Today, Cisco is celebrating a milestone in its commitment to helping you act on security intelligence—our 10th bundle of Cisco IOS Software Security Advisories. We’re proud of our commitment to these predictable disclosures (on the fourth Wednesday of March and September annually) because they originated as a direct response to your feedback. Bundled publications allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. In an upcoming post, my colleague John Stuppi will share how the Cisco Product Security Incident Response Team (PSIRT) drove the evolution from a traditional disclosure model to the current semiannual bundled publication. John’s post will also provide another vehicle to share feedback with PSIRT, the organization that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks.
Make sure you take a look at the Cisco Event Response—our “go to” document that correlates the full array of Cisco Security Intelligence Operations (SIO) resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). Remember, this collateral is not unique to Cisco IOS Software Security Advisories but is part of Cisco SIO’s response to current security events.
Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes seven advisories that affect the following technologies:
- Network Address Translation
- Resource Reservation Protocol
- Internet Key Exchange
- Zone-Based Firewall Session Initiation Protocol Inspection
- Smart Install
- Protocol Translation
- IP Service Level Agreement Read More »
Tags: Cisco, cisco ios, Cisco PSIRT, Cisco Security, cisco sio, IOS, vulnerability
It’s that time of year again, folks. On Wednesday of next week, the Cisco Product Security Incident Response Team (PSIRT) will release the first Cisco IOS Software Security Advisory Bundled Publication of 2013. As a reminder, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our security advisories, vulnerabilities scheduled for disclosure in the upcoming bundle will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.
Read More »
Tags: Cisco, IOS, ios bundle, psirt, security, vulnerability
My colleague, Dario Ciccarone from the Cisco Product Security Incident Response Team (PSIRT) will be presenting “Security Vulnerability Handling at Cisco” at (ISC)2’s New York Metro Chapter meeting on February 13th, 2013. This will be an evening of information security presentations, networking reception and filled with Chapter activity discussions during this event. This event also qualifies for 2 CPEs for certified information security professionals (CISSP). Read More »
Tags: Cisco PSIRT, Cisco Vulnerability Policy, security, vulnerability
Cisco has recently received questions about a vulnerability in some of our 7900 series IP office phones that is said to allow eavesdropping on nearby office conversations. This was discovered by IT security researchers at Columbia University, and we thank them for reporting it to us before presenting at various security conferences.
We are actively working on a permanent fix, and have released very detailed, step-by-step guides for customers on identifying and preventing the vulnerability from being used. We’re not aware of it being used against any of our customers – largely due the fact that it is very challenging to exploit.
Unlike other IT security issues that have received attention, this is not simply a matter of someone “hacking” into the software on one phone. As the Columbia research demonstrated, someone wishing to take advantage of the vulnerability faces several distinct challenges. They would need hardware and software skills specifically related to software at the core of IP phones, an IT network configured a very specific way, and physical access to the phone’s serial port to insert a tailor-made device pre-loaded with software.
That does not mean we take this vulnerability lightly. We first issued information to our customers at the end of last year and have recently released very detailed documents to help those responsible for protecting IP phone networks. You can see these documents here: Security Advisory and Applied Mitigation Document.
As well as offering customers the information needed to secure their phone network against this vulnerability, Cisco will issue a software update on January 21st that closes off access to the vulnerability.
UPDATE – this interim software update was released to customers ahead of schedule on January 17th.
We remain committed to making sure Cisco products maintain the highest levels of security. When we learn of vulnerabilities we will address them quickly and communicate transparently with our customers.
SVP and GM, Collaboration Technology
Tags: 7900 series, Cisco, Columbia University, eavesdropping, ip phone, vulnerability
Is the product safe to use? I have been asked this question on occasion in a non-technical sense and maybe you have too. In a technical context, I could frame the question as “Are the online services and underlying technologies supporting my services safe?” A continuous effort must go into substantiating the preferable answer (“Yes”) that we are looking for, both prior to and after releasing a product or service into the wild. Security Intelligence Operations (SIO) includes a team of network security experts that form the Security Technology Assessment Team (STAT). They provide security assessment expertise across Cisco’s product and services organizations. In this article, I elaborate on their role and how they complement product and services organizations at Cisco in helping to protect you, our customer.
In the not-so-distant past it used to be that the majority of notoriety around product security was focused more around physical aspects. For example, a manufacturer announces a product recall about a defect (i.e. vulnerability) that could cause potential physical harm or worse. Fast-forward to today where computing devices and associated Internet plumbing comprise an entirely distinct category of product security needed. Within that category, I would also suggest that services and the underlying supporting infrastructure would also fall into this category in the ongoing quest for achieving network security. I think that this quote from a U.S. government hearing underscores the value of that quest as well.
“When we bring in new technologies, we bring in new exposures and new vulnerabilities, things we really haven’t thought about. It takes a little while before we understand it, and after a while we begin to secure it. But our mindset needs to change. This is not the same as industrial technologies or new ways of doing aircraft or cars. These technologies are global and they expose us globally, literally within milliseconds.”
House of Representatives Hearing on Cybersecurity: Emerging Threats, vulnerabilities, and challenges in securing federal information systems
Business units and quality assurance groups at Cisco apply multi-level security processes throughout the development of products and services to ensure that security is embedded into everything that is ultimately delivered to customers. For example, Cisco’s secure development life cycle (SDL) provides a highly effective process in detecting and preventing security vulnerabilities and improving overall system quality. Cisco SDL has several elements that include, but not limited to, source code analysis and white box testing that feed into the security posture of a product or service. Cisco has a security advocates program, a virtual community of people who understand network security and secure product development (and testing) and who can share and evangelize that knowledge with their peers, their colleagues, and their management.
Read More »
Tags: Cisco Security, Cisco Security Intelligence Operations, cisco sio, cybersecurity, secure software, security to of mind, vulnerability