We are now more than one year on from the release of HeartBleed, the first major vulnerability disclosed in widely used third-party code. This is an excellent point in time to look back at what Cisco and our customers have achieved since, including how the Cisco Product Security Incident Response Team (PSIRT) has evolved to meet this new type of threat. It’s also a key time for us to confirm and clarify our commitment to transparency in the vulnerability disclosure process.
On April 13th, 2015, Cisco PSIRT was made aware of multiple instances of customer disruption in a specific region caused by a denial of service attack against Cisco devices. We responded quickly to support speedy restoration for our customers.
Our ongoing investigation has shown that the storage of some Cisco devices was erased, removing both the Cisco IOS and device configuration from the non-volatile RAM. Once rebooted, these devices became non-operational, affecting connectivity to the global Internet.
Cisco PSIRT, together with other internal Cisco teams, responded to support affected customers, review configuration backups of affected devices, and to analyze all available log files and Netflow information.
At this time, we have seen a common element across all inspected devices: a combination of weak credentials and a lack of device hardening. There has been no evidence of a Cisco bug or vulnerability being exploited. Should this situation change and we discover the use of a vulnerability, Cisco will disclose in accordance with our Security Vulnerability Policy.
Today, we released the first ever Cisco IOS Software and IOS XE Software Security Advisory Bundled Publication. As a reminder, Cisco discloses IOS vulnerabilities on a predictable schedule (on the fourth Wednesday of March and September each calendar year). In direct response to your feedback, we have also included a Cisco Security Advisory addressing vulnerabilities in Cisco IOS XE Software in this publication. We hope this timeline and additional “bundling” continues to allow your organization to plan and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
Read More »
This blog post was authored by Troy Fridley and Omar Santos of Cisco PSIRT.
On Mar 9 2015, the Project Zero team at Google revealed findings from new research related to the known issue in the DDR3 Memory specification referred to as “Row Hammer”. Row Hammer is an industry-wide issue that has been discussed publicly since (at least) 2012.
The new research by Google shows that these types of errors can be introduced in a predictable manner. A proof-of-concept (POC) exploit that runs on the Linux operating system has been released. Successful exploitation leverages the predictability of these Row Hammer errors to modify memory of an affected device. An authenticated, local attacker with the ability to execute code on the affected system could elevate their privileges to that of a super user or “root” account. This is also known as Ring 0. Programs that run in Ring 0 can modify anything on the affected system. Read More »
Cisco PSIRT – Notice about public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability
Cisco PSIRT is aware of public exploitation of the Cisco ASA Clientless SSL VPN Portal Customization Integrity Vulnerability identified by Cisco bug ID CSCup36829 (registered customers only) and CVE ID CVE-2014-3393. This vulnerability was disclosed on the 8th of October 2014 in the Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software.
All customers that have customizations applied to their Clientless SSL VPN portal and regardless of the Cisco ASA Software release in use should review the security advisory and this blog post for additional remediation actions.
NOTE: The Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software should be used as the Single Source of Truth (SSoT) for all details of this vulnerability and for any revisions of information going forward. Read More »