Cisco published a set of IOS security vulnerabilities this afternoon, marking the first announcement day of its new disclosure schedule. Earlier this month Cisco had announced it would simplify its IOS security advisories by publishing them only on the fourth Wednesday in March and September each year. However, the company claims that advisories concerning a vulnerability for which exploit code is in the wild will not be held to this cycle.
The advisories published today include:
- Cisco IOS Virtual Private Dial-up Network Denial of Service Vulnerability
- Multiple DLSw Denial of Service Vulnerabilities in Cisco IOS
- Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers
- Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor 32, Supervisor 720, or Route Switch Processor 720
- Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
Network engineers in the community have expressed opinions both for and against Cisco's new publication schedule. Personally, I think it's ridiculous and naive to attempt to schedule security in any manner. A vulnerability should be resolved and published as soon as possible; intruders don't wait to attack when it's convenient for you.