Cisco (Nasdaq: CSCO) is reviewing its internal code for possible “back door” vulnerabilities following Juniper’s disclosure that spying code had been uncovered in its firewall products.

Anthony Grieco, senior director of Cisco’s Security and Trust Organization, made the disclosure in a blog post on Monday afternoon.

So far, no vulnerabilities have been found.

Juniper made the disclosure last Thursday, saying an internal audit had found unauthorized code that permitted “secret remote access” in ScreenOS software that is used in firewalls, ComputerWorld noted.

As Network World reported:

“Juniper’s problem is within its Screen OS operating system, which is confined to some Juniper products, but Cisco has been mentioned in speculation about how ScreenOS was corrupted.”

There’s an Edward Snowden link to all this.

“Documents stolen by Edward Snowden said the NSA had backdoored Juniper gear, as well as Cisco gear,” Network World pointed out.

“Speculation that the unauthorized code Juniper was patching was placed there by the NSA led some to wonder whether the documents’ assertions about Cisco were true.”

The code review was initiated by Cisco and not the result of contact by law enforcement, Grieco wrote.


Security blog at Cisco

Here’s what Grieco wrote:

“Following a recent Juniper security bulletin discussing unauthorized code, we have fielded a number of related questions from our customers. Being trustworthy, transparent, and accountable is core to our team, so we are responding to these questions publicly.

First, we have a “no backdoor” policy and our principles are published at trust.cisco.com.

Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:

  • Undisclosed device access methods or “backdoors”.
  • Hardcoded or undocumented account credentials.
  • Covert communication channels.
  • Undocumented traffic diversion.

Second, we have no indication of unauthorized code in our products.

We have seen none of the indicators discussed in Juniper’s disclosure. Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance.

Third, we have initiated an additional review of our products for similar malicious modification.

Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. We are tracking the case as PSIRT-0551621891, and will release any findings in accordance with our Security Vulnerability Policy.

Fourth, we initiated this additional review of our own accord.

Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do.

Finally, we will investigate all credible reports and disclose findings with customer implications.

We ask all our customers and others to report any suspected vulnerabilities to the Cisco PSIRT for immediate investigation. Consistent with our long-standing process, we will manage and disclose results under the terms of our Security Vulnerability Policy.

Please see more information at our Trust & Transparency Center. Customers with additional questions can contact the Cisco PSIRT at psirt@cisco.com, referencing case: PSIRT-0551621891.”


Cisco operates one of its largest corporate campuses in RTP.

Read more at:

http://blogs.cisco.com/security/update-for-customers