Re: Cisco IOS Exploit Cover Up

2005-07-30 Thread Suresh Ramasubramanian

On 30/07/05, Janet Sullivan [EMAIL PROTECTED] wrote:
 
> If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
> 7200s, 7600s, GSRs, etc.
 

That's like saying nobody will write Windows trojans to infect tiny
PCs, they'll go after big fat *nix servers with rootkits.

Something as simple as a default enable password :)  I wonder how many
routers out there have open telnet access and enable set to "cisco" or
"password123" :)

-- 
Suresh Ramasubramanian ([EMAIL PROTECTED])


Re: Cisco IOS Exploit Cover Up

2005-07-30 Thread Christopher L. Morrow

On Fri, 29 Jul 2005, Stephen Fulton wrote:


> Petri Helenius wrote:
>
> > Fortunately destructive worms don't usually get too wide distribution
> > because they don't survive long.
>
> That assumes that the worm must discover exploitable hosts.  What if
> those hosts have already been identified through other means previously?
> A nation, terrorist or criminal with the means could very well
> compile a relatively accurate database and use such a worm to attack
> specific targets, and those attacks need not be destructive/disruptive.

and why pray-tell would they bother with any of this complex 'remote
exploit' crap when they can send a stream of 3 Mbps at any cisco and crunch
it?

as someone said before, the 'big deal' in the talk was: "Hey, IOS is just
like every other OS, it has heap/stack overflows that you can smash and get
arbitrary code to run on."


Re: Cisco IOS Exploit Cover Up

2005-07-30 Thread Petri Helenius


Stephen Fulton wrote:

> That assumes that the worm must discover exploitable hosts.  What if
> those hosts have already been identified through other means
> previously? A nation, terrorist or criminal with the means could
> very well compile a relatively accurate database and use such a worm
> to attack specific targets, and those attacks need not be
> destructive/disruptive.


Sure, most of the people on this list would make very smart and skilled 
criminals if they would choose to pursue that path.


Pete



Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread John Forrister

On Fri, Jul 29, 2005 at 01:01:42AM +, Christopher L. Morrow wrote:
 
> > could they be unpatched because no one has sent out a notice saying
> > versions before X have known vulnerabilities.  upgrade now to one
> > of the following: ...?
>
> or... cause new IOS won't run on them.

Indeed - Cisco's hardware, especially the older, smaller boxes, tended
to be really solid once you got them running.  I was just pondering a
few minutes ago on how many 2500's I configured & installed in 1996 & 1997
are still running today, on code that's no longer supported by
Cisco, and which are incapable of taking enough flash to load a newer image.

-John


Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread David Barak



--- John Forrister [EMAIL PROTECTED] wrote:
> Indeed - Cisco's hardware, especially the older, smaller boxes, tended
> to be really solid once you got them running.  I was just pondering a
> few minutes ago on how many 2500's I configured & installed in 1996 & 1997
> are still running today, on code that's no longer supported by
> Cisco, and which are incapable of taking enough flash to load a newer image.

As a definite example, a client of mine has a 1601
sitting on the end of a T1 running 11.3...  They're
not interested in spending any money on an upgrade, as
the box is doing exactly what they want: running RIP
internally, and taking Ethernet-in and Serial-out.

-David

 



Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Scott Whyte

On 7/29/05, David Barak [EMAIL PROTECTED] wrote:
>
> --- John Forrister [EMAIL PROTECTED] wrote:
> > Indeed - Cisco's hardware, especially the older, smaller boxes, tended
> > to be really solid once you got them running.  I was just pondering a
> > few minutes ago on how many 2500's I configured & installed in 1996 & 1997
> > are still running today, on code that's no longer supported by
> > Cisco, and which are incapable of taking enough flash to load a newer image.
>
> As a definite example, a client of mine has a 1601
> sitting on the end of a T1 running 11.3...  They're
> not interested in spending any money on an upgrade, as
> the box is doing exactly what they want: running RIP
> internally, and taking Ethernet-in and Serial-out.

As a counter-point, many thousands of routers were needlessly upgraded
because of Y2K, edge to core.  It's not about reality, it's about
perception.

-Scott

 
> -David
 
 
 



RE: Cisco IOS Exploit Cover Up

2005-07-29 Thread Scott Morris

And quite honestly, we can probably be pretty safe in assuming they will not
be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or the
2500's)

But, in the advisory that Cisco put out, it did mention free software
upgrades were available even to non-contract customers.  They simply had to
originate from a call to TAC about it.  Doesn't seem too bad. 

Not everyone has to worry about these things.  Place and time.

Scott


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
David Barak
Sent: Friday, July 29, 2005 2:52 PM
To: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up




--- John Forrister [EMAIL PROTECTED] wrote:
> Indeed - Cisco's hardware, especially the older, smaller boxes, tended
> to be really solid once you got them running.  I was just pondering a
> few minutes ago on how many 2500's I configured & installed in 1996 &
> 1997 are still running today, on code that's no longer supported by
> Cisco, and which are incapable of taking enough flash to load a newer
> image.

As a definite example, a client of mine has a 1601 sitting on the end of a
T1 running 11.3...  They're not interested in spending any money on an
upgrade, as the box is doing exactly what they want: running RIP internally,
and taking Ethernet-in and Serial-out.

