It’s that time of year again, folks. On Wednesday of next week, the Cisco Product Security Incident Response Team (PSIRT) will release the first Cisco IOS Software Security Advisory Bundled Publication of 2013. As a reminder, Cisco releases bundles of Cisco IOS Software Security Advisories on the fourth Wednesday of March and September each calendar year. As is the case with the vast majority of our security advisories, vulnerabilities scheduled for disclosure in the upcoming bundle will normally have a Common Vulnerability Scoring System (CVSS) Base Score from 7.0 to 10.0.

The exceptions to this general guideline—those Cisco Security Advisories that address vulnerabilities below 7.0—are rare and demonstrate how Cisco may look to raise visibility of certain critical issues that affect customers; for example, cisco-sa-20100827-bgp covered a Border Gateway Protocol (BGP) vulnerability with a CVSS Base Score of 5.0. It is also possible, but unlikely, that our PSIRT will release Cisco IOS Software Security Advisories outside the bundle schedule when they’ve determined that elevated customer risk is present.

Vulnerabilities in Cisco IOS Software and other Cisco products that score lower than 7.0 are not subject to the bundle schedule and will be disclosed through additional disclosure document types throughout the year. Please refer to the Cisco Security Vulnerability Policy for additional information.

Last year, my colleague Tim Sammut spoke about the variety of tools that allow interested parties to stay up-to-date with our advisories as they’re released. As March 27, 2013 approaches, I’d like to share some tips to help prepare for the upcoming release. Sometimes the simplest tasks are often the most overlooked and troublesome:

  • Do you remember your Cisco.com username and password so you’re able to access software updates?
  • Have you tracked down the username and password for your Cisco IOS routers and switches so you can apply those updates?
  • If you outsource your network operations, are your partners aware of and prepared for the security advisory release?
  • Do you keep a simple list of Cisco IOS Software technologies and features such as IP Voice or Network Address Translation (NAT) that your organization leverages so you can quickly identify whether you may be affected by a particular advisory?
  • Are you familiar with using the Cisco IOS Software Checker to search for Cisco Security Advisories that impact specific Cisco IOS Software releases?
  • Have you assembled a text file of all the Cisco IOS Software releases in your network so you can simply upload it to the Cisco IOS Software checker?
  • Did you familiarize yourself with OVAL and CVRF when we first made this content available last year?

Are there other steps you take to prepare for our Cisco IOS Software Security Advisories? As the project manager responsible for the management and delivery of these bundled disclosures, I’m interested in hearing your thoughts and feedback. Post your thoughts in the comments!


Erin Float

Project Manager

Security Research and Operations Group