Document ID: 37486
Last Updated on 2013 December 30 23:25 UTC (GMT)
For Public Release 2013 December 29 19:17 UTC (GMT)
Status of this Notice: Final
Cisco Security Procedures
Cisco ResponseOn December 29, 2013, the German news publication Der Spiegel published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article:
The article discusses Cisco products, but does not discuss or disclose any specific vulnerabilities (old or new). Cisco is seeking additional information and will pass along what we learn.
Cisco's Chief Security Officer John Stewart addressed the article in a blog post: Comment on Der Spiegel articles about NSA TAO Organization
On December 30, 2013, the German news publication Der Spiegel published additional information regarding the alleged creation of implants for some of the Cisco PIX and Cisco ASA platforms. The Cisco Product Security Incident Response Team (PSIRT) has opened an incident to investigate the situation. The incident ID is PSIRT-1384943056. We will communicate our findings through our standard security disclosure process.
Additional InformationCisco has requested, but has not yet received, the leaked documents referenced in the Der Spiegel article.
Cisco will investigate all reports of security vulnerabilities in our products in accordance with our Security Vulnerability Policy.
As is stated in the Product Security and Integrity section of our Security Vulnerability Policy, Cisco development policies prohibit any product behaviors that weaken the security posture of a Cisco device.
Cisco recommends that all customers sign up to receive notifications regarding Cisco product vulnerabilities and implement a proactive software upgrade or patching strategy. While awareness of software vulnerabilities is a key component in securing network infrastructure, the best plan to secure networking devices requires a multi-faceted approach that includes active and robust network monitoring, configuration hardening, and protection of device credentials.
Cisco has numerous resources available that provide network design and operational guidance to help customers in building secure networks. Some examples are linked below, but many others are available on the Cisco website for a wide range of Cisco products.
- Cisco Guide to Harden Cisco IOS Devices
- Cisco Guide to Harden Cisco IOS XR Devices
- Cisco Guide to Securing Cisco NX-OS Software Devices
- Service Provider Security Best Practices
- Design Zone for Security
Status of this Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
|Revision 1.2||2013-December-30||Updated the Cisco Response section to clarify that the article does not discuss or disclose any specific vulnerabilities.|
|Revision 1.1||2013-December-30||Updated the response as more specific details about the allegedly affected Cisco platforms was disclosed.|
|Revision 1.0||2013-December-29||Initial public release.|