-David

 




RE: Cisco IOS Exploit Cover Up

2005-07-29 Thread David Barak



--- Scott Morris [EMAIL PROTECTED] wrote:

 
> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or the
> 2500's)

Let's see - RIP, Telnet, and SNMP are the only
services listening on the box, and those are ACLed off
at the serial interface.  I'd LOVE to run SSH, but my
image is not kind, nor is the size of the flash...

> Not everyone has to worry about these things.  Place
> and time.

Agreed - I just wanted to give a concrete example of
this stuff in the wild.


David Barak
Need Geek Rock?  Try The Franchise: 
http://www.listentothefranchise.com




 


Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Janet Sullivan


Scott Morris wrote:

> And quite honestly, we can probably be pretty safe in assuming they will not
> be running IPv6 (current exploit) or SNMP (older exploits) or BGP (other
> exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or the
> 2500's)

If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.

The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.

Exploit #1 will be made public.  Cisco will release fixed code.  Good
service providers will upgrade.

The upgraded code version will be the one targeted by the second,
unknown, exploit.

A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers.  A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on
each router.  Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do
something fun like erasing configs and locking out console ports. ;-)

Honestly, I've been expecting something like that to happen for years
now. <shrug>




RE: Cisco IOS Exploit Cover Up

2005-07-29 Thread Buhrmaster, Gary

The *best* exploit is the one alluded to in the presentation.
Overwrite the nvram/firmware to prevent booting (or, perhaps,
adjust the voltages to damaging levels and do a smoke test).
If you could do it to all GSR linecards, think of the RMA
costs to Cisco (not to mention the fact that Cisco could not
possibly replace all the cards in all the GSRs across the
internet in anywhere near a reasonable timeframe).  *THAT* is
what I suspect worries Cisco.  But of course I am just
conjecturing...

Gary 

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Janet Sullivan
 Sent: Friday, July 29, 2005 12:44 PM
 To: [EMAIL PROTECTED]; nanog@merit.edu
 Subject: Re: Cisco IOS Exploit Cover Up
 
 
> Scott Morris wrote:
> > And quite honestly, we can probably be pretty safe in
> > assuming they will not
> > be running IPv6 (current exploit) or SNMP (older exploits)
> > or BGP (other
> > exploits) or SSH (even other exploits) on that box.  :)
> > (the 1601 or the
> > 2500's)
 
 If a worm writer wanted to cause chaos, they wouldn't target 
 2500s, but 
 7200s, 7600s, GSRs, etc.
 
 The way I see it, all that's needed is two major exploits, 
 one known by 
 Cisco, one not.
 
> Exploit #1 will be made public.  Cisco will release fixed
> code.  Good
> service providers will upgrade.
 
 The upgraded code version will be the one targeted by the second, 
 unknown, exploit.
 
 A two-part worm can infect Windows boxen via any common 
 method, and then 
 use them to try the exploit against routers.   A windows box can find 
 routers to attack easily enough by doing traceroutes to 
 various sites. 
 Then, the windows boxen can try a limited set of exploit variants on 
 each router.  Not all routers will be affected, but some will.
 
> As for what the worm could do - well, it could report home to
> the worm
> creators that "Hey, you 0wn X number of routers", or it could do
> something fun like erasing configs and locking out console ports. ;-)
>
> Honestly, I've been expecting something like that to happen for years
> now. <shrug>
 
 


Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Petri Helenius


Buhrmaster, Gary wrote:

> The *best* exploit is the one alluded to in the presentation.
> Overwrite the nvram/firmware to prevent booting (or, perhaps,
> adjust the voltages to damaging levels and do a smoke test).
> If you could do it to all GSR linecards, think of the RMA
> costs to Cisco (not to mention the fact that Cisco could not
> possibly replace all the cards in all the GSRs across the
> internet in anywhere near a reasonable timeframe).  *THAT* is
> what I suspect worries Cisco.  But of course I am just
> conjecturing...

 

One of the more effective (software) ways is to mess up the cookies on 
the cards which tell IOS what kinds of cards they are and then reload 
the box.


Fortunately destructive worms don't usually get too wide distribution 
because they don't survive long.


Pete

> Gary
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Janet Sullivan
> > Sent: Friday, July 29, 2005 12:44 PM
> > To: [EMAIL PROTECTED]; nanog@merit.edu
> > Subject: Re: Cisco IOS Exploit Cover Up
> >
> > Scott Morris wrote:
> > > And quite honestly, we can probably be pretty safe in
> > > assuming they will not
> > > be running IPv6 (current exploit) or SNMP (older exploits)
> > > or BGP (other
> > > exploits) or SSH (even other exploits) on that box.  :)
> > > (the 1601 or the
> > > 2500's)
> >
> > If a worm writer wanted to cause chaos, they wouldn't target
> > 2500s, but
> > 7200s, 7600s, GSRs, etc.
> >
> > The way I see it, all that's needed is two major exploits,
> > one known by
> > Cisco, one not.
> >
> > Exploit #1 will be made public.  Cisco will release fixed
> > code.  Good
> > service providers will upgrade.
> >
> > The upgraded code version will be the one targeted by the second,
> > unknown, exploit.
> >
> > A two-part worm can infect Windows boxen via any common
> > method, and then
> > use them to try the exploit against routers.  A Windows box can find
> > routers to attack easily enough by doing traceroutes to
> > various sites.
> > Then, the Windows boxen can try a limited set of exploit variants on
> > each router.  Not all routers will be affected, but some will.
> >
> > As for what the worm could do - well, it could report home to
> > the worm
> > creators that "Hey, you 0wn X number of routers", or it could do
> > something fun like erasing configs and locking out console ports. ;-)
> >
> > Honestly, I've been expecting something like that to happen for years
> > now. <shrug>





