Ecessa Security Vulnerability Policy and Notices

At Ecessa, we take our clients’ network security very seriously. 

Ecessa solutions are in integral part of your network and must meet or exceed all aspects of your corporate security requirements, policy, and reputation. This security vulnerability policy was created to explain how we are making sure that your solutions are secure and meet new and increasingly stringent testing standards. We take this responsibility seriously and look forward to your feedback. To view this document in PDF format, click here.

AWARENESS

Ecessa’s internal team actively monitors the forums that are most relevant to our solutions.  Every Ecessa product is an x86 based industrial computer running Gentoo Linux.  We monitor the Gentoo Security Database (https://security.gentoo.org/) and the NIST National Vulnerability Database (https://nvd.nist.gov/home.cfm) on a monthly basis to determine what new threats are reported.

Our team also monitors relevant social media forums like Twitter, LinkedIn, Facebook, and Google+ daily for mention of any new threats or trends in our industry.  New alerts are captured as a new task in Jira, our internal development environment, for our teams to review, assign, and escalate.

ASSESSMENT

Ecessa has an internal, automated testing platform designed to determine if and how each security vulnerability impacts our software code base.  First we port the latest security vulnerability code from the Gentoo Linux community, then we load this into our Jenkins automated test platform and execute all tests.  The results from this screening output a threat report that indicates if any items affect our software, which ones, and in what way.  This report is then reviewed by the development team and any relevant issues are then capture in Jira and assign for a comprehensive team review.

MITIGATION

After the reviews are complete and the threat is verified to impact the Ecessa software code base, our team investigates a solution; this includes understanding the specifics of the threat, the impact on our features, how broadly it impacts our code and kernel, and the best way to mitigate it.  Depending on the severity, impact, complexity, and risk the team will generate short and long-term options for customers.  These options may be limited to communications, indicating a low risk or impact, or be immediate software code updates and release to resolve critical or high-risk issues.  All software design information associated with the vulnerability and how to mitigate it are updated in the Jira tool.

COMMUNICATION

Ecessa has several ways to communicate with our install base customers, new clients, and partner groups. Each communication path is provided to accommodate different communication needs, styles, details, and frequency. Below are the three levels of communication.

  • Public
    One-time notices are published to the following medium at time of mitigation completion; general public can also see additional content listed below:

    • Ecessa main website (www.ecessa.com/security)
      • Security
        • Policy
        • Latest threats
        • Alerts and recommendations
    • Ecessa Support website (http://support.ecessa.com)
      • Announcements
        • Articles on specific CVE threats
        • Links to FAQs
        • Links to mitigation steps
  • Install BaseDevice
    • Graphic User Interface (GUI) notifications
      • Alerts for users when new versions of software are available for upgrade
        • Each software revision has release notes that indicate which CVE is addressed and how it corrects the issue.
    • Cloud View Alerts (Available in Q4 2016)
      • Alerts can be configured through the Ecessa Cloudview web application
        • Each CVE that potentially impacts Ecessa products, features, or functions will have a message that details impact, mitigation, and next steps for customers.
  • Partners
    • Public Alerts (detailed above)
    • Install Base Alerts (if applicable)
    • E-mail Alerts
      • Partners can opt-in to an e-mail alert program with Ecessa. We will send the same information provided in other locations within a single, direct e-mail.
          • E-mails are sent at the same time public alert information is released.
          • E-mail addresses are maintained within our Customer Relations Management (CRM) tool.
          • Partners can request inclusion to this list by sending an e-mail to any of the following:
            voc@ecessa.com
            msiegler@ecessa.com
          • Partners can also request inclusion by filling out the form below.

FEEDBACK

Ecessa has a philosophy of continuous improvements; we are looking to make our products, processes, and experience better each day. To accomplish this, we have a formal Voice of Customer (VoC) process that is open to all customers and partners (voc@ecessa.com). This is also used for us to improve our security vulnerability process and fine tune it for our customers’ ever- changing needs. Please provide feedback at that e-mail for specifics on this policy or other Ecessa features and products – thank you.

Want to be the first to know about security threats?

NOTICES

CVE-2016-0800 – DROWN – Cross-protocol attack on TLS using SSLv2
Ecessa software versions 10.2.24, 10.4.6 and newer, all versions of 10.5, and all versions of 10.6 are not vulnerable to this issue. Both SSLv2 and SSLv3 ciphers are disabled and could not be used to exploit this vulnerability. Read more >>

CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
This vulnerability is caused by stack-based buffer overflows that can be triggered via a crafted DNS response when performing dual A/AAAA DNS queries. The vulnerability of the Ecessa device is only through DNS queries the Ecessa device itself makes, not through DNS traffic routed by the Ecessa device. Our testing has confirmed that some functions in the Ecessa software are vulnerable to this exploit and an update addressing the issue is planned for release 10.7 later this year. In the meantime, it is possible to disable the ability of the Ecessa device to make DNS queries. Read more >>

GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability (CVE-2014-6271, CVE-2014-7169)
This vulnerability is fixed in Ecessa software versions 8.4.27, 9.2.24, 10.2.22, 10.3.13, and 10.4.3. Ecessa recommends upgrading to one of these versions as soon as possible. In the meantime, if you would like to restrict access to the Ecessa devices, instructions are available. Read more >>

Contact, Connect, Continue

Let our team of experts find the right solution for you.
Fill out our simple form and we’ll take it from there.