cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2885
Views
5
Helpful
3
Replies

Security issue with SPA1x2/SPA232D ?

Dan Lukes
VIP Alumni
VIP Alumni

Just few days ago, the new firmware version 1.3.2(XU) has been released for both SPA1x2 and SPA232D.

Release Notes claim the only change - SRTP is removed. No further details about the issue solved by it. No details mean severe bug in most cases. Cisco is not publishing new releases just for fun.

Not to disclose issues with particular firmware is bad practice in all cases as undisclosed issue may hurt any particular customer. But in the case of security related features, like SRTP, it's just unacceptable. A chinese company selling cheap crap for few cents may try to hide the problems and put it's customer in risk. I'm expecting no such approach from the Cisco.

So - should I assume there is a severe bug in SRTP implementation ? Is SRTP implementation in pre-1.3.2(XU) firmware reliable and secure, or should I forgot the SRTP at all ?

1 Accepted Solution

Accepted Solutions

laharper
Community Member

Hello Dan,

Firmware releases that have the "XU" designation in the filename are identical in every way with the matching firmware version except for the removal of the SRTP functionality.

SRTP cannot be configured (from the web-based GUI) nor can it be remotely provisioned via a downloadable xml parameter in the configuration file on products that are running the XU firmware.

Advanced encryption capabilities are not permitted in specific markets where Cisco ATAs and Voice Gateways are sold, however the XU firmware is permitted on units ordered for those regions.

We publically post shipping firmware for our products and all future maintenance releases will be posted with an XU firmware version along with a description of the differences in the release notes.

Thank you,

Lance Harper

Cisco Systems, Inc.

View solution in original post

3 Replies 3

laharper
Community Member

Hello Dan,

Firmware releases that have the "XU" designation in the filename are identical in every way with the matching firmware version except for the removal of the SRTP functionality.

SRTP cannot be configured (from the web-based GUI) nor can it be remotely provisioned via a downloadable xml parameter in the configuration file on products that are running the XU firmware.

Advanced encryption capabilities are not permitted in specific markets where Cisco ATAs and Voice Gateways are sold, however the XU firmware is permitted on units ordered for those regions.

We publically post shipping firmware for our products and all future maintenance releases will be posted with an XU firmware version along with a description of the differences in the release notes.

Thank you,

Lance Harper

Cisco Systems, Inc.

It's satisfactory and calming explanation. Thank you.

But it raise question related to conditional operator in Profile_Rule and Upgrade_Rule configuration  like

($SWVER ne 1.3.2)?htps://.../SPA112_132_14.bin

Will be the 1.3.2(XU) version considered different from non-XU version for the purpose of eg and ne operators ? And what about gt/ge/lt/le operators ? Will XU pseudoversion be considered newer or older than 1.3.2(014) ?

Hm, I tried it. Now I understand why I got no response to my second question.

Version-style conditional expressions don't work on XU image.

I assume that ad-hoc solution has been selected, but consequences of selected solution has not been evaluated. How it is possible that someone decide to change format of version string but forgot to modify routines that parse it accordingly ?

Well, it may happen. There is beta testing and QA testing to catch bugs like it.

Do you have Cisco a set of test that the new firmware needs to pass before release, isn't it ? Hard to imagine that such set contain no even one simple test related to conditional expressions ...

Isn't the right time to consider that firmwares should be tested before release ?