RE: Cisco IOS Exploit Cover Up

2005-07-29 Thread Guru (Gurumurthy) Yeleswarapu

I just happened to see this:

Last month, a company called Internet Security Systems (ISS) issued an alert
to warn users that Cisco's VoIP offering had a security flaw that would allow
just that. According to the company, this implementation flaw in Cisco's Call
Manager, which handles call signaling and routing, could allow a buffer
overflow that would grant an intruder access to the system to listen in on
all calls routed through it.

This is one scenario described by ISS and other vendors focused on selling
technology to plug the security holes in VoIP, a method for sending voice
traffic over IP that many say was not designed with security in mind. ISS and
its competitors, which come to this new field largely from the VoIP
management and IP security markets, forecast big risks for companies that
don't take VoIP security seriously, and undoubtedly look forward to
formidable revenue streams generated by those that do.  

Guru

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janet
Sullivan
Sent: Friday, July 29, 2005 12:44 PM
To: [EMAIL PROTECTED]; nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up


Scott Morris wrote:
> And quite honestly, we can probably be pretty safe in assuming they
> will not be running IPv6 (current exploit) or SNMP (older exploits) or
> BGP (other
> exploits) or SSH (even other exploits) on that box.  :)  (the 1601 or
> the
> 2500's)

If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
7200s, 7600s, GSRs, etc.

The way I see it, all that's needed is two major exploits, one known by
Cisco, one not.

Exploit #1 will be made public.  Cisco will release fixed code.  Good
service providers will upgrade.

The upgraded code version will be the one targeted by the second, unknown,
exploit.

A two-part worm can infect Windows boxen via any common method, and then
use them to try the exploit against routers.  A Windows box can find
routers to attack easily enough by doing traceroutes to various sites.
Then, the Windows boxen can try a limited set of exploit variants on each
router.  Not all routers will be affected, but some will.

As for what the worm could do - well, it could report home to the worm
creators that "Hey, you 0wn X number of routers", or it could do something
fun like erasing configs and locking out console ports. ;-)

Honestly, I've been expecting something like that to happen for years now.
<shrug>





Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Chris Adams

Once upon a time, Janet Sullivan [EMAIL PROTECTED] said:
> If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
> 7200s, 7600s, GSRs, etc.

Right.  And if they wanted to cause chaos on computers, they'd ignore
business desktops and home computers and target large server farms.

-- 
Chris Adams [EMAIL PROTECTED]
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.


Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Valdis . Kletnieks
On Fri, 29 Jul 2005 17:26:45 CDT, Chris Adams said:
>
> Once upon a time, Janet Sullivan [EMAIL PROTECTED] said:
> > If a worm writer wanted to cause chaos, they wouldn't target 2500s, but
> > 7200s, 7600s, GSRs, etc.
>
> Right.  And if they wanted to cause chaos on computers, they'd ignore
> business desktops and home computers and target large server farms.

How many home computers did Mafiaboy DDoS?




Re: Cisco IOS Exploit Cover Up

2005-07-29 Thread Stephen Fulton


Petri Helenius wrote:

> Fortunately destructive worms don't usually get too wide distribution
> because they don't survive long.

That assumes that the worm must discover exploitable hosts.  What if
those hosts have already been identified through other means previously?
A nation, terrorist or criminal with the means could very well
compile a relatively accurate database and use such a worm to attack
specific targets, and those attacks need not be destructive/disruptive.


-- Stephen.


RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Hank Nussbacher


At 12:22 AM 28-07-05 -0400, Hannigan, Martin wrote:

> > ..and of course:
> >
> > Cisco Denies Router Vulnerability Claims
> >
> > [snip]
>
> Of course. That's how a broken vuln system works. :-)
>
> The major flaw is that the vendor decides who gets to know
> about a vulnerability.


Or 3com:
http://www.networkworld.com/news/2005/072505-3com.html

-Hank




RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Neil J. McRae


> This is looking like a complete PR disaster for cisco. They
> would have been better off allowing the talk to take place,
> and actually fixing the holes rather than wasting money on a
> small army of razorblade-equipped censors.

I couldn't disagree more. Cisco are trying to control the
situation as best they can so that they can deploy the needed
fixes before the $scriptkiddies start having their fun. It's
no different to how any other vendor handles an exploit and
I'm surprised to see network operators having such an attitude.

Regards.
Neil.



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Florian Weimer

* Neil J. McRae:

> I couldn't disagree more. Cisco are trying to control the
> situation as best they can so that they can deploy the needed
> fixes before the $scriptkiddies start having their fun. It's
> no different to how any other vendor handles an exploit and
> I'm surprised to see network operators having such an attitude.

Cisco is different in at least one regard: they only list confirmed
impact, not potential impact.  Thus many bugs get labeled as DoS
issues, which other vendors would have described as a vulnerability
which potentially enables remote code injection exploits.


