[IP] Security researcher quits job and blows whistle on Cisco's fatal flaws
-----Original Message-----
From: "Robert J. Berger"<rberger@xxxxxxx>
Sent: 7/28/05 1:49:03 PM
To: "Dave Farber"<dave@xxxxxxxxxx>, "Dewayne Hendricks"<dewayne@xxxxxxxxxxxxx>
Subject: Security researcher quits job and blows whistle on Cisco's fatal flaws
[This article and the one it points to have more info on the situation
and more of a perspective from the whistleblower - Rob ]
Security researcher quits job and blows whistle on Cisco's fatal flaws
posted by Cory Doctorow at 10:43:45 PM
http://www.boingboing.net/2005/07/27/security_researcher_.html
Michael Lynn is a security researcher who worked at the security
firm ISS until yesterday. Now he's under a restraining order
from Cisco, arising from his disclosure of critical flaws in
Cisco's routers that threaten the world's information
infrastructure. Lynn had found a buffer overflow exploit that
lets an attacker take absolute control over Cisco routers. He
sent the details to Cisco in April, but they still have not
fully repaired the vulnerability. Since many of the world's key
routers are supplied by Cisco, this means Cisco's foot-dragging
places large parts of the world's information infrastructure at
grave risk of collapse.
Lynn proposed to disclose this vulnerability at Black Hat, the
respected Las Vegas security conference. Cisco threatened to
sue, claiming they were defending their "intellectual property."
The conference and Lynn's employer agreed to yank the
presentation, and Cisco employees spent eight hours ripping
Lynn's research out of the printed program books before they
were handed out to attendees. Lynn agreed to give a different
talk.
Then, fewer than two hours before his presentation, Lynn
announced his resignation from ISS. He got up on stage and
delivered his original presentation. Cisco went ballistic and
got a restraining order against Lynn and the conference
forbidding them from further discussing this.
This SecurityFocus article is amazing -- the gutsy quotes from
Lynn in particular are inspiring. This guy is my new hero.
"I feel I had to do what's right for the country and the
national infrastructure," he said. "It has been confirmed
that bad people are working on this (compromising IOS). The
right thing to do here is to make sure that everyone knows
that it's vulnerable..."
Lynn outlined a way to take control of an IOS-based router,
using a buffer overflow or a heap overflow, two types of
memory vulnerabilities. He demonstrated the attack using a
vulnerability that Cisco fixed in April. While that flaw is
patched, he stressed that the attack can be used with any
new buffer overrun or heap overflow, adding that running
code on a router is a serious threat.
"When you attack a host machine, you gain control of that
machine--when you control a router, you gain control of the
network," Lynn said...
"It is especially regretful, and indefensible, that the
Black Hat Conference organizers have given Mr. Lynn a
platform to publicly disseminate the information he
illegally obtained," [Cisco] said in a statement. "We
appreciate the cooperation we have received from ISS in
this matter. We are working with ISS to continue our joint
research in the area of security vulnerabilities..."
In the latest case, ISS and Lynn contacted Cisco in April
to report their process for using a vulnerability in IOS to
run a program on a Cisco router. The networking [company] fixed the
vulnerability in the operating system, but did nothing to
prevent attackers from running programs on the devices
using the broad techniques Lynn described, the researcher
said.
During his presentation, Lynn outlined an eight-step
process, using any known but unpatched flaw, to compromise
a Cisco IOS-based router. While he did not publish any
vulnerabilities, Lynn said that finding new flaws would not
be hard...
"What I just did means that I'm about to get sued by Cisco
and ISS," Lynn said, joking later that he may be "in
Guantanamo" by the end of the week...
"What politicians are talking about when they talk about
the Digital Pearl Harbor is a network worm," he
said. "That's what we could see in the future, if this
isn't fixed."
Link http://online.securityfocus.com/news/11259 (Thanks,
Pablos!)
Update: James sez, "I am a source close to Mr. Lynn.
"Things to note: Lynn and ISS contacted Cisco about this
vulnerability in April and it was fixed. Vulnerable versions are
no longer available from Cisco. Cisco and ISS both initially
supported Lynn's presentation at Black Hat. Cisco had, initially,
committed to sending a representative to corroborate Lynn's
findings. Lynn had been planning to give this presentation since
then, which was months in advance, with the consent of both ISS
and Cisco.
"On Monday before the conference Cisco and ISS decided to pull
the presentation with vague reasons given. This prompted the
actions by Lynn on Wednesday, resignation and release.
"It is important to note and propagate that Lynn did go through
the correct channels for release: he contacted the vendor, the
vendor issued a fix. At this point, normally, public release
would be allowed and expected."
---
Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
PGP Key: http://www.ibd.com/html/rbergerPublic.gpgkey
http://www.ibd.com
-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/