if someone outside of Cisco releases information that puts my network at risk?
- Answer: Cisco will publish information in an out-of-cycle advisory if increased public awareness or active exploitation of vulnerabilities is observed. Cisco's disclosure policy has not changed as a result of advisory bundling for Cisco IOS Software. Cisco IOS Software Security Advisory bundling aims to streamline the public announcements where possible to allow our customers to more effectively manage their network.
Once you have an understanding of advisory bundling, it is important that you take advantage of the scheduled dates to plan security and software deployment work appropriately. For example and ignoring all other factors, it is best to avoid performing Cisco IOS Software planning or deployments during the weeks leading up to a bundle announcement date. Time and money spent to deploy an IOS image in early March or September may very well be lost only to find on the fourth Wednesday that the deployed image contains one or more security vulnerabilities.
There are several resources that can help you learn of new advisories when they are released. This includes the Cisco Security Intelligence Operations portal and the security advisory listing page at http://www.cisco.com/go/psirt as well as more proactive services such as the PSIRT RSS feeds, the Cisco Notification Service, and the Customer Security Announce mailing list.
The next Cisco IOS Software Security Advisory bundle will be released on the 24th of March 2010. Mark your calendar!