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Leo Bicknell
In a message written on Thu, Jul 28, 2005 at 08:29:22AM +0100, Neil J. McRae 
wrote:
> I couldn't disagree more. Cisco are trying to control the
> situation as best they can so that they can deploy the needed
> fixes before the $scriptkiddies start having their fun. It's
> no different to how any other vendor handles an exploit and
> I'm surprised to see network operators having such an attitude.

This is not a Cisco specific comment, but it is a network operator
comment.

You change your mind when you get hit by a network wide bug taking
out all your customers, and then spend six months beating up the
gear in your own lab to reproduce the problem, and when you do the
vendor finally admits "well, we've known about the bug for 4 years,
but we were pretty sure it couldn't happen in your network so we
didn't tell you."

I'm sure the vendors find bugs, quietly fix them, the code is
naturally upgraded and nothing ever happens.  Which is a good thing.
The problem is, most of the major operators have been hit by a bug
where the vendor knew, did nothing, or at least not enough, the
operator was hit and then the vendor continued to not want to admit
the problem because of course now they look even worse for sitting
on it.

For better or for worse, right now the only check and balance to
the vendors is conferences like the Black Hat forum.  For Cisco to
send an army of razor blade toting employees to such a conference
is chilling.  I can see them working with the parties beforehand,
but to make that kind of show in public?  What is the motivation?
If this bug is, as Cisco puts it, not serious then they just spent
a lot of money on people to go do all of that for nothing.  Doesn't
seem likely.  So what everyone's spidey sense is now telling them
is "Cisco wouldn't spend thousands of dollars on legal injunctions
and armies of razor blade toters for nothing, so there must be
something to this paper."  Which makes their denial all the more
hollow.

This isn't an endorsement of the pro-disclosure crowd.  Telling
these things to the world at large in a forum like this gives the
script kiddies a leg up, as they are almost always faster than the
vendors.  These things should happen at a more measured pace, inside
normal support channels.  That said, no one likes a coverup.  Once
it's public in any form, don't try to sweep it under the rug. Doesn't
work in politics, doesn't work for vendors.  Sometimes you can get
away with it once or twice, but in the end it costs credibility,
which is something that is extremely hard and costly to earn back.

If Cisco wanted to make me feel better right now they could contact
my company via normal support channels and have a frank and open
discussion about what this paper/presentation means, and what action
if any they are taking as a result.  Somehow for what the boxes and
support costs that doesn't seem like too much to ask.  The presentation
is out there, we will get it and read it, don't pretend like we
won't.

-- 
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org




Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread James Baldwin


On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:

> I couldn't disagree more. Cisco are trying to control the
> situation as best they can so that they can deploy the needed
> fixes before the $scriptkiddies start having their fun. It's
> no different to how any other vendor handles an exploit and
> I'm surprised to see network operators having such an attitude.



That's part of the issue: this wasn't an exploit in the sense of  
something a $scriptkiddie could exploit. The sheer technical  
requirements of the exploit itself ensure that it will only be  
reproduced by a small number of people across the globe. There was no  
source or proof of concept code released and duplicating the  
information would only provide you a method to increase the severity  
of other potential exploits. It does not create any new exploits.  
Moreover, the fix for this was already released and you have not been  
able to download a vulnerable version of the software for months  
however there was no indication from Cisco regarding the severity of  
the required upgrade. That is to say, they knew in April that  
arbitrary code execution was possible on routers, they had it fixed  
by May, and we're hearing about it now and if Cisco had its way we  
might still not be hearing about it.


How many network engineers knew there was a potential problem of this
magnitude at the beginning of May? If, knock on wood, someone had
released this code into the wild then how many networks would have been
vulnerable despite the availability of a fix?


Considering that Mr. Lynn's presentation was flawless, it is
interesting to note that Cisco and ISS considered the information to
be "not quite complete". This is especially interesting since the
research was done weeks ago according to the researcher. It's surprising
that such a decision as to the incompleteness of the presentation and
the retraction of Cisco's support for the presentation were withdrawn
only several days before the talk. It would lead me to believe that
both companies had less interest in a process of disclosure and
communication and more with burying this information for a year or
more.


I agree with everyone that making attack tools and exploit
information available to the public prior to a fix being generated
with the vendor is a poor method of encouraging good security,
however that is far from the case in this matter. A fix had been
generated with the vendor and it was time for the information to
become public so network operators understood that the remote
execution empty world we had lived in until now was over.


More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2

http://securityfocus.com/news/11259






Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Jason Frisvold

On 7/27/05, Jeff Kell [EMAIL PROTECTED] wrote:
>
> Cisco's response thus far:
>
> http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html
>
> Jeff

More fuel on the fire...  Cisco and ISS are suing Lynn now...

http://news.zdnet.co.uk/internet/security/0,39020375,39211011,00.htm 


-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Eric Rescorla

James Baldwin [EMAIL PROTECTED] writes:

> On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:
>
> > I couldn't disagree more. Cisco are trying to control the
> > situation as best they can so that they can deploy the needed
> > fixes before the $scriptkiddies start having their fun. It's
> > no different to how any other vendor handles an exploit and
> > I'm surprised to see network operators having such an attitude.
>
> That's part of the issue: this wasn't an exploit in the sense of
> something a $scriptkiddie could exploit. The sheer technical
> requirements of the exploit itself ensure that it will only be
> reproduced by a small number of people across the globe. There was no
> source or proof of concept code released and duplicating the
> information would only provide you a method to increase the severity
> of other potential exploits. It does not create any new exploits.
> Moreover, the fix for this was already released and you have not been
> able to download a vulnerable version of the software for months
> however there was no indication from Cisco regarding the severity of
> the required upgrade. That is to say, they knew in April that
> arbitrary code execution was possible on routers, they had it fixed
> by May, and we're hearing about it now and if Cisco had its way we
> might still not be hearing about it.

