SECURITY

Obtaining Information on Security Issues Related to SISCO’s Products

SISCO is committed to providing products that are secure, robust, and cost-effective. This web page is provided as a service to our customers and their users to enable them to obtain information about known security vulnerabilities that may exist in SISCO’s products.

Existing Customers
If you are an existing SISCO customer with an active support and maintenance contract, you can already log into the SISCO download center and obtain detailed release notes on the products you have licensed. If you need security-related information on any other SISCO products, please contact our technical support staff and they will be glad to help you.

Previous Customers
If you are a previous customer who licensed a SISCO software product in the past, either directly, through a value added reseller (VAR), or via a system integrator, but you do not have a current support and maintenance contract, you can still obtain information about known security issues related to the SISCO products that you have by making a request via the following procedure:

  1. Contact SISCO’s Security Response Team via email, Fax (+1-586-254-0053), or via Phone (+1-586-254-0020). If preferred, you can use secure email for correspondence regarding security issues by using SISCO’s PGP key for secure email.
  2. Be sure to include all of the following information in your request:
    • Your Complete Name and Job Title
    • Your Company Name
    • Company mailing/street address
    • Telephone, fax, and email
    • Serial Number of the SISCO product. This is located on the CD or USB dongle (if applicable). If you don’t have the CD, please provide any useful information that will enable SISCO to confirm that you have a valid product license, such as purchase order numbers, dates of delivery, or invoices.
    • Version number of the product. You can obtain this from the CD or by looking at the Help|About screen on the product itself. If you are using the Help|About screen to get the version information, please be sure to obtain the version number from the product itself and not from any clients that might be communicating with that product.
    • If the product was not purchased directly from SISCO, please provide the name of the company from whom the product was purchased.
  3. SISCO will only use this information to confirm the validity of the license and will only retain this information to keep accurate records of your valid license here at SISCO. Your information will never be shared with any third party without your consent.
  4. After validating your license, a member of SISCO’s Security Response Team will contact you with information about any known security issues with that software. Depending on the circumstances, updates may be made available to you for mitigation. You will also be encouraged to reinstate the support and maintenance service on that product. DO NOT APPLY UPDATES WITHOUT FIRST ADEQUATELY TESTING YOUR SYSTEM TO DETERMINE THE IMPACT OF THE UPDATE.

SISCO does not provide detailed technical information of any kind (security related or otherwise) on our products to anonymous or unknown persons. People submitting requests for technical information using anonymous or generic ISP email accounts will be asked to provide more detailed identifying information before SISCO will be able to respond with the requested information.

End Users of Embedded Products
If you are an end user who has obtained a license to a SISCO software product through an independent software vendor (ISV) that has embedded SISCO software into a product you purchased from that ISV, it is recommended that you contact the ISV directly for all security-related information. Most ISVs use SISCO software in the development process of their own products or include other non-SISCO software components in their product deliverables. In both of these cases this will have a significant impact on whether a given security issue in SISCO’s software applies to your own installation. Only your ISV will be able to advise you as to the applicability of a given security vulnerability to your specific circumstances. SISCO is not able to help you make this determination.

IT IS CRITICAL THAT ALL END USERS OF EMBEDDED PRODUCTS CONTACT THE ISV DIRECTLY TO DETERMINE THE IMPACT OF APPLYING ANY UPDATES TO YOUR SYSTEMS BEFORE APPLYING SUCH UPDATES. Only your ISV will be able to advise you regarding the compatibility of updates that SISCO can provide with the specific configuration of your system.

End users of a software product that contains a SISCO software product embedded by an ISV can obtain security-related information on the SISCO products they have obtained from the ISV by making a request via the following procedure:

  1. Contact SISCO’s Security Response Team via email, Fax (+1-586-254-0053), or via Phone (+1-586-254-0020). If preferred, you can use secure email for correspondence regarding security issues by using SISCO’s PGP key for secure email.
  2. Be sure to include all of the following information in your request:
    • Your Complete Name and Job Title
    • Your Company Name
    • Company mailing/street address
    • Telephone, fax, and email
    • Serial Number of the SISCO product. This is located on the CD or USB dongle (if applicable). If you don’t have the CD, please provide any useful information that will enable SISCO to confirm that you have a valid product license, such as purchase order numbers, dates of delivery, or invoices.
    • Version number of the product. You can obtain this from the CD or by looking at the Help|About screen on the product itself. If you are using the Help|About screen to get the version information, please be sure to obtain the version number from the product itself and not from any clients that might be communicating with that product.
    • Operating system version and computing platform of the product.
    • The name of the ISV and the name of the ISV product in which the SISCO product is embedded.
  3. SISCO will only use this information to confirm the validity of the license and will only retain this information to keep accurate records of your valid license here at SISCO. Your information will never be shared with any third party without your consent. SISCO may need to contact your ISV. Please indicate in your request if you DO NOT wish SISCO to discuss your inquiry with the ISV.
  4. After validating your license, a member of SISCO’s Security Response Team will contact you with information about any known security issues with that software. In most circumstances you will need to contact your ISV to obtain updates. If you need an update directly from SISCO, additional information may be required. DO NOT APPLY UPDATES WITHOUT FIRST ADEQUATELY TESTING YOUR SYSTEM TO DETERMINE THE IMPACT OF THE UPDATE.

