Re: Addressing Cisco Security Issues
I have had a similar run-around with AT&T Broadband and Sprint a while back,
pertaining to a DoS
attack my organization was experiencing. Not to dive into details, to resolve
the issue, I got
them both on the line in a 3-way conversation, and it was taken care of in less
then 5 minutes.
They didn't seem to eager to shrug off the responsibility to someone else, when
that someone else
was right there on the phone.
Jason Dodson
--- "Geo." <geoincident1@xxxxxxxxxxx> wrote:
> I have to post this because I consider this to be a security issue in it's
> own right.
>
> Recently there were a number of exploits released for cisco equipment, among
> the affected equipment were the 677 and 678 consumer DSL routers of which
> there are millions in use.
>
> I have one such router, the DSL circuit is provided by Alltel and I work for
> the ISP who provides the actual internet access.
>
> So upon reading recent warning notice sent to the security email lists about
> the exploits being publicly available I went and read
> http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says
> any router running a version of CBOS prior to 2.4.5 (actually you need 2.4.6
> because of later exploits) is vulnerable.
>
> So like a good netizen I contacted cisco TAC via telephone, gave them my 678
> serial number and they informed me that they could not provide the security
> update because my router is registered to alltel (alltel did provide the
> router when I ordered the DSL circuit), please call Alltel to get it. Ok so
> then I called Alltel, who told me no problem we can email you the update and
> asked for my email address. Except since Alltel is not the ISP I don't have
> an alltel email address so then they won't email it to me, please contact
> your ISP. I then informed Alltel that I AM MY ISP to which they replied they
> still could not provide the patch and that I would have to get it from
> Cisco.
>
> So then I call Cisco TAC again, this time I explain the full details of all
> I've just been thru and the tech decides to ask someone. Comes back and says
> if I register on the cisco website that he can open a ticket and get someone
> to call me back on it. (I'm presently waiting for that call)
>
> In the mean time I decided to google for it and low and behold I found 2.4.6
> on a website (url not posted to protect the life saving individuals who put
> it on the web). Now of course I've no way to know if this version I just
> found is safe or not but HELLO CISCO???
>
> If you are going to issue security alerts that require ISP's and consumers
> to patch their hardware devices then you had better damn well make sure that
> folks can actually GET THE PATCHES. It would require no effort at all to
> post a bogus version full of back doors and whatnot on the web and after
> seeing the nightmare it is to obtain the patch thru official channels it's
> clear to me that this would be a very popular download.
>
> Geo.
>
__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html