Can you or someone else who was there or has some details describe
what the actual result is and what the fix was? Based on what I've
been reading, it sounds like Lynn's result was a method for exploiting
arbitrary new vulnerabilities. Are you saying that this method can't
be used in future IOS revs? 

Thanks,
-Ekr

[Eric Rescorla  RTFM, Inc.]


RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Scott Morris

Bear in mind though that when the M$ SQL Slammer worm hit everyone, the same
attitude existed.   The patch had been available for months.  People knew
about the vulnerability and it wasn't anything new.

And yet, look how much havoc was created there.  It's always the potential
stuff that scares people more.  While I do think it's obnoxious to try to
censor someone, on the other hand if they have proprietary internal
information somehow that they aren't supposed to have to begin with, I don't
think it is in security's best interest to commit a crime in order to get
tighter security.

Is this the technical version of civil disobedience?

Scott 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
James Baldwin
Sent: Thursday, July 28, 2005 9:24 AM
To: Neil J.McRae
Cc: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up


On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:


> I couldn't disagree more. Cisco are trying to control the situation as
> best they can so that they can deploy the needed fixes before the
> $scriptkiddies start having their fun. It's no different to how any
> other vendor handles an exploit and I'm surprised to see network
> operators having such an attitude.


That's part of the issue: this wasn't an exploit in the sense of something a
$scriptkiddie could exploit. The sheer technical requirements of the exploit
itself ensure that it will only be reproduced by a small number of people
across the globe. There was no source or proof of concept code released and
duplicating the information would only provide you a method to increase the
severity of other potential exploits. It does not create any new exploits.  
Moreover, the fix for this was already released and you have not been able
to download a vulnerable version of the software for months however there
was no indication from Cisco regarding the severity of the required upgrade.
That is to say, they knew in April that arbitrary code execution was
possible on routers, they had it fixed by May, and we're hearing about it
now and if Cisco had its way we might still not be hearing about it.

How many network engineers knew there was a potential problem of this
magnitude at the beginning of May? If, knock on wood, someone had released
this code into the wild then how many networks would have been vulnerable
despite the availability of a fix?

Considering that Mr. Lynn's presentation was flawless, it is interesting to
note that Cisco and ISS considered the information to be "not quite
complete". This is especially interesting since the research was done weeks
ago according to the researcher. It's surprising that such a decision as to the
incompleteness of the presentation and the retraction of Cisco's support for
the presentation were withdrawn only several days before the talk. It would
lead me to believe that both companies had less interest in a process of
disclosure and communication and more with burying this information for a
year or more.

I agree with everyone that making attack tools and exploit information
available to the public prior to a fix being generated with the vendor is a
poor method of encouraging good security, however that is far from the case
in this matter. A fix had been generated with the vendor and it was time
for the information to become public so network operators understood that
the remote execution empty world we had lived in until now was over.

More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259






Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Brett Frankenberger

On Thu, Jul 28, 2005 at 07:03:31AM -0700, Eric Rescorla wrote:
 
> Can you or someone else who was there or has some details describe
> what the actual result is and what the fix was? Based on what I've
> been reading, it sounds like Lynn's result was a method for exploiting
> arbitrary new vulnerabilities. Are you saying that this method can't
> be used in future IOS revs?

As nearly as I can tell from reports (I wasn't there), he (1) talked
about a general way to exploit a buffer overflow to cause arbitrary
code execution (this would apply to buffer overflows generally, but
would be completely useless if you didn't know of a buffer overflow to
exploit), and (2) demonstrated his technique using a previously known
buffer overflow vulnerability which Cisco has already patched.

So Cisco is correct in saying that he didn't identify any new
vulnerabilities, and Cisco is also correct in saying that the
vulnerability he used in his presentation to demonstrate his technique
has been patched.  However, the same technique will be useful on the
next buffer overflow vulnerability to be discovered.

 -- Brett


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Leo Bicknell
In a message written on Thu, Jul 28, 2005 at 10:14:42AM -0400, Scott Morris 
wrote:
 And yet, look how much havoc was created there.  It's always the potential
 stuff that scares people more.  While I do think it's obnoxious to try to
 censor someone, on the other hand if they have proprietary internal
 information somehow that they aren't supposed to have to begin with, I don't
 think it is in security's best interested to commit a crime in order to get
 tighter security.

We don't have all the details, so I don't know what he's accused
of doing which is illegal, however, from
http://news.zdnet.co.uk/internet/security/0,39020375,39211011,00.htm I
quote:

] The filing in US District Court for the Northern District of California
] asks the court to prevent Lynn and Black Hat from further disclosing
] proprietary information belonging to Cisco and ISS, said John Noh, a
] Cisco spokesman.
] 
] It is our belief that the information that Lynn presented at Black Hat
] this morning is information that was illegally obtained and violated our
] intellectual-property rights, Noh added.
] 
] Lynn decompiled Cisco's software for his research and by doing so
] violated the company's rights, Noh said.

