Cisco Faces Security Flap

7/28/2005

A security researcher has crossed by revealing, at a conference this week, the existence of a major IOS security hole.

Wired News reported yesterday that existance of the flaw was disclosed yesterday by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas.

Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand.

While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco.

Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download.

But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers.

U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw.

According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying.

Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its Website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers."

Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes an opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to cover up a security flaw (see Security Bugs Bite Juniper, Cisco).

— Craig Matsumoto, Senior Editor, Light Reading

Like what we have to say? Click here to sign up to our daily newsletter

(3) |

Comment |

Print |

RSS

Cisco Faces Security Flap News Analysis Light Reading 7/28/2005 Comment (3) Tweet A security researcher has crossed by revealing, at a conference this week, the existence of a major IOS security hole. Wired News reported yesterday that existance of the flaw was disclosed yesterday by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas. Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand. While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco. Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download. But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers. U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw. According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying. Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its Website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers." Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes an opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to cover up a security flaw (see Security Bugs Bite Juniper, Cisco). — Craig Matsumoto, Senior Editor, Light Reading Like what we have to say? Click here to sign up to our daily newsletter (3) \| Comment \| Print \| RSS Related Stories Comments Newest First \| Oldest First \| Threaded View ADD A COMMENT [close this box] got_light 12/5/2012 \| 3:07:09 AM re: Cisco Faces Security Flap Cisco is on their way to become the Microsoft of the Networking industry. Wonder how cisco will ruin their image by issuing contradicting statements. Have to wait to wait and watch how they bully their way out of this mess. Does this mean even Huawei has the same flaw? Got Light ? Reply \| Post Message \| Messages List \| Start a Board js2003 12/5/2012 \| 3:07:03 AM re: Cisco Faces Security Flap They are good at hiding thing!!!! That's CISCO!!!!! Reply \| Post Message \| Messages List \| Start a Board andregca 12/5/2012 \| 3:07:03 AM re: Cisco Faces Security Flap From what I've been reading all over the net, I think the point is that Cisco had hidden the real extent of previous vulnerabilities, covering a buffer overflow one, which could led to a Shell Code Execution exploit, as a DoS vulnerability. Administrators can choose not to upgrade some routers vulnerable to DoS attacks, in certain perimeters of their networks, for some time. The urgency assumes other level when we talk about buffer overflows... Cheers. Reply \| Post Message \| Messages List \| Start a Board		Educational Resources sponsor supplied content Cybersecurity: Priorities & Proposals for Small ISPs Arbor & Cisco: Stopping DDoS Attacks Threat-Centric Security Solutions for Service Providers Cisco ASR 9000 vDDoS Protection Solution Cisco ASR 9000 Integrated DDoS Mitigation with Arbor Networks Peakflow TMS Cisco ASR 9000 vDDoS Protection Solution Frost & Sullivan: The Expanding Role of Service Providers in DDoS Mitigation Cisco ASR 9000 vDDoS Protection Solution Overview Educational Resources Archive Featured Video Upcoming Live Events Cable Next Gen-Technologies & Strategies March 16-18, 2020, Embassy Suites, Denver, Colorado Big 5G Event May 18-20, 2020, Irving Convention Center, Dallas, TX All Upcoming Live Events Upcoming Webinars December 17, 2019 Network Slicing & the New Business Model in the 5G Era December 17, 2019 IoT Evolution in a 5G World: Architectures & Security Strategies December 18, 2019 Huawei’s View: State-of-the-Art in 5G RAN Equipment January 16, 2020 SCTE.ISBE Live Learning Webinar: Future-Proofing with Fiber January 23, 2020 The Edge Gets Real: Data Center Automation for Telco and Cloud Service Providers February 20, 2020 SCTE.ISBE Live Learning Webinar: Making Way for DAA March 19, 2020 SCTE.ISBE Live Learning Webinar: Extending the Spectrum April 16, 2020 SCTE.ISBE Live Learning Webinar Series: Playing with PON May 21, 2020 SCTE.ISBE Live Learning Webinar Series: Smart Pipes, Smarter Cities June 18, 2020 SCTE.ISBE Live Learning Webinar Series: Tapping Into the Cloud July 16, 2020 SCTE.ISBE Live Learning Webinar Series: 10G vs. 5G August 20, 2020 SCTE.ISBE Live Learning Webinar Series: Closing the GAP on GAP September 17, 2020 SCTE.ISBE Live Learning Webinar Series: Getting Ready for DOCSIS 4.0 October 22, 2020 SCTE.ISBE Live Learning Webinar Series: Virtualizing the Cable Access Network November 19, 2020 SCTE.ISBE Live Learning Webinar Series: Testing the Next-Gen Cable Network December 10, 2020 SCTE.ISBE Live Learning Webinar Series: Dreaming of Streaming Video Webinar Archive Partner Perspectives - content from our sponsors Experience Is Vital for SDH Migration By Deng Qiang, Senior Product Manager, Huawei Reimagine the Mobile Network By Cisco 5G Brings Smart Stadium Live Broadcasting to Life By Lu Wei, ZTE With Over 100M Users, 4G/5G FWA Offers a New Direction for Mobile Operators By Huawei The 6GHz Opportunity: WRC-19 Agreed to Study the Frequency Band of 6425-7125 MHz for IMT By Lu Yi, Senior editor, C114 All Partner Perspectives Slideshows Vienna Views: Pics From the 2020 Vision Executive Summit Post a Comment \| Read (0) France's Bike Fest Demands Tour de Force From Orange (16) Scenes From Sprint's Big 5G Launch (4) More Slideshows