Document ID: 549
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20110803-cd
Revision 1.1
Last Updated on 2011 August 22 19:30 UTC (GMT)
For Public Release 2011 August 3 16:00 UTC (GMT)
Contents
Response
Additional Information
Status of this Notice: Final
Revision History
Cisco Security Procedures
Cisco Response
In the period of December 2010 until August 2011, Cisco shipped warranty CDs that contain a reference to a third-party website known to be a malware repository. When the CD is opened with a web browser, it automatically and without warning accesses this third-party website. Additionally, on computers where the operating system is configured to automatically open inserted media, the computer's default web browser will access the third-party site when the CD is inserted, without requiring any further action by the user.
To the best of our knowledge, starting from December 2010 until the time of this document's publication on August 3, 2011, customers were never in a position to have their computer compromised by using the CDs provided by Cisco. Additionally, the third-party site in question is currently inactive as a malware repository, so customers are not in immediate danger of having their computers compromised. However, if this third-party website were to become active as a malware repository again, users could potentially infect their operating system by opening the CD with their web browser.
All warranty CDs printed with "Revision -F0" (or later) do not contain references to the third-party website and do not introduce a potential to compromise customers' computers.
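A check a defender could run against a mounted warranty CD or an extracted ISO for the behaviour described above, as an added example that is not Cisco's code: it lists the hosts that the disc's HTML files load without a click. The allowlist, the sample page and the `third-party.example` host are constructed assumptions; this document does not name the third-party site.

```python
# Added example: report off-disc hosts that HTML files on mounted media load
# automatically. Allowlist and sample page are constructed assumptions.
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute the browser fetches on page load, with no click.
AUTOLOAD = {"script": "src", "iframe": "src", "frame": "src", "img": "src",
            "embed": "src", "object": "data", "link": "href"}
ALLOWED_SUFFIXES = ("cisco.com",)  # assumption: hosts the disc may reference


class AutoloadFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attr = AUTOLOAD.get(tag)
        for name, value in attrs:
            if attr and name == attr and value:
                host = urlparse(value.strip()).hostname
                if host:  # relative paths stay on the disc: no hostname
                    self.hosts.add(host.lower())


def external_hosts(html_text, allowed=ALLOWED_SUFFIXES):
    """Return sorted auto-loaded hosts that are outside the allowlist."""
    finder = AutoloadFinder()
    finder.feed(html_text)
    return sorted(h for h in finder.hosts
                  if not any(h == s or h.endswith("." + s) for s in allowed))


def scan_media(root, allowed=ALLOWED_SUFFIXES):
    """Walk a mounted disc and map each HTML file to its external hosts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hosts = external_hosts(fh.read(), allowed)
                if hosts:
                    findings[os.path.relpath(path, root)] = hosts
    return findings


# Constructed sample page; the link in <a> needs a click and is not reported.
SAMPLE = ('<img src="images/logo.gif"><a href="http://www.cisco.com/">w</a>'
          '<iframe src="http://third-party.example/index.html"></iframe>'
          '<script src="//cdn.third-party.example/a.js"></script>')
```

Calling `scan_media()` on the mount point of a disc returns an empty dictionary when no HTML file on it pulls content from a host outside the allowlist.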
This issue was reported to Cisco by William Haisch. Cisco appreciates the opportunity to work with researchers on security vulnerabilities and welcomes the opportunity to review and assist in product reports.
Additional Information
In addition to the content described in the following table, all CDs contain Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice. The following Cisco CDs are affected:
| CD Part Number | Title |
| --- | --- |
| 80-8937-01D0, 80-8937-01E0 | Cisco 1-Year Limited Hardware Warranty Terms |
| 80-8938-01D0, 80-8938-01E0 | Cisco Limited 5-Year Hardware and 1-Year Software Warranty Terms |
| 80-8939-01D0, 80-8939-01E0 | Cisco 90-Day Limited Hardware Warranty Terms |
| 80-8940-01D0, 80-8940-01E0 | Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice |
| 80-8941-01D0, 80-8941-01E0 | Cisco Limited Lifetime Hardware Warranty Terms |
| 80-8943-01D0, 80-8943-01E0 | End User License Agreement |
Note: CDs shipped prior to August 2011 do not contain revision information (such as "-D0" and "-E0" as listed in the preceding table of affected part numbers).
Although there are no distinguishable markings on the CDs, all warranty CDs shipped in the period of December 2010 through August 2011 do contain a reference to the third-party site. Warranty CDs shipped in August 2011 will have their revision designator printed on them in the form "Revision -X0", where X is a letter denoting the CD revision. Warranty CDs with the revision "-F0" or later do not contain a reference to the third-party website.
All information present on the CDs is available on the Cisco worldwide website. Customers are encouraged to use these links for the most up-to-date information. The following table indicates where the latest content of each CD is located on the Cisco worldwide website.
In addition to obtaining information from the Cisco website, customers can also download ISO images of a CD from the Cisco website. Customers can create a CD from its ISO image file using built-in operating system capabilities or CD creation applications.
The following table provides direct URLs to compressed ISO images of all affected CDs. These ISO images will be available for download until December 2011. After that time these images will be withdrawn and customers can obtain the information from the Cisco website as per the preceding table.
| CD Part Number | Title | MD5 Hash |
| --- | --- | --- |
| 80-8937-01F0 | Cisco 1-Year Limited Hardware Warranty Terms http://www.cisco.com/web/about/security/psirt/CSCO_1YR_LICWR-F0.zip | a5700620c53228976eda052760423952 |
| 80-8938-01F0 | Cisco Limited 5-Year Hardware and 1-Year Software Warranty Terms http://www.cisco.com/web/about/security/psirt/CSCO_5_1YR_LICWR-F0.zip | 30ffaa2424a21b981e94ed7247f9d9de |
| 80-8939-01F0 | Cisco 90-Day Limited Hardware Warranty Terms http://www.cisco.com/web/about/security/psirt/CSCO_90DY_LICWR-F0.zip | 9f1eb13e8abb4a55a1d72b6dc1896ad1 |
| 80-8940-01F0 | Cisco Information Packet - Cisco Limited Warranty, Disclaimer of Warranty, End User License Agreement, and US FCC Notice http://www.cisco.com/web/about/security/psirt/CSO_CIP_LICWAR-F0.zip | 2f750286c4bf8ea5d33970f266485b4f |
| 80-8941-01F0 | Cisco Limited Lifetime Hardware Warranty Terms http://www.cisco.com/web/about/security/psirt/CSO_LTD_LICWAR-F0.zip | c4c462f93b9afe8be09bf654450e3015 |
| 80-8943-01F0 | End User License Agreement http://www.cisco.com/web/about/security/psirt/CSO_EULA_LICWAR-F0.zip | 57ededc8d4e8caa60e57bebdb5d19d8e |
Status of this Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
Revision History
| Revision 1.1 | 2011-08-22 | Added recognition of external researcher. |
| Revision 1.0 | 2011-08-03 | Initial public release. |
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.