I am not a lawyer, and so under the current DMCA and other laws it
may well be illegal to decompile code.

That said, it sounds rather like the technical equivalent to Ralph
Nader disassembling the Corvair to prove the suspension design
was flawed.  GM sure didn't like that any more than Cisco likes
this incident.

I don't know when we decided a program should be a black box welded
shut kept from all prying eyes, and that anyone who could run a
decompiler was instantly a criminal.  It probably all came about
from the crazy decision that software should be licensed, not sold.
We'd be in a world of hurt if anyone who figured out how to put a
lift kit on his pickup was sued by Ford for disassembling the
truck and figuring out their proprietary internal designs.  Why
is software special?

-- 
   Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - [EMAIL PROTECTED], www.tmbg.org


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Fergie (Paul Ferguson)

If I were to venture a guess (and it would be just
that, a guess), I'd say that you're probably spot on.

I wonder who's having more fun this week? The folks
at Black Hat, or the folks in The Netherlands at the
Politics of Psychedelic Research or perhaps the
Fun and Mayhem with RFID sessions at What the Hack?

 ;-)

 http://www.whatthehack.org/

- ferg

-- Brett Frankenberger [EMAIL PROTECTED] wrote:

On Thu, Jul 28, 2005 at 07:03:31AM -0700, Eric Rescorla wrote:
 
 Can you or someone else who was there or has some details describe
 what the actual result is and what the fix was? Based on what I've
 been reading, it sounds like Lynn's result was a method for exploiting
 arbitrary new vulnerabilities. Are you saying that this method can't
 be used in future IOS revs? 

As nearly as I can tell from reports (I wasn't there), he (1) talked
about a general way to exploit a buffer overflow to cause arbitrary
code execution (this would apply to buffer overflows generally, but
would be completely useless if you didn't know of a buffer overflow to
exploit), and (2) demonstrated his technique using a previously known
buffer overflow vulnerability which Cisco has already patched.

So Cisco is correct in saying that he didn't identify any new
vulnerabilities, and Cisco is also correct in saying that the
vulnerability he used in his presentation to demonstrate his technique
has been patched.  However, the same technique will be useful on the
next buffer overflow vulnerability to be discovered.

 -- Brett

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Fergie (Paul Ferguson)

One thing that bugs me, though, is the quote that is
credited to Lynn:

[snip]

I feel I had to do what's right for the country and the national 
infrastructure, he said. It has been confirmed that bad people are working on 
this (compromising IOS). The right thing to do here is to make sure that 
everyone knows that it's vulnerable.

[snip]

http://www.securityfocus.com/news/11259

Lynn's statement would tend to make one believe that this is
yet another example of a vulnerability that is awaiting an
exploit, not one that has yet to be discovered -- a sort of
Sword of Damocles, if you  will...

- ferg


-- Brett Frankenberger [EMAIL PROTECTED] wrote:

On Thu, Jul 28, 2005 at 07:03:31AM -0700, Eric Rescorla wrote:

As nearly as I can tell from reports (I wasn't there), he (1) talked
about a general way to exploit a buffer overflow to cause arbitrary
code execution (this would apply to buffer overflows generally, but
would be completely useless if you didn't know of a buffer overflow to
exploit), and (2) demonstrated his technique using a previously known
buffer overflow vulnerability which Cisco has already patched.

So Cisco is correct in saying that he didn't identify any new
vulnerabilities, and Cisco is also correct in saying that the
vulnerability he used in his presentation to demonstrate his technique
has been patched.  However, the same technique will be useful on the
next buffer overflow vulnerability to be discovered.

 -- Brett




Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Florian Weimer

 Lynn's statement would tend to make one believe that this is
 yet another example of a vulnerability that is awaiting an
 exploit, not one that has yet to be discovered -- a sort of
 Sword of Damocles, if you  will...

I think he's just pointing out that the risk assessments of many
network operators are way off.  Some postings to this list certainly
suggest that.  Too many people seem to have forgotten the work done by
Phenoelit.  Maybe their exploits leave something to be desired, but,
as the saying goes, attacks only get better.

In other words, it's not about a single vulnerability.  It's about a
widespread belief in the invincibility of IOS.  And, to be honest, I'm
scared how many people subscribe to that religion.  Such irrationality
puts networks at risk, far more than any single vulnerability could.


RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Buhrmaster, Gary

The video *might* be available on the Washington Post later today.

From http://netsec.blogspot.com/

  Michael Lynn's The Holy Grail: Cisco Shellcode and Remote Execution 
  presentation blew the doors off of Caesar's Palace Today with a full 
  shell code exec capabilities for nearly ANY Cisco vulnerability. If 
  your organization hasn't updated any Cisco IOS-based devices lately, 
  the devices may be under someone else's control.

  The story from Michael Lynn proceeds like this: He discovered clues 
  that there was an issue being exploited when reading translated 
  Chinese hacker sites that alluded to the issue. It was likely 
  discovered after the theft of the Cisco Source code in May 2004 
  which was itself part of a larger series of intrusions. Upon further 
  research leading to the development of working proof-of-concept code, 
  he and his former employer ISS notified Cisco. Cisco patched the 
  issue silently in April but never issued an advisory as to the 
  seriousness of the issue. Cisco has since pulled all older, vulnerable 
  versions of IOS from its web site. After discovering that ISS was 
  allowing Lynn to present on the issue, Cisco CEO John Chambers attempted 
  to censor the issue. When ISS stood its ground, John Chambers 
  requested that the US Government intervene as a matter of national 
  security to no apparent avail.

