Cisco Introduces New Vulnerability Disclosure Format

Cisco has announced a new and more streamlined format for disclosing security vulnerabilities in an effort to make it easier for network administrators to prioritize their response.

Up until now, critical and high severity vulnerabilities were detailed in Cisco Security Advisories, while medium and low severity issues were documented in Cisco Security Alerts. The networking giant wants to make it easier for customers to access information on vulnerabilities in its products so it has decided to merge all security advisories and alerts, regardless of their severity, into Cisco Security Advisories.

Based on feedback from customers, Cisco has made the security advisory listing page easier to navigate and it has simplified the process of searching for specific advisories. The advisories themselves have also been made easier to read, and updates to existing advisories are now more apparent.

In addition to classifying vulnerabilities by their CVSS score, Cisco has introduced a Security Impact Rating (SIR) that labels each flaw critical, high, medium or low, with the rating derived from the CVSS score. The SIR is displayed prominently in each advisory.

“Our goal in introducing this new security vulnerability disclosure document format is to better inform customers about security vulnerabilities in a consistent and transparent way,” said Omar Santos, principal engineer at Cisco’s product security incident response team (PSIRT).

Advisories have also been made available in the Common Vulnerability Reporting Framework (CVRF) format, a security automation standard that provides a common language for exchanging vulnerability advisories. New RSS feeds have been added for the CVRF format and for Open Vulnerability and Assessment Language (OVAL) content related to security holes in IOS software.
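As an added illustration of how a customer might consume the new machine-readable output for prioritization, the following Python script parses a CVRF-style advisory, pulls out each vulnerability's CVE and CVSS base score, and assigns a severity band in the style of the SIR described above. This is example code written for this page, not Cisco's own tooling or the article's. It assumes the CVRF 1.1 namespaces and element layout shown, uses the standard CVSS qualitative bands (critical 9.0 and above, high 7.0 to 8.9, medium 4.0 to 6.9, low below 4.0) as a stand-in for Cisco's exact SIR mapping, and the embedded XML document, advisory ID and CVE identifiers are constructed placeholders rather than a real advisory.

```python
"""Parse a CVRF-style advisory and rank its vulnerabilities for triage.

Example code added for illustration; not Cisco's tooling. Namespaces,
element layout, severity thresholds and the sample document are assumptions.
"""
import xml.etree.ElementTree as ET

# Assumed CVRF 1.1 namespaces (document-level elements use the cvrf namespace,
# per-vulnerability elements use the vuln namespace).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample advisory; IDs, CVEs and scores are placeholders.
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Example Advisory (constructed)</DocumentTitle>
  <DocumentTracking>
    <Identification><ID>example-sa-PLACEHOLDER</ID></Identification>
  </DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Local privilege escalation (constructed)</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>7.2</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Authenticated denial of service (constructed)</vuln:Title>
    <vuln:CVE>CVE-0000-0002</vuln:CVE>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>4.3</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:Title>Entry with no score yet (constructed)</vuln:Title>
    <vuln:CVE>CVE-0000-0003</vuln:CVE>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def sir_band(score):
    """Map a CVSS base score to a severity band (assumed SIR-style mapping).

    Uses the standard CVSS qualitative thresholds; a score of 0.0 has no band.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must be between 0.0 and 10.0")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_cvrf(xml_text):
    """Extract advisory ID, title and per-vulnerability CVE/score/band.

    The stdlib parser is used because it does not fetch external DTDs; a
    missing BaseScore yields base_score None so the entry is not silently
    dropped from the triage list.
    """
    root = ET.fromstring(xml_text)
    advisory = {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", None, NS),
        "title": root.findtext("cvrf:DocumentTitle", None, NS),
        "vulns": [],
    }
    for v in root.findall("vuln:Vulnerability", NS):
        raw = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", None, NS)
        score = float(raw) if raw is not None else None
        advisory["vulns"].append({
            "cve": v.findtext("vuln:CVE", None, NS),
            "title": v.findtext("vuln:Title", None, NS),
            "base_score": score,
            "sir": sir_band(score) if score is not None else "Unscored",
        })
    return advisory


def triage_order(advisory):
    """Return vulnerabilities highest score first; unscored entries go last."""
    return sorted(
        advisory["vulns"],
        key=lambda e: -1.0 if e["base_score"] is None else e["base_score"],
        reverse=True,
    )


if __name__ == "__main__":
    adv = parse_cvrf(SAMPLE_CVRF)
    print(adv["id"], "-", adv["title"])
    for entry in triage_order(adv):
        print(f'  {entry["sir"]:<9} {entry["cve"]}  {entry["title"]}')
```

Unscored entries are kept and sorted last rather than discarded, so a newly published advisory whose score has not yet been filled in still shows up in the queue instead of vanishing from the report.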

John Stewart, who leads Cisco's Security and Trust Organization, revealed in a blog post on Monday that the company also plans on rolling out an API to help customers automate vulnerability assessment and empower them to customize security flaw notifications.

Cisco advises customers to check out the company’s Security Vulnerability Policy for additional details on receiving threat, vulnerability and mitigation information, and to find out more about its vulnerability management process.

On Monday, Cisco also published a couple of advisories detailing newly disclosed vulnerabilities affecting the Aironet 1850 Series Access Point device and the RADIUS client feature in IOS software.

According to the company, Aironet 1850 devices are plagued by a vulnerability that allows a local, authenticated attacker to elevate privileges (CVE-2015-6315). The RADIUS client is affected by a denial-of-service (DoS) vulnerability that can be exploited by a remote, authenticated attacker to cause devices to reload (CVE-2015-6263). Cisco has released software updates to address both flaws.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.