Why Cisco doesn’t disclose flaws for months after it patches them

Cisco explains why it fixes some security flaws months before telling customers a patch is available. 

Cisco’s recently patched and extremely dangerous Adaptive Security Appliance (ASA) bug brought attention to a peculiarity about its security advisories. Unlike Microsoft or Apple, whose patches generally coincide with an advisory explaining it and its impact, Cisco customers can get fixes weeks and possibly months before it tells them about it in an advisory. 

As one admin discovered after Cisco disclosed an ASA bug in January, the company had actually plugged the hole in some of releases of the affected product 80 days before it warned admins a patch was needed and why. 

In that instance, the advisory was published two days before the NCC Group researcher who found it was set to give a presentation about the bug, which affected multiple ASA major releases and required different courses of actions depending on the release. 

The admin’ asked whether customers should accept Cisco apparently withholding crucial information about an already available fix, causing admins to rejig patching priorities at the last minute when action could have commenced weeks before. More transparency was needed from Cisco, the admin argued. 

Cisco again released fixes for some versions of its DNA Center software months before it disclosed the critical flaws this May.   

Attention on Cisco’s disclosure practices came amid concerns over Russian hackers exploiting default configuration in Cisco Smart Install software to attack organizations in the US and Australia.  

Cisco today said customers frequently ask its Product Security Incident Response Team (PSIRT) why fixes are available for several months before the vulnerability itself is publicly disclosed, which the company defended the practice on the grounds of responsible disclosure. 

"There have been some questions as to why creating fixes and releasing updates can take several weeks, or sometimes even months, before an advisory is published," writes Lou Ronnau, a member of Cisco’s Customer Assurance Security Programs team.

First, fixes need to be available for all affected versions before it can disclose a “high” or “critical” bug. At the same time, it releases fixed versions as soon as possible, so as not to hold them up for simultaneous publication, which means some customers patch without knowing why. 

“If we disclosed the vulnerability after only fixing one release, we would unnecessarily expose all customers running other releases to potential exploitation once details about the attack itself became public,” says Ronnau. 

He points out that Cisco can have as many as 50 different affected versions of a single product to fix. In the case of the ASA flaw, there were 10 major releases affected, each with a different mitigation strategy. DNA was first released in 2018 with only a few versions available. 

Cisco operations also use “code trains” that help it deliver various releases with the same code base, which impacts its more well-established software, such as IOS, NX-OS, IOS-XE that run on numerous physical and virtual platforms. 

In other words, Cisco faces complexity that isn’t apparent to admins when it needs to patch a broad product portfolio on the same train.

The company aims to provide patches for all platforms before disclosing a vulnerability but “implementing the fix into each supported code train for each supported platform will often affect the speed at which vulnerabilities can be remediated for any given platform”, according to Ronnau.

Cisco however will break from standard disclosure procedures if the flaw becomes public, it discovers a flaw will become public, or if it has evidence it has been exploited. 

Cisco details its policy on responsible disclosure here.