Following a recent Juniper security bulletin discussing unauthorized code, we have fielded a number of related questions from our customers. Being trustworthy, transparent, and accountable is core to our team, so we are responding to these questions publicly.
First, we have a “no backdoor” policy and our principles are published at trust.cisco.com
Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:
- Undisclosed device access methods or “backdoors”.
- Hardcoded or undocumented account credentials.
- Covert communication channels.
- Undocumented traffic diversion.
Second, we have no indication of unauthorized code in our products.
We have seen none of the indicators discussed in Juniper’s disclosure. Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance.
Third, we have initiated an additional review of our products for similar malicious modification.
Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. We are tracking the case as PSIRT-0551621891, and will release any findings in accordance with our Security Vulnerability Policy.
Fourth, we initiated this additional review of our own accord.
Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do.
Finally, we will investigate all credible reports and disclose findings with customer implications.
We ask all our customers and others to report any suspected vulnerabilities to the Cisco PSIRT for immediate investigation. Consistent with our long-standing process, we will manage and disclose results under the terms of our Security Vulnerability Policy.