  The popular press is starting to pick up on the issue now and I hear 
  rumour that Michael's presentation MIGHT be made available in video 
  via the Washington Post web site tomorrow.

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Network Fortius
 Sent: Wednesday, July 27, 2005 6:39 PM
 To: nanog@merit.edu
 Subject: Re: Cisco IOS Exploit Cover Up
 
 
 I have been searching the net since this morning, for The Holy Grail:
 Cisco IOS Shellcode Remote Execution, or variations of such.
 This seems to be - at the moment - the most sought after torrent ...
 
 Stef
 Network Fortius, LLC
 
 On Jul 27, 2005, at 8:13 PM, Daniel Golding wrote:
 
 
 
  Since the talk was actually delivered - does anyone have a  
  transcript or a
  torrent for audio/video?
 
  - Dan
 
  On 7/27/05 8:10 PM, Jeff Kell [EMAIL PROTECTED] wrote:
 
 
 
  Cisco's response thus far:
 
 http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html
 
  Jeff


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Christopher L. Morrow

On Thu, 28 Jul 2005, Leo Bicknell wrote:

 In a message written on Thu, Jul 28, 2005 at 08:29:22AM +0100, Neil J. McRae 
 wrote:
  I couldn't disagree more. Cisco are trying to control the
  situation as best they can so that they can deploy the needed
  fixes before the $scriptkiddies start having their fun. It's
  no different to how any other vendor handles an exploit and
  I'm surprised to see network operators having such an attitude.

 This is not a Cisco specific comment, but it is a network operator
 comment.
  --snip---
 but to make that kind of show in public?  What is the motivation?
 If this bug is, as Cisco puts it, not serious then they just spent
 a lot of money on people to go do all of that for nothing.  Doesn't
 seem likely.  So what everyone's spidey sense is now telling them
 is Cisco wouldn't spend thousands of dollars on legal injunctions
 and armies of razor blade toters for nothing, so there must be
 something to this paper.  Which makes their denial all the more
 hollow.


There is the possibility that cisco, in this case, knows that they have a
significant base of folks that 'never upgrade' devices. I know of several
thousand 2500's with 11.x code on them, which will NEVER be upgraded...
So, the potential for Neil's network or Leo's or Martin's to be vulnerable
to something patched in 12.0.x.y.z code train 9 months ago isn't there.
That's a good thing for them, it doesn't address the thousands, or
hundreds of thousands of devices which never get upgraded and still
connect to Neil/Martin/Leo's networks as CPE or cpe to cpe... These
devices could still cause some pain to the networks in question.

(all this without seeing the talk of course... perhaps he said: push
button yellow and router go boom. I don't know.)


RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Geo.

I think he's just pointing out that the risk assessments of many
network operators are way off.

I think there is also a LOT of concern about all the unpatched routers that
remain unpatched simply because the admins don't feel like spending a week
running the cisco gauntlet to get patches when you don't have a support
contract with cisco. It's like cisco doesn't want you to patch or they would
make it easy.

Geo.



RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Buhrmaster, Gary

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of James Baldwin
 Sent: Thursday, July 28, 2005 10:36 AM
 To: [EMAIL PROTECTED]
 Cc: nanog@merit.edu
 Subject: Re: Cisco IOS Exploit Cover Up

 Lynn developed this information based on publicly available IOS  
 images. 

Well, there is this long legal license agreement you have to
click to agree to before you download the images (and I think
it is included with the hardware you unpack too).  In there
somewhere you do agree not to reverse engineer the images
(I actually read it all once a long time ago).  As to whether
that is enforceable, that is for a court to decide.

 There were no illegal acts committed in gaining this  
 information nor was any proprietary information provided for its  
 development. Reverse engineering, specifically for security testing  
 has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/ 
 DVD/1201.html).

As I understand it, it is still unsettled case law as to how that
clause should be interpreted.  It is generally considered a good
idea to avoid being the test case for such lawsuits (unless you
have deep pockets to afford the best lawyers money can buy, or
at least better than what your opposition can buy).
 
 That being said, what information is he not supposed to have?
 All the information he had is available to anyone with a
 disassembler, an IOS image, and an understanding of PPC assembly.

Perhaps, as in at least some companies' interpretations
of the DMCA, these are the software equivalent of the crime of
possession of burglary tools?

The US legal system is not as clean nor clear as one
might like to hope.  But the process will be followed,
and we will see what happens.  And if the result is
bad, we can change the laws.

Gary


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Jason Frisvold

On 7/28/05, Leo Bicknell [EMAIL PROTECTED] wrote:
 I am not a lawyer, and so under the current DMCA and other laws it
 may well be illegal to decompile code.

I'm sure all the script kiddies and real hackers out there will be
sure to obey the law..  This is the bit of the DMCA I have a huge
issue with..  Hackers and others engaging in illegal activities will
have no trouble breaking the law and decompiling code looking for
exploits.  But, if a researcher does it, they get slapped with a
lawsuit..  The difference being, the researcher is (usually) doing it
to help identify problems and increase security..  There should be
some safe harbor here..
 
