
Cisco Faces Security Flap

Light Reading
News Analysis
7/28/2005

A security researcher has crossed Cisco by revealing, at a conference this week, the existence of a major IOS security hole.

Wired News reported yesterday that the existence of the flaw was disclosed yesterday by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas.

Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand.

While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco.

Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download.

But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers.

U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw.

According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying.

Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its Website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers."

Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes an opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to cover up a security flaw (see Security Bugs Bite Juniper, Cisco).

— Craig Matsumoto, Senior Editor, Light Reading

got_light
12/5/2012 | 3:07:09 AM
re: Cisco Faces Security Flap
Cisco is on their way to become the Microsoft of the Networking industry. Wonder how Cisco will ruin their image by issuing contradicting statements. Have to wait and watch how they bully their way out of this mess.

Does this mean even Huawei has the same flaw?

Got Light ?
js2003
12/5/2012 | 3:07:03 AM
re: Cisco Faces Security Flap
They are good at hiding things!!!!
That's CISCO!!!!!
andregca
12/5/2012 | 3:07:03 AM
re: Cisco Faces Security Flap
From what I've been reading all over the net, I think the point is that Cisco had hidden the real extent of previous vulnerabilities, covering a buffer overflow one, which could lead to a Shell Code Execution exploit, as a DoS vulnerability.

Administrators can choose not to upgrade some routers vulnerable to DoS attacks, in certain perimeters of their networks, for some time. The urgency assumes another level when we talk about buffer overflows...

Cheers.