Cisco Faces Security Flap
Wired News reported yesterday that the existence of the flaw was disclosed the same day by former researcher Michael Lynn at the Black Hat Briefings conference in Las Vegas.
Cisco and ISS originally had approved Lynn's talk, but Cisco reportedly made an about-face earlier this week, insisting the talk be delayed. Lynn claimed ISS and Cisco had threatened him with a lawsuit if he didn't cancel the talk. He gave the talk anyway, quitting his job beforehand.
While he didn't disclose how to exploit the flaw, Lynn reportedly demonstrated that it could be used to gain unauthorized control over a router. ISS had discovered the flaw in its work with Cisco.
Cisco officials say the bug has been patched, and the buggy version of IOS is no longer available for download.
But Lynn's actions raise the debate over how such security problems should be handled. Many security experts believe that full disclosure is the best policy, because it keeps users aware of security dangers.
U.K. news sources are reporting this morning that Cisco and ISS have filed a restraining order against Lynn and the Black Hat conference organizers to prevent further discussion of the security flaw.
According to Wired News, Lynn chose to act because of recent thefts of Cisco IOS code, which he takes as a clear sign that hackers intend to attack IOS, much as they target Microsoft Corp.'s (Nasdaq: MSFT) Windows operating system for its ubiquity (see Cisco's IOS Code 'Compromised'). "I'm probably about to be sued to oblivion. [But] the worst thing is to keep this stuff secret," Lynn was quoted as saying.
Cisco officials couldn't be reached for comment late Wednesday, but Cisco did post a response to Lynn's talk on its website, which reads in part: "It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers."
Generally, Cisco is open about reporting IOS flaws as they are discovered. Juniper Networks Inc. (Nasdaq: JNPR) takes an opposite tack, preferring not to disclose security bugs found in its JunOS operating system. The result is that Cisco has a lot more bugs being discussed. But Juniper has had its share of trouble, too, such as a January incident where customers reportedly underwent emergency upgrades to cover up a security flaw (see Security Bugs Bite Juniper, Cisco).
— Craig Matsumoto, Senior Editor, Light Reading