Products & Services
Support

Product Categories


Popular Downloads


Manage Software

How to Buy

For Home

Linksys Products Store
Linksys is now part of Belkin
Products for everyone

All Ordering Options

Training & Events Partners
Guest

Cisco Security Response

Infected Cisco Information Packet and Warranty CDs

Document ID: 549

http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20110803-cd

Revision 1.1

Last Updated on 2011  August  22 19 : 30  UTC (GMT)

For Public Release 2011  August  3 16 : 00  UTC (GMT)


Contents

Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures

Cisco Response

In the period of December 2010 until August 2011, Cisco shipped warranty CDs that contain a reference to a third-party website known to be a malware repository. When the CD is opened with a web browser, it automatically and without warning accesses this third-party website. Additionally, on computers where the operating system is configured to automatically open inserted media, the computer's default web browser will access the third-party site when the CD is inserted, without requiring any further action by the user.

To the best of our knowledge, starting from December 2010 until the time of this document's publication on August 3, 2011, customers were never in a position to have their computer compromised by using the CDs provided by Cisco. Additionally, the third-party site in question is currently inactive as a malware repository, so customers are not in immediate danger of having their computers compromised. However, if this third-party web site would become active as a malware repository again, there is a potential that users could infect their operating system by opening the CD with their web browser.

All warranty CDs printed with "Revision -F0" (or later) do not contain references to the third-party website and do not introduce a potential to compromise customers' computers.

This issue was reported to Cisco by William Haisch. Cisco appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.

Additional Information

In addition to the content described in the following table, all CDs contain Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice. The following Cisco CDs are affected:

CD Part Number

Title

80-8937-01D0 80-8937-01E0

Cisco 1-Year Limited Hardware Warranty Terms

80-8938-01D0 80-8938-01E0

Cisco Limited 5-Year Hardware and 1-Year Software Warranty Terms

80-8939-01D0 80-8939-01E0

Cisco 90-Day Limited Hardware Warranty Terms

80-8940-01D0 80-8940-01E0

Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice

80-8941-01D0 80-8941-01E0

Cisco Limited Lifetime Hardware Warranty Terms

80-8943-01D0 80-8943-01E0

End User License Agreement

Note: CDs shipped prior to August 2011 do not contain revision information (such as "-D0" and "-E0" as listed in the preceding table of affected part numbers).

Although there are no distinguishable markings on the CDs, all warranty CDs shipped in the period of December 2010 through August 2011 do contain a reference to the third-party site. Warranty CDs shipped in August 2011 will have their revision designator printed on them in the form "Revision -X0", where X is a letter denoting the CD revision. Warranty CDs with the revision "-F0" or later do not contain a reference to the third-party website.

All information present on the CDs is available on the Cisco worldwide website. Customers are encouraged to use these links for the most up-to-date information. The following table indicates where the latest content of each CD is located on the Cisco worldwide website.

Cisco 1-Year Limited Hardware Warranty Terms (80-8937-01D0, 80-8937-01E0)

Cisco Information Packet

http://www.cisco.com/en/US/docs/general/warranty/English/SL3DEN__.html

Cisco 1-Year Limited Hardware Warranty Terms

http://www.cisco.com/en/US/docs/general/warranty/English/1Y1DEN__.html (English)

http://www.cisco.com/web/CA/products/warranty/1y1den_fr.html (French)

Cisco Limited 5-Year Hardware and 1-Year Software Warranty Terms (80-8938-01D0, 80-8938-01E0)

Cisco Information Packet

http://www.cisco.com/en/US/docs/general/warranty/English/SL3DEN__.html

Cisco Limited 5-Year Hardware and 1-Year Software Warranty Terms

http://www.cisco.com/en/US/docs/general/warranty/English/511DEN__.html (English)

http://www.cisco.com/web/CA/products/warranty/511den_fr.html (French)

Cisco 90-Day Limited Hardware Warranty Terms (80-8939-01D0, 80-8939-01E0)

Cisco Information Packet

http://www.cisco.com/en/US/docs/general/warranty/English/SL3DEN__.html

Cisco 90-Day Limited Hardware Warranty Terms

http://www.cisco.com/en/US/docs/general/warranty/English/901DEN__.html (English)

http://www.cisco.com/web/CA/products/warranty/901DEN__78-19458-01_fr.html (French)

Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice (80-8940-01D0, 80-8940-01E0)

Cisco Information Packet

http://www.cisco.com/en/US/docs/general/warranty/English/SL3DEN__.html (English)

http://www.cisco.com/web/CA/products/warranty/sl3den_fr.html (French)

Cisco Limited Lifetime Hardware Warranty Terms (80-8941-01D0, 80-8941-01E0)

Cisco Information Packet

http://www.cisco.com/en/US/docs/general/warranty/English/SL3DEN__.html

Cisco Limited Lifetime Hardware Warranty Terms

http://www.cisco.com/en/US/docs/general/warranty/English/LH2DEN__.html (English)

http://www.cisco.com/web/CA/products/warranty/lh2den_fr.html (French)

End User License Agreement (80-8943-01D0, 80-8943-01E0)

Cisco Limited Lifetime Hardware Warranty Terms

http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html (English)

http://www.cisco.com/web/CA/products/warranty/eula_78-3621-01Q0_fr.html (French)

In addition to obtaining information from the Cisco website, customers can also download ISO images of a CD from the Cisco website. Customers can create a CD from its ISO image file using build-in operating system capabilities or CD creation applications.

The following table provides direct URLs to compressed ISO images of all affected CDs. These ISO images will be available for download until December 2011. After that time these images will be withdrawn and customers can obtain the information from the Cisco website as per the preceding table.

CD Part Number

Title

MD5 Hash

80-8937-01F0

Cisco 1-Year Limited Hardware Warranty Terms

http://www.cisco.com/web/about/security/psirt/CSCO_1YR_LICWR-F0.zip

a5700620c53228976eda052760423952

80-8938-01F0

Cisco Limited 5-Year Hardware and 1-Year Software Warranty Terms

http://www.cisco.com/web/about/security/psirt/CSCO_5_1YR_LICWR-F0.zip

30ffaa2424a21b981e94ed7247f9d9de

80-8939-01F0

Cisco 90-Day Limited Hardware Warranty Terms

http://www.cisco.com/web/about/security/psirt/CSCO_90DY_LICWR-F0.zip

9f1eb13e8abb4a55a1d72b6dc1896ad1

80-8940-01F0

Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice

http://www.cisco.com/web/about/security/psirt/CSO_CIP_LICWAR-F0.zip

2f750286c4bf8ea5d33970f266485b4f

80-8941-01F0

Cisco Limited Lifetime Hardware Warranty Terms

http://www.cisco.com/web/about/security/psirt/CSO_LTD_LICWAR-F0.zip

c4c462f93b9afe8be09bf654450e3015

80-8943-01F0

End User License Agreement

http://www.cisco.com/web/about/security/psirt/CSO_EULA_LICWAR-F0.zip

57ededc8d4e8caa60e57bebdb5d19d8e

Status of this Notice: Final

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.


Revision History

Revision 1.1

2011-08-22

Added recognition of external researcher.

Revision 1.0

2011-08-03

Initial public release.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.


Download this document (PDF)
View Printable Version