It’s Back – It’s Cisco IOS Software Security Advisory Bundle Time Again

September 25, 2013 - 4 Comments

Today, we released the final Cisco IOS Software Security Advisory Bundled Publication of 2013. We committed to these predictable disclosures back in 2008 because your feedback was clear—they allow you to plan ahead and ensure resources are available to analyze, test, and remediate vulnerabilities in your environments. (For more information on the history of this evolution, take a look at my colleague John Stuppi’s post this past March.) If you haven’t had the opportunity to review my earlier posts on preparing for bundled disclosures or leveraging the Cisco IOS Software Checker tool, I’d encourage you to do so now. Hopefully, the guidance will help lessen the impact of evaluating the recently published Cisco Security Advisories.

Today’s edition of the Cisco IOS Software Security Advisory Bundled Publication includes eight advisories that affect the following technologies:

  • Network Address Translation
  • Resource Reservation Protocol
  • Internet Key Exchange
  • DHCP
  • IPv6 Virtual Fragmentation Reassembly
  • Network Time Protocol
  • T1/E1 Interface Module Signalization
  • Zone-Based Firewall

We’ve also released the following video that summarizes this disclosure:

Cisco IOS Security Bundle

Make sure you also take a look at the Cisco Event Response—our “go to” document that correlates the full array of Cisco Security Intelligence Operations (SIO) resources for this bundle (including links to the advisories, mitigations, Cisco IntelliShield Alerts, CVSS scores, and OVAL content). As the project manager who oversees the management and delivery of these bundled disclosures, I’m always impressed at the level of effort and collaboration involved. A dedicated team of incident managers, a variety of partner organizations, special tooling, months of preparation, thousands of communications—these all come together on the fourth Wednesday of March and September.

The next Cisco IOS Software Security Advisory Bundled Publication is scheduled for March 26, 2014. Why don’t you mark your calendars now? And don’t forget—for all things security, visit the SIO portal, the primary outlet for Cisco’s security intelligence and the public home to all of our security-related content.



  1. Hi Jason,

    Thank you for reaching out to us. OVAL definitions have been created for all of the advisories except the NTP and RSVP vulnerabilities, due to the technical nature of the vulnerabilities and the ability to capture the device state in an OVAL definition. Unfortunately, we had an unforeseen technical problem with our content management system and the OVAL definition links were not showing in the advisories.

    The OVAL definitions for this bundle can be downloaded from the ERP or the advisories at:

    Thanks again!

    Omar Santos

    • Thanks Omar, I noticed today. Thanks!

      I understood all IOS PSIRT notices will be issued to include OVAL files? Please correct if that assumption is wrong. That seems to be the case since ~2010 at least – prior to that they were in Mitre, and that's what was stated when Cisco sat on the OVAL standards board years ago.

      I also was hoping the OVALs would be batch released in ZIP like in March – as per:

      RE: NTP and RSVP technical issues.

      Comes as a bit of a surprise. There would be two options: adding ‘show running-config | include ^interface|ntp multicast’ as a new object, or checking object 1 (running config) for the line ‘ntp multicast command’.

      There are already about 20-odd bespoke command outputs, like ‘show ip inspect | Match:xxxx’, in the FULL OVAL database. I know this since I compiled all Mitre (up to ~2010) and all Cisco IOS OVALs since then. I therefore collect all those commands' output along with config, and much more easily check a few thousand IOS devices based on current config and OVAL requested command output. False positives go down from around 40% based on IOS version alone, to about 6% with the show output. Then half of that 6% are incomplete OVAL matches, or platform not affected where the OVAL schema has no platform field.

      I wanted to do this twice a year aligned to the batch notices in March/Oct, as particularly the banking and finance markets need this for compliance auditors. Having the zip files, OVAL in all cases, obviously turns it into a few hours' work twice a year.

      For RSVP, something similar where the config object is checked for both RSVP and MPLS running. Would not be perfect, but nor are some of the existing ones. But seeing as not many enterprises run MPLS and/or RSVP, this will still provide a ‘false’ for several hundred routers that would not need to be manually checked.

      But please let me know if the plan is that it will be hit and miss for the customer being provided OVALs. I should either stop my script development and go back to the manual process – or what makes better sense is to learn to write my own OVAL files for the ones without, which I am happy to share.
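
The two config-based checks proposed in the comment above (interfaces carrying an `ntp multicast` line, and RSVP configured together with MPLS), sketched as an added example that is not part of the original post, its comments, or Cisco's OVAL content. The `ip rsvp` and `mpls` line patterns and the sample configurations are assumptions made for illustration; the actual vulnerable-configuration criteria come from the advisories themselves.

```python
import re

IFACE = re.compile(r"^interface (\S+)")
RSVP = re.compile(r"^\s*ip rsvp\b")  # assumption: marks RSVP as configured
MPLS = re.compile(r"^\s*mpls\b")     # assumption: marks MPLS as configured

# Constructed running-config excerpts, not taken from any real device.
SAMPLES = {
    "rtr-a": "interface GigabitEthernet0/0\n ip address 192.0.2.1 255.255.255.0\n"
             " ntp multicast\n!\ninterface GigabitEthernet0/1\n shutdown\n!\n",
    "rtr-b": "mpls ip\n!\ninterface Serial0/0\n ip rsvp bandwidth 1000\n mpls ip\n!\n",
    "rtr-c": "ntp server 192.0.2.10\n!\ninterface Serial0/0\n"
             " ip rsvp bandwidth 1000\n no mpls ip\n!\n",
}

def interface_blocks(config):
    """Map each interface name to the indented lines under its stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = IFACE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return blocks

def triage(config):
    """Return which of the two config-based checks flag this device."""
    lines = config.splitlines()
    ntp_ifaces = sorted(name for name, body in interface_blocks(config).items()
                        if any("ntp multicast" in l for l in body))
    # 'no mpls ip' does not match MPLS because the pattern is anchored.
    both = any(RSVP.match(l) for l in lines) and any(MPLS.match(l) for l in lines)
    return {"ntp_multicast_interfaces": ntp_ifaces,
            "rsvp_and_mpls": both,
            "manual_review": bool(ntp_ifaces) or both}

def fleet_report(configs):
    """Names of devices that still need a manual look, sorted."""
    return sorted(n for n, c in configs.items() if triage(c)["manual_review"])

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, triage(SAMPLES[name]))
```

Devices for which `manual_review` is false are the ones the config check clears, which is the reduction in manual work the comment describes.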



  2. Great stuff, but what about the promise that IOS OVAL definitions will continue?

    I see with these notices the OVAL links are broken. Not sure if intentional, error, or yet soon to be released??

    For major service and security providers – investing in in-house tools for automation, OVAL has been a workable standard. I wonder if there is going to be any formal announcements if this has been silently dropped…

  3. Again most useful, as was the post on the LexisNexis breach