“A security advisory was just published! Should I hurry and upgrade all my Cisco devices now?”
This is a question that I am being asked by customers on a regular basis. In fact, I am also asked why there are so many security vulnerability advisories. To start with the second question: Cisco is committed to protecting customers by sharing critical security-related information in a very transparent way. Even if security vulnerabilities are found internally, the Cisco Product Security Incident Response Team (PSIRT) – which is my team – investigates, drives to resolution, and discloses such vulnerabilities. To quickly answer the first question, don’t panic, as you may not have to immediately upgrade your device. However, in this article I will discuss some of the guidelines and best practices for responding to Cisco security vulnerability reports.
Read More »
Tags: advisories, CVSS, cybersecurity, exploits, incident response, malware, psirt, security advisories, security advisory, security notice, security notices, security top of mind, vulnerability
Today, Cisco is celebrating a milestone in its commitment to helping you act on security intelligence—our 10th bundle of Cisco IOS Software Security Advisories. We’re proud of our commitment to these predictable disclosures (on the fourth Wednesday of March and September annually) because they originated as a direct response to your feedback. Bundled publications allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. In an upcoming post, my colleague John Stuppi will share how the Cisco Product Security Incident Response Team (PSIRT) drove the evolution from a traditional disclosure model to the current semiannual bundled publication. John’s post will also provide another vehicle to share feedback with PSIRT, the organization that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks.
Make sure you take a look at the Cisco Event Response—our “go to” document that correlates the full array of Cisco Security Intelligence Operations (SIO) resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). Remember, this collateral is not unique to Cisco IOS Software Security Advisories but is part of Cisco SIO’s response to current security events.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
- Network Address Translation
- Resource Reservation Protocol
- Internet Key Exchange
- Zone-Based Firewall Session Initiation Protocol Inspection
- Smart Install
- Protocol Translation
- IP Service Level Agreement Read More »
Tags: Cisco, cisco ios, Cisco PSIRT, Cisco Security, cisco sio, IOS, vulnerability
It’s that time of year again, folks. On Wednesday of next week, the Cisco Product Security Incident Response Team (PSIRT) will release the first Cisco IOS Software Security Advisory Bundled Publication of 2013. As a reminder, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our security advisories, vulnerabilities scheduled for disclosure in the upcoming bundle will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.
Read More »
Tags: Cisco, IOS, ios bundle, psirt, security, vulnerability
My colleague, Dario Ciccarone from the Cisco Product Security Incident Response Team (PSIRT) will be presenting “Security Vulnerability Handling at Cisco” at (ISC)2’s New York Metro Chapter meeting on February 13th, 2013. This will be an evening of information security presentations, networking reception and filled with Chapter activity discussions during this event. This event also qualifies for 2 CPEs for certified information security professionals (CISSP). Read More »
Tags: Cisco PSIRT, Cisco Vulnerability Policy, security, vulnerability
Cisco has recently received questions about a vulnerability in some of our 7900 series IP office phones that is said to allow eavesdropping on nearby office conversations. This was discovered by IT security researchers at Columbia University, and we thank them for reporting it to us before presenting at various security conferences.
We are actively working on a permanent fix, and have released very detailed, step-by-step guides for customers on identifying and preventing the vulnerability from being used. We’re not aware of it being used against any of our customers – largely due the fact that it is very challenging to exploit.
Unlike other IT security issues that have received attention, this is not simply a matter of someone “hacking” into the software on one phone. As the Columbia research demonstrated, someone wishing to take advantage of the vulnerability faces several distinct challenges. They would need hardware and software skills specifically related to software at the core of IP phones, an IT network configured a very specific way, and physical access to the phone’s serial port to insert a tailor-made device pre-loaded with software.
That does not mean we take this vulnerability lightly. We first issued information to our customers at the end of last year and have recently released very detailed documents to help those responsible for protecting IP phone networks. You can see these documents here: Security Advisory and Applied Mitigation Document.
As well as offering customers the information needed to secure their phone network against this vulnerability, Cisco will issue a software update on January 21st that closes off access to the vulnerability.
UPDATE – this interim software update was released to customers ahead of schedule on January 17th.
We remain committed to making sure Cisco products maintain the highest levels of security. When we learn of vulnerabilities we will address them quickly and communicate transparently with our customers.
SVP and GM, Collaboration Technology
Tags: 7900 series, Cisco, Columbia University, eavesdropping, ip phone, vulnerability