
Code base in IOS vs IOS S

dagarcia7193
Level 1

Hello,

My question seems simple in nature, but I cannot seem to get a good answer anywhere. I am trying to document all CVEs that relate to a given release of IOS (IOS 12.2 (40) SE in particular). After using Cisco's tool to find CVEs relating to that release, I was left wondering if an unpatched IOS 12.2 40 SE would be vulnerable to more recently found vulnerabilities (with CVE numbers in the NIST database) due to a shared code base. The only documentation I could find was the Cisco IOS Software Reference Guide (ver 1.0 OCT 2012) that mentioned all IOS S variants sharing a code base. My gut tells me that the code base is similar if not the same to mainline IOS, just with added functionality, so therefore new vulnerabilities with an associated CVE would probably apply to 12.2SE as well, provided it remained unpatched.

Please anybody with any insight into this, your comments would be more than welcome at this point, I'm pretty sure I've searched the entire internet.

Thanks,

~Dave

1 Reply

Philip D'Ath
VIP Alumni

I don't know the answer.

Let me warn you that sometimes the special fixed releases for CVEs can be worse (due to bugs) than the original CVE. A good example of this was the recent ASA "fixes".

I try to wait for the next general release, that has had proper testing, rather than rushing to install a patch for a CVE that has a 1 in 10 million chance of being exploited.