It’s that time of year again, folks. On Wednesday of next week, the Cisco Product Security Incident Response Team (PSIRT) will release the first Cisco IOS Software Security Advisory Bundled Publication of 2013. As a reminder, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our security advisories, vulnerabilities scheduled for disclosure in the upcoming bundle will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.
My colleague, Dario Ciccarone from the Cisco Product Security Incident Response Team (PSIRT) will be presenting “Security Vulnerability Handling at Cisco” at (ISC)2′s New York Metro Chapter meeting on February 13th, 2013. This will be an evening of information security presentations, networking reception and filled with Chapter activity discussions during this event. This event also qualifies for 2 CPEs for certified information security professionals (CISSP). Read More »
Cisco has recently received questions about a vulnerability in some of our 7900 series IP office phones that is said to allow eavesdropping on nearby office conversations. This was discovered by IT security researchers at Columbia University, and we thank them for reporting it to us before presenting at various security conferences.
We are actively working on a permanent fix, and have released very detailed, step-by-step guides for customers on identifying and preventing the vulnerability from being used. We’re not aware of it being used against any of our customers – largely due the fact that it is very challenging to exploit.
Unlike other IT security issues that have received attention, this is not simply a matter of someone “hacking” into the software on one phone. As the Columbia research demonstrated, someone wishing to take advantage of the vulnerability faces several distinct challenges. They would need hardware and software skills specifically related to software at the core of IP phones, an IT network configured a very specific way, and physical access to the phone’s serial port to insert a tailor-made device pre-loaded with software.
That does not mean we take this vulnerability lightly. We first issued information to our customers at the end of last year and have recently released very detailed documents to help those responsible for protecting IP phone networks. You can see these documents here: Security Advisory and Applied Mitigation Document.
As well as offering customers the information needed to secure their phone network against this vulnerability, Cisco will issue a software update on January 21st that closes off access to the vulnerability.
UPDATE – this interim software update was released to customers ahead of schedule on January 17th.
We remain committed to making sure Cisco products maintain the highest levels of security. When we learn of vulnerabilities we will address them quickly and communicate transparently with our customers.
SVP and GM, Collaboration Technology
Is the product safe to use? I have been asked this question on occasion in a non-technical sense and maybe you have too. In a technical context, I could frame the question as “Are the online services and underlying technologies supporting my services safe?” A continuous effort must go into substantiating the preferable answer (“Yes”) that we are looking for, both prior to and after releasing a product or service into the wild. Security Intelligence Operations (SIO) includes a team of network security experts that form the Security Technology Assessment Team (STAT). They provide security assessment expertise across Cisco’s product and services organizations. In this article, I elaborate on their role and how they complement product and services organizations at Cisco in helping to protect you, our customer.
In the not-so-distant past it used to be that the majority of notoriety around product security was focused more around physical aspects. For example, a manufacturer announces a product recall about a defect (i.e. vulnerability) that could cause potential physical harm or worse. Fast-forward to today where computing devices and associated Internet plumbing comprise an entirely distinct category of product security needed. Within that category, I would also suggest that services and the underlying supporting infrastructure would also fall into this category in the ongoing quest for achieving network security. I think that this quote from a U.S. government hearing underscores the value of that quest as well.
“When we bring in new technologies, we bring in new exposures and new vulnerabilities, things we really haven’t thought about. It takes a little while before we understand it, and after a while we begin to secure it. But our mindset needs to change. This is not the same as industrial technologies or new ways of doing aircraft or cars. These technologies are global and they expose us globally, literally within milliseconds.”
Business units and quality assurance groups at Cisco apply multi-level security processes throughout the development of products and services to ensure that security is embedded into everything that is ultimately delivered to customers. For example, Cisco’s secure development life cycle (SDL) provides a highly effective process in detecting and preventing security vulnerabilities and improving overall system quality. Cisco SDL has several elements that include, but not limited to, source code analysis and white box testing that feed into the security posture of a product or service. Cisco has a security advocates program, a virtual community of people who understand network security and secure product development (and testing) and who can share and evangelize that knowledge with their peers, their colleagues, and their management.
Today Cisco Security Intelligence Operations (SIO) has released its Semi-annual Cisco IOS Software Security Advisory Bundle, the second and final IOS bundle publication of 2012. Today’s release includes nine advisories, of which five have workarounds.
As in previous bundle publications, Cisco SIO has provided an array of security resources to help customers secure their networks. This collateral is not unique to bundle security advisories and instead is part of SIO’s response to current security events. Resources include: Read More »