On 12/30/2013 3:51 PM, Randy Bush wrote:
Clay Kossmeyer here from the Cisco PSIRT.
shoveling kitty litter as fast as you can, eh?
http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20131229-der-spiegel
"The article does not discuss or disclose any Cisco product vulnerabilities."
this is disengenuous at best. from the nsa document copied in der
spiegel and now many other places:
"JETPLOW is a firmware persistence implant for Cisco PIX series and
ASA firewalls ..."
so in cisco kitty litter lingo, what would be "discuss[ing] or
disclos[ing] any Cisco product vulnerabilities? the exploit code
itself?
randy
What is the vulnerability in Cisco product Randy?
That a 3rd party can replace the firmware in your firewall?
There isn't enough information to determine if this is a software
vulnerability triggered with exploit code or wholesale firmware
replacement. The document refers to an implant but not how it gets there.
--
"The first rule of any game is to know that you're in one."
-Sandy Lerner, co-founder, Cisco Systems