SISCO does not provide detailed technical information of any kind (security related or otherwise) on our products to anonymous or unknown persons. People submitting requests for technical information using anonymous or generic ISP email accounts will be asked to provide more detailed identifying information before SISCO will be able to respond with the requested information.

Reporting Security Issues Related to SISCO’s Products
SISCO is committed to a process of continuous improvement on our products. SISCO is very interested in all feedback from customers, users, and security researchers with information on usability, bugs, vulnerabilities, and suggestions for improvements. For best service, all existing customers should report any technical support issues, whether they are security related or not, via SISCO’s technical support contact. If you have non-security-related feedback regarding SISCO’s products, you can send it via SISCO’s technical support contact or by email to SISCO’s general information email address.

If you need to report a security vulnerability, please follow this procedure:

  1. Contact SISCO’s Security Response Team via email, Fax (+1-586-254-0053), or Phone (+1-586-254-0020). If using email to report security vulnerabilities, it is highly recommended that you use SISCO’s PGP key for secure email.
  2. Be sure to include all pertinent information in your request:
    • Your Complete Name and Job Title
    • Your Company Name
    • Company mailing/street address
    • Telephone, fax, and email
    • Product number and version number of the SISCO product at a minimum. Depending on the specific kind of vulnerability being reported SISCO may also request the product serial number.
    • If the SISCO product was tested with an ISV product or other third-party products, please identify these third parties by company name and include as much information about these other products as is practical.
    • Please include all available information regarding the nature of the vulnerability, including log files, behavioral descriptions, screen shots, packet captures, dump files, etc. If the files are too large to be practical for email or fax, please inform SISCO so we can provide you with FTP access.
    • Please inform us if any SISCO customers are currently being impacted by the reported issue.
  3. If you do not get an acknowledgement within 2 business days of sending a report, please contact us again. If you have difficulties reaching us via email or fax, please phone the operator at +1-586-254-0020. If you are not receiving any acknowledgement from SISCO, it means that we did not receive your report. We prefer that you use email or fax to submit the actual reports and use the phone only for coordination and confirmation. Although SISCO may take action, SISCO will not acknowledge reports received from anonymous, pseudonymous, or other unidentifiable sources.

What is a Security Issue or Vulnerability?
While there might be some disagreement among reasonable people as to the difference between a security vulnerability and a “normal” software bug, SISCO is interested in receiving reports of bugs and vulnerabilities regardless of how you classify them. ANY conditions that cause SISCO’s software products to behave abnormally in a manner that might disrupt data exchange or affect the integrity of the data being exchanged should be treated very seriously and reported to SISCO immediately via the procedure described above.

Existing Security Advisories
Below are publicly known existing vulnerabilities in SISCO software, including the date of the last known update to their status. Links are provided below for public disclosures where the links are known. Please inquire about other issues per the procedures described above.

SISCO routinely documents all changes that we have made in our products in the release notes for those products, and this information is provided to anyone purchasing our products or receiving an update to our products. Some of these changes may be bug related while others result from customer suggestions and product improvements. While we try to be explicit in our descriptions, some of those changes may not be identified explicitly as security vulnerabilities. If you have a question about a specific known security vulnerability, please include that information when making an inquiry.

SISCO does not publicly disclose security vulnerabilities without first attempting to notify customers and users prior to public disclosure and providing them reasonable time to apply updates. If you are unsure of the applicability of a notice to your system, please contact SISCO as described above and we will make every attempt to provide you the information you need to determine how any of these issues will affect your systems.

  1. Portcullis Vulnerability CVE-2015-6574 affecting some versions of MMS-EASE and AX-S4 ICCP – 26 April 2016
  2. Heartbleed Impact on SISCO Products – 15 April 2014
  3. Vulnerability in Windows Common Controls (MS12-060) describes a vulnerability in Microsoft Common Controls used by SISCO’s software that may not get updated during the Windows Update process – UPDATED: 21 April 2016
  4. US-CERT Vulnerability 145825 regarding the SISCO OSI stack used in MMS-EASE, ICCP Toolkit for MMS-EASE, AX-S4 ICCP, and AX-S4 MMS – 17 January 2007
  5. NESSUS Security Issue – 25 February 2005

SISCO Public PGP Keys
SISCO has created a new public PGP key that follows current best practice, replacing the key generated in 2006. These public keys can be used to send encrypted messages to SISCO’s security staff and to validate the signatures posted on the download portal for the software updates published there. The original public key and the new public key are provided below:

  1. New SISCO Public Key for any communications or signatures on or after 15 November 2018: New SISCO PGP Key
  2. Old SISCO Public Key for signatures posted prior to 15 November 2018: Old SISCO PGP Key