Firm Allegedly Hiding Cisco Bugs By Kim Zetter Story location: http://www.wired.com/news/technology/0,1282,69762,00.html
02:00 AM Dec. 06, 2005 PT The computer security researcher who revealed a serious vulnerability in the operating system for Cisco Systems routers this year says he discovered 15 additional flaws in the software that have gone unreported until now, one of which is more serious than the bug he made public last summer. Mike Lynn, a former security researcher with Internet Security Systems, or ISS, said three of the flaws can give an attacker remote control of Cisco's routing and gateway hardware, essentially allowing an intruder to run malicious code on the hardware. The most serious of the three would affect nearly every configuration of a Cisco router, he said. "That's the one that really scares me," Lynn said, noting that the bug he revealed in July only affected routers configured in certain ways or with certain features. The new one, he said, "is in a piece of code that is so critical to the system that just about every configuration will have it. It's more part of the core code and less of a feature set," Lynn said. Like the earlier bug, the more serious of the new bugs is in Cisco's Internet Operating System, or IOS, said Lynn. Another dozen unpublished vulnerabilities can allow someone to conduct a denial-of-service attack against the router, crashing it over the internet, he said. Lynn, who now works for Cisco competitor Juniper Networks, told Wired News that ISS has known about additional flaws in the Cisco software for months but hasn't told Cisco about them. This is serious, Lynn said, because attackers may already be developing exploits for the vulnerabilities. Cisco's source code was reportedly stolen in 2004 and, while doing research on the IOS software, Lynn found information on a Chinese-language website that indicated to him that Chinese attackers were aware of the security flaws in IOS and could be exploiting them. ISS offers intrusion-detection products and security services to help businesses and the government protect their computer systems from attack. The company's X-Force research and development team, where Lynn worked, examines ways in which attackers can infiltrate a computer network and provides customers with information about the latest security threats. Lynn said he discussed the security vulnerabilities with his former bosses at ISS after the company asked him to reverse-engineer the Cisco operating system. Lynn said that details about the vulnerabilities were also in notes and documents that ISS lawyers seized from him in July after he presented information about the first Cisco flaw at the Black Hat security conference in Las Vegas. Although Lynn said Cisco and ISS initially approved his Black Hat presentation, the companies reversed their support hours before his talk, and sued him when he gave the presentation anyway. Many security professionals, including some who protect government and military networks, praised Lynn for disclosing the information. ISS accused Lynn of stealing trade secrets, but an FBI investigation ended with the government taking no action against the researcher. Mike Caudill, who manages Cisco's Product Security Incident Response Team, told Wired News that ISS has not told Cisco about any additional flaws that Lynn had found in Cisco's software. As head of the security team, Caudill would be the primary person with whom ISS would discuss vulnerabilities. Caudill wouldn't discuss the matter further but directed Wired News to Cisco spokesman John Noh. Noh was surprised by the news of the vulnerabilities and said his company encouraged security researchers to come to them with important information in a timely manner. "If there is legitimate information that will impact our customers, then we'd like to know about that. We'd want to be aware of anything that could impact our products and our customers," Noh said. But he also said that Cisco has a process for reporting vulnerabilities that involved working with its PSIRT team. "By working with us, it benefits everyone involved." Lynn said he sent an e-mail to Cisco's Mike Caudill last week but that he didn't go into detail about the vulnerabilities. He said it was important that ISS not sit on the information. A permanent injunction arising from Lynn's settlement of the lawsuit brought by ISS and Cisco now prevents Lynn from publicly discussing details about the original vulnerability or the new vulnerabilities other than to acknowledge their existence. "Essentially there are more bugs, and they've gagged me from telling anyone the details of what they are," Lynn said. Pete Allor, director of intelligence at ISS and a special assistant to the CEO, said he knows nothing about additional vulnerabilities in IOS and that there was no information in notes seized from Lynn discussing additional remote-control or denial-of-service flaws in Cisco's IOS. "Since I'm responsible for vulnerability disclosure, that would be something that would come to my attention, and I don't have anything that shows that we know anything about remote execution," Allor said. Allor added that ISS had theories in general about where it might investigate possible additional flaws in the Cisco system and other software, but he said many perceived flaws don't stand up under close examination. "It takes a substantive amount of research to prove that point unequivocally," Allor said. "(Until) there's no doubt in your mind that you can reproduce and show that to others, then it's nothing more than a theoretical thought." He added that once ISS determined that flaws existed, it would be the company's responsibility to work with the vendor to determine how to address the problem "so that no infrastructure network or customer would ever be at risk. It's not for the researcher to speculate and then publish speculation." Lynn disputed Allor's statements about what ISS knows about the flaws. He said he told the company's CTO as well as other members of the X-Force research team about the vulnerabilities he found. So plentiful were the bugs, he said, that it became a running joke at ISS each time he found another denial-of-service flaw. Additionally, Lynn gave ISS two notebooks filled with information about the flaws as well as pages of digital notes that he wrote while he reverse-engineered the software. "It's pretty meticulous. There's lots of notes because it's very complicated stuff," Lynn said. "I gave the most details for the ones that are the most critical -- those are all spelled out." With regard to Allor's statement suggesting that any flaws ISS found are theoretical, Lynn said, "We're not dealing with an iffy thing when I actually have the code that I'm disassembling." "At the very least," he said, "even if ISS only suspected there were flaws, you'd think they'd want to talk to Cisco about it even if they think maybe it's not true. If I'm totally wrong, great, but I have a pretty good track record on this, and you'd think they'd want to be talking to Cisco to be sure." Chris Wysopal, an independent security consultant who previously directed research and development for Atstake and Symantec, said it was a mystery why ISS would sit on such critical information. "There are no more critical vulnerabilities than the ones in routers and firewalls, since that's the fundamental basic infrastructure of the internet," said Wysopal. "A denial-of-service attack is enough (to make it critical). If you can just knock people off the net or keep the whole net down, that can be very valuable to people who want to wage some sort of cyberwar. "If I were a customer, I wouldn't be happy if the vendors I dealt with had information that could help me ... and they didn't (tell me)," Wysopal said. End of story You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.