Document ID: 37486
Last Updated on 2014 March 13 18:56 UTC (GMT)
For Public Release 2013 December 29 19:17 UTC (GMT)
Status of this Notice: Final
Cisco Security Procedures
Cisco ResponseOn December 29, 2013, the German news publication Der Spiegel published an article referencing leaked documents from the U.S. National Security Agency (NSA) that mentioned "software implants" for networking devices. Cisco is one of a number of technology companies mentioned in the article:
On December 30, 2013, the Cisco Product Security Incident Response Team (PSIRT) opened an incident to investigate the alleged creation of implants for some Cisco PIX and Cisco ASA platforms.
Cisco formally requested additional information about these allegations from both the United States Government and the German news publication Der Spiegel. No further details were provided.
The Cisco PSIRT led a comprehensive evaluation of the Cisco ASA platform, working closely with the company’s engineering, support, and supply chain organizations around the world. The Cisco ASA platform was the primary focus, as the Cisco PIX platform has reached End of Support.
The investigation (PSIRT-1384943056) reviewed Cisco’s development and supply chain procedures, historical customer support data for ASA and PIX platforms, and operational data from devices installed in various production networks in different parts of the world.
Advice from internal and external industry experts was used to create and implement different test scenarios focusing on the Cisco ASA platform’s BIOS, operating system, and applications. Cisco professionals from around the world conducted tests of every existing model of the Cisco ASA family.
No evidence of any procedural irregularities or tampering of the BIOS, operating system, or applications was revealed. As a result, Cisco PSIRT has now closed this investigation.
Cisco is continuing to develop capabilities to allow customers to perform integrity checking of Cisco ASA platforms. Once complete, these capabilities will be integrated into Cisco ASA software as part of the normal Cisco product release process.
As part of Cisco’s ongoing commitment to customers, all products are subjected to regular penetration testing and security evaluations. Findings through testing, inspection will be communicated in accordance with our security vulnerability policy. These vulnerabilities may be discovered as part of internal testing, or reported to Cisco by customers and other external parties.
As always, Cisco recommends security and industry best practices including:
- Ongoing patch management to address defects and software vulnerabilities.
- Protection of administrative credentials and physical access for network devices.
- Conduct pervasive network monitoring and analysis of network telemetry.
Additional customer information on security best practices can be found at: http://tools.cisco.com/security/center/intelliPapers.x?i=55
Additional information is also available on Cisco's secure development lifecycle and industry-leading supply chain operations.
Customers who observe any suspicious or malicious activity through network management practices are encouraged to engage their normal support programs and escalate to Cisco PSIRT. Instructions for engaging Cisco PSIRT can be found in our public security vulnerability policy.
Status of this Notice: Final
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.
|Revision 2.0||2014-March-13||Cisco PSIRT investigation closure.|
|Revision 1.2||2013-December-30||Updated the Cisco Response section to clarify that the article does not discuss or disclose any specific vulnerabilities.|
|Revision 1.1||2013-December-30||Updated the response as more specific details about the allegedly affected Cisco platforms was disclosed.|
|Revision 1.0||2013-December-29||Initial public release.|