Firm Allegedly Hiding Cisco Bugs
By Kim Zetter

Story location:,1282,69762,00.html

02:00 AM Dec. 06, 2005 PT

The computer security researcher who revealed a serious vulnerability in the
operating system for Cisco Systems routers this year says he discovered 15
additional flaws in the software that have gone unreported until now, one of
which is more serious than the bug he made public last summer.

Mike Lynn, a former security researcher with Internet Security Systems, or
ISS, said three of the flaws can give an attacker remote control of Cisco's
routing and gateway hardware, essentially allowing an intruder to run
malicious code on the hardware. The most serious of the three would affect
nearly every configuration of a Cisco router, he said.

"That's the one that really scares me," Lynn said, noting that the bug he
revealed in July only affected routers configured in certain ways or with
certain features. The new one, he said, "is in a piece of code that is so
critical to the system that just about every configuration will have it.
It's more part of the core code and less of a feature set," Lynn said.

Like the earlier bug, the more serious of the new bugs is in Cisco's
Internet Operating System, or IOS, said Lynn. Another dozen unpublished
vulnerabilities can allow someone to conduct a denial-of-service attack
against the router, crashing it over the internet, he said.

Lynn, who now works for Cisco competitor Juniper Networks, told Wired News
that ISS has known about additional flaws in the Cisco software for months
but hasn't told Cisco about them. This is serious, Lynn said, because
attackers may already be developing exploits for the vulnerabilities.
Cisco's source code was reportedly stolen in 2004 and, while doing research
on the IOS software, Lynn found information on a Chinese-language website
that indicated to him that Chinese attackers were aware of the security
flaws in IOS and could be exploiting them.

ISS offers intrusion-detection products and security services to help
businesses and the government protect their computer systems from attack.
The company's X-Force research and development team, where Lynn worked,
examines ways in which attackers can infiltrate a computer network and
provides customers with information about the latest security threats.

Lynn said he discussed the security vulnerabilities with his former bosses
at ISS after the company asked him to reverse-engineer the Cisco operating

Lynn said that details about the vulnerabilities were also in notes and
documents that ISS lawyers seized from him in July after he presented
information about the first Cisco flaw at the Black Hat security conference
in Las Vegas. Although Lynn said Cisco and ISS initially approved his Black
Hat presentation, the companies reversed their support hours before his
talk, and sued him when he gave the presentation anyway. Many security
professionals, including some who protect government and military networks,
praised Lynn for disclosing the information. ISS accused Lynn of stealing
trade secrets, but an FBI investigation ended with the government taking no
action against the researcher.

Mike Caudill, who manages Cisco's Product Security Incident Response Team,
told Wired News that ISS has not told Cisco about any additional flaws that
Lynn had found in Cisco's software. As head of the security team, Caudill
would be the primary person with whom ISS would discuss vulnerabilities.
Caudill wouldn't discuss the matter further but directed Wired News to Cisco
spokesman John Noh. Noh was surprised by the news of the vulnerabilities and
said his company encouraged security researchers to come to them with
important information in a timely manner.

"If there is legitimate information that will impact our customers, then
we'd like to know about that. We'd want to be aware of anything that could
impact our products and our customers," Noh said. But he also said that
Cisco has a process for reporting vulnerabilities that involved working with
its PSIRT team. "By working with us, it benefits everyone involved."

Lynn said he sent an e-mail to Cisco's Mike Caudill last week but that he
didn't go into detail about the vulnerabilities. He said it was important
that ISS not sit on the information.

A permanent injunction arising from Lynn's settlement of the lawsuit brought
by ISS and Cisco now prevents Lynn from publicly discussing details about
the original vulnerability or the new vulnerabilities other than to
acknowledge their existence.

"Essentially there are more bugs, and they've gagged me from telling anyone
the details of what they are," Lynn said.

Pete Allor, director of intelligence at ISS and a special assistant to the
CEO, said he knows nothing about additional vulnerabilities in IOS and that
there was no information in notes seized from Lynn discussing additional
remote-control or denial-of-service flaws in Cisco's IOS.

"Since I'm responsible for vulnerability disclosure, that would be something
that would come to my attention, and I don't have anything that shows that
we know anything about remote execution," Allor said.

Allor added that ISS had theories in general about where it might
investigate possible additional flaws in the Cisco system and other
software, but he said many perceived flaws don't stand up under close
examination. "It takes a substantive amount of research to prove that point
unequivocally," Allor said. "(Until) there's no doubt in your mind that you
can reproduce and show that to others, then it's nothing more than a
theoretical thought."

He added that once ISS determined that flaws existed, it would be the
company's responsibility to work with the vendor to determine how to address
the problem "so that no infrastructure network or customer would ever be at
risk. It's not for the researcher to speculate and then publish

Lynn disputed Allor's statements about what ISS knows about the flaws. He
said he told the company's CTO as well as other members of the X-Force
research team about the vulnerabilities he found. So plentiful were the
bugs, he said, that it became a running joke at ISS each time he found
another denial-of-service flaw.

Additionally, Lynn gave ISS two notebooks filled with information about the
flaws as well as pages of digital notes that he wrote while he
reverse-engineered the software.

"It's pretty meticulous. There's lots of notes because it's very complicated
stuff," Lynn said. "I gave the most details for the ones that are the most
critical -- those are all spelled out."

With regard to Allor's statement suggesting that any flaws ISS found are
theoretical, Lynn said, "We're not dealing with an iffy thing when I
actually have the code that I'm disassembling."

"At the very least," he said, "even if ISS only suspected there were flaws,
you'd think they'd want to talk to Cisco about it even if they think maybe
it's not true. If I'm totally wrong, great, but I have a pretty good track
record on this, and you'd think they'd want to be talking to Cisco to be

Chris Wysopal, an independent security consultant who previously directed
research and development for Atstake and Symantec, said it was a mystery why
ISS would sit on such critical information.

"There are no more critical vulnerabilities than the ones in routers and
firewalls, since that's the fundamental basic infrastructure of the
internet," said Wysopal. "A denial-of-service attack is enough (to make it
critical). If you can just knock people off the net or keep the whole net
down, that can be very valuable to people who want to wage some sort of

"If I were a customer, I wouldn't be happy if the vendors I dealt with had
information that could help me ... and they didn't (tell me)," Wysopal said.

End of story

You are a subscribed member of the infowarrior list. Visit for list information or to unsubscribe. This message 
may be redistributed freely in its entirety. Any and all copyrights 
appearing in list messages are maintained by their respective owners.

Reply via email to