Cisco Faces Security Flap

7/28/2005

A security researcher has crossed by revealing, at a conference this week, the existence of a major IOS security hole.

Wired News reported yesterday that existance of the flaw was disclosed yesterday by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas.

Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand.

While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco.

Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download.

But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers.

U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw.

According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying.

Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its Website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers."

Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes an opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to cover up a security flaw (see Security Bugs Bite Juniper, Cisco).

— Craig Matsumoto, Senior Editor, Light Reading

Like what we have to say? Click here to sign up to our daily newsletter

(3) |

Comment |

Print |

RSS

Cisco Faces Security Flap News Analysis Light Reading 7/28/2005 Comment (3) Tweet A security researcher has crossed by revealing, at a conference this week, the existence of a major IOS security hole. Wired News reported yesterday that existance of the flaw was disclosed yesterday by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas. Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand. While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco. Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download. But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers. U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw. According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying. Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its Website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers." Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes an opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to cover up a security flaw (see Security Bugs Bite Juniper, Cisco). — Craig Matsumoto, Senior Editor, Light Reading Like what we have to say? Click here to sign up to our daily newsletter (3) \| Comment \| Print \| RSS Comments Newest First \| Oldest First \| Threaded View ADD A COMMENT [close this box] got_light 12/5/2012 \| 3:07:09 AM re: Cisco Faces Security Flap Cisco is on their way to become the Microsoft of the Networking industry. Wonder how cisco will ruin their image by issuing contradicting statements. Have to wait to wait and watch how they bully their way out of this mess. Does this mean even Huawei has the same flaw? Got Light ? Reply \| Post Message \| Messages List \| Start a Board js2003 12/5/2012 \| 3:07:03 AM re: Cisco Faces Security Flap They are good at hiding thing!!!! That's CISCO!!!!! Reply \| Post Message \| Messages List \| Start a Board andregca 12/5/2012 \| 3:07:03 AM re: Cisco Faces Security Flap From what I've been reading all over the net, I think the point is that Cisco had hidden the real extent of previous vulnerabilities, covering a buffer overflow one, which could led to a Shell Code Execution exploit, as a DoS vulnerability. Administrators can choose not to upgrade some routers vulnerable to DoS attacks, in certain perimeters of their networks, for some time. The urgency assumes other level when we talk about buffer overflows... Cheers. Reply \| Post Message \| Messages List \| Start a Board		Educational Resources sponsor supplied content Cybersecurity: Priorities & Proposals for Small ISPs Arbor & Cisco: Stopping DDoS Attacks Threat-Centric Security Solutions for Service Providers Cisco ASR 9000 vDDoS Protection Solution Cisco ASR 9000 Integrated DDoS Mitigation with Arbor Networks Peakflow TMS Cisco ASR 9000 vDDoS Protection Solution Frost & Sullivan: The Expanding Role of Service Providers in DDoS Mitigation Cisco ASR 9000 vDDoS Protection Solution Overview Educational Resources Archive Featured Video Upcoming Live Events 5G Network & Service Strategies @ MWC19 Los Angeles October 22, 2019, Los Angeles, CA Software-Driven Operations November 5, 2019, London, England Global Telecoms Awards November 7, 2019, London, UK Cable Next-Gen Europe November 14, 2019, Maritim Hotel, Berlin 2020 Vision Executive Summit December 3-5, 2019, Vienna, Austria Cable Next-Gen Business Strategies December 3, 2019, New York, New York Cable Next Gen-Technologies & Strategies March 16-18, 2020, Embassy Suites, Denver, Colorado Big 5G Event May 18-20, 2020, Irving Convention Center, Dallas, TX All Upcoming Live Events Upcoming Webinars October 16, 2019 Break open the treasure chest with Network Design in 5G era October 16, 2019 How Next-Gen Telco Impacts Edge Data Center Architecture October 17, 2019 Automating the Cable Network October 22, 2019 How to Cut Your BSS Costs by up to 80% With Public Cloud October 22, 2019 Programmable FTTx: Readiness for a Virtualized Access Network October 23, 2019 Microsoft Azure ONAP-based NFV and SD-WAN solution October 23, 2019 What’s happening at the Edge October 29, 2019 IoT, 5G, Security, and RoI October 30, 2019 The Road to a Secure 5G: How Secure Are We Today? October 31, 2019 FTTx Mantra – Building Next-Generation Scalable Access Networks November 5, 2019 Be 5G Ready With Next-Gen Programmable Radio November 14, 2019 Securing the Cable Network December 12, 2019 Virtualizing the Cable Architecture Webinar Archive Partner Perspectives - content from our sponsors Why Fixed Broadband Is More Important Than Ever By Fang Hui, ZTE Huawei Empowers 5G Carriers By Huawei Which Fortune 500 HQ Will Be First to Utilize 5G? By Peter Linder Multiband Microwave Provides High Capacity & High Reliability for 5G Transport By Don Frey, Principal Analyst, Transport & Routing, Ovum 5G Transforms Vertical Industries By Huawei All Partner Perspectives Slideshows France's Bike Fest Demands Tour de Force From Orange Post a Comment \| Read (7 comments) Scenes From Sprint's Big 5G Launch (3) The Big 5G Event: Photos (0) More Slideshows