Categories: Cisco

A sysadmin has criticized @Cisco for shipping software that fixed a high-severity bug 80 days before telling customers how dangerous it was.

As @ZDNet reported this week, Cisco published an advisory detailing a bug in its Adaptive Security Appliance (ASA) software with a CVSS score of 10 out of a possible 10. ASA devices with the webvpn feature enabled could be taken over by a remote attacker, Cisco warned. The advisory also included a table listing which ASA releases were affected and the first release in each train that carried the fix, but the table gave no release dates, so it was not immediately clear from Cisco's table when the first fixed version had actually shipped.

Colin Edwards, a system administrator, filled in that blank with his own table of release dates for the fixed versions. It shows that Cisco rolled out its first fixed version back on November 10. As Edwards points out, Cisco fixed a super-critical bug in some products and then waited 80 days before telling sysadmins they needed to update now. "Eighty days. Eighty days is the amount of time that passed between the earliest software version that fixed the vulnerability being released, and the advisory being published. Eighty days."
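What Edwards did by hand, comparing a running ASA version against the advisory's "first fixed release" column and then dating those releases, is the check every ASA operator has to repeat for each advisory. The script below is an added example, not code from the post, from Cisco, or from Edwards. The first-fixed versions and release dates in it are constructed placeholders for illustration and are not the values from any real Cisco advisory; the only page-derived figure is the advisory date, which follows from the post's "November 10" (year 2017 assumed) plus the quoted 80 days. The version parser accepts both the advisory notation `9.8(2.14)` and the `show version` notation `9.8(2)14`.

```python
import re
from datetime import date

# ASA versions are major.minor(maintenance.interim). Advisory tables write the
# interim as "9.8(2.14)"; `show version` prints it as "9.8(2)14". Accept both.
_ASA_VER = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)(?:\.(\d+))?\)(\d+)?)?$")


def parse_asa_version(text):
    """Parse an ASA version string into a comparable tuple.

    '9.8(2.14)' -> (9, 8, 2, 14); '9.8(2)14' -> (9, 8, 2, 14);
    '9.8(2)' -> (9, 8, 2, 0); '9.8' -> (9, 8, 0, 0).
    Tuples compare lexicographically, which is the release order within a train.
    """
    m = _ASA_VER.match(text.strip())
    if not m:
        raise ValueError(f"not an ASA version string: {text!r}")
    major, minor, maint, interim_dot, interim_plain = m.groups()
    interim = interim_dot or interim_plain or 0
    return (int(major), int(minor), int(maint or 0), int(interim))


def train_of(text):
    """'9.8(2.14)' -> '9.8', the release train an advisory table is keyed by."""
    major, minor, _, _ = parse_asa_version(text)
    return f"{major}.{minor}"


# Constructed sample table in the shape of an advisory's "first fixed release"
# column, with the release date of each fixed build added the way Edwards did.
# Versions and dates are placeholders, NOT Cisco's published values.
SAMPLE_FIRST_FIXED = {
    "9.1": {"version": "9.1(7.23)", "released": date(2017, 11, 10)},
    "9.6": {"version": "9.6(4.3)",  "released": date(2017, 12, 8)},
    "9.8": {"version": "9.8(2.14)", "released": date(2018, 1, 19)},
}

# Derived from the post: first fix on November 10 (2017 assumed) + 80 days.
ADVISORY_DATE = date(2018, 1, 29)


def fixed_status(running, table=SAMPLE_FIRST_FIXED):
    """Classify a running version as 'fixed', 'vulnerable' or 'unknown-train'.

    A train missing from the table is reported as unknown rather than silently
    treated as fixed: in a real advisory such trains are either unaffected or
    end-of-life (migrate), and only the advisory text says which.
    """
    entry = table.get(train_of(running))
    if entry is None:
        return "unknown-train"
    if parse_asa_version(running) >= parse_asa_version(entry["version"]):
        return "fixed"
    return "vulnerable"


def exposure_window_days(table=SAMPLE_FIRST_FIXED, advisory=ADVISORY_DATE):
    """Days between the earliest first-fixed release and the advisory: the
    period in which a fix existed but customers were not told they needed it."""
    earliest = min(entry["released"] for entry in table.values())
    return (advisory - earliest).days


def per_train_gap(table=SAMPLE_FIRST_FIXED, advisory=ADVISORY_DATE):
    """The same gap per train, to see which trains were fixed quietly first."""
    return {t: (advisory - e["released"]).days for t, e in table.items()}


if __name__ == "__main__":
    for v in ["9.1(7.22)", "9.1(7.23)", "9.8(2)14", "9.8(3)", "9.4(4)"]:
        print(f"{v:12} {fixed_status(v)}")
    print("exposure window (days):", exposure_window_days())
    print("per train:", per_train_gap())
```

Feed `fixed_status` the version string from `show version` on each box; anything reported as `vulnerable` or `unknown-train` needs a human look at the advisory, since the script deliberately refuses to assume a train it has no entry for is safe.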