 That said, it sounds rather like the technical equivalent to Ralph
 Nader disassembling the Corvair to prove the suspension design
 was flawed.  GM sure didn't like that any more than Cisco likes
 this incident.

To prove a flaw..  This is a great example.  Nader wasn't stealing
technology, nor was he interested in exploiting the flaw..  He was
proving that it was unsafe, thus providing the vendor with vital
information on how it was flawed..  Hopefully the vendor takes that
information and fixes the flaw..

 I don't know when we decided a program should be a black box welded
 shut kept from all prying eyes, and that anyone who could run a
 decompiler was instantly a criminal.  It probably all came about
 from the crazy decision that software should be licensed, not sold.
 We'd be in a world of hurt if anyone who figured out how to put a
 lift kit on his pickup was sued by Ford for disassembling the
 truck and figuring out their proprietary internal designs.  Why
 is software special?

Good point..  :)  What about my house?  Can I no longer modify my
kitchen at the whim of my wife because I didn't build the house,
someone else did?  I purchased the home, although it's still
mortgaged...  So that's even worse..  I don't even really own it..  :)
 Crap..  anyone know a good lawyer?  :)

 --
Leo Bicknell - [EMAIL PROTECTED] - CCIE 3440
 PGP keys at http://www.ufp.org/~bicknell/
 Read TMBG List - [EMAIL PROTECTED], www.tmbg.org

-- 
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Hyunseog Ryu

I'm wondering whether Cisco released a security advisory for this fix or not.
According to several articles, Cisco implemented the fix around April.
But I don't recall seeing any security advisory recommending that Cisco
users upgrade IOS.
Between April and July, Cisco may have had enough time for their account
team to contact the customers and do something about it other than sending
people to tear out the conference material.
I don't know what happened between ISS, Black Hat, and Cisco, and I
don't know how long Cisco knew about this before the Black Hat conference.
But tearing one session's material out of the conference material is not
common, and it has already caught a lot of public attention, which may not
have been needed.

From some of the articles, this guy got the clue from a Chinese website, so
it may already be known to the underground community.

Buhrmaster, Gary wrote:

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
Behalf Of James Baldwin

Sent: Thursday, July 28, 2005 10:36 AM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Cisco IOS Exploit Cover Up



Lynn developed this information based on publicly available IOS
images.

Well, there is this long legal license agreement you have to
click to agree to before you download the images (and I think
it is included with the hardware you unpack too).  In there
somewhere you do agree not to reverse engineer the images
(I actually read it all once a long time ago).  As to whether
that is enforceable, that is for a court to decide.

There were no illegal acts committed in gaining this
information nor was any proprietary information provided for its
development. Reverse engineering, specifically for security testing,
has an exemption from the DMCA (http://cyber.law.harvard.edu/openlaw/DVD/1201.html).

As I understand it, it is still unsettled case law as to how that
clause should be interpreted.  It is generally considered a good
idea to avoid being the test case for such lawsuits (unless you
have deep pockets to afford the best lawyers money can buy, or
at least better than what your opposition can buy).

That being said, what information is he not supposed to have?
All the information he had is available to anyone with a
disassembler, an IOS image, and an understanding of PPC assembly.

Perhaps, as in at least some companies' interpretations
of the DMCA, these are the software equivalent of the crime of
possession of burglary tools?

The US legal system is not as clean nor clear as one
might like to hope.  But the process will be followed,
and we will see what happens.  And if the result is
bad, we can change the laws.

Gary

Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Stephen Sprunk


Thus spake James Baldwin [EMAIL PROTECTED]
Moreover, the fix for this was already released and you have not been
able to download a vulnerable version of the software for months; however
there was no indication from Cisco regarding the severity of the required
upgrade. That is to say, they knew in April that arbitrary code execution
was possible on routers, they had it fixed by May, and we're hearing
about it now, and if Cisco had its way we might still not be hearing about
it.

Cisco's policy, as best I can tell, is that they patch security holes 
immediately but delay notification until either (a) six months pass, or (b) 
an exploit is seen in the wild.  The former is intended to give customers 
ample time to upgrade to patched versions (often without their knowledge) 
without tipping their hand to the bad guys.  However, a CERT advisory is 
prepared and ready for immediate distribution if the latter occurs.

How many network engineers knew there was a potential problem of
this magnitude at the beginning of May? If, knock on wood, someone
had released this code into the wild, then how many networks would
have been vulnerable despite the availability of a fix?

There are network engineers that knew, but they couldn't admit it due to 
NDAs.  This is one of the benefits of buying high touch support 
contracts -- and Cisco is not alone in that model.

S

Stephen Sprunk  Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do.
K5SSS --Isaac Asimov 



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Dan Hollis

On Thu, 28 Jul 2005, Jason Frisvold wrote:
 On 7/27/05, Jeff Kell [EMAIL PROTECTED] wrote:
  Cisco's response thus far:
 
  http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html
 More fuel on the fire...  Cisco and ISS are suing Lynn now...
 http://news.zdnet.co.uk/internet/security/0,39020375,39211011,00.htm 

Not the first time Cisco has had a highly questionable attitude toward 
security issues, even recently: http://kerneltrap.org/node/5382
(cisco, lawyers, and patents).

Is this the start of a new pattern of behavior for cisco, or just more of 
the same?

-Dan



RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Randy Bush

 I think there is also a LOT of concern about all the unpatched routers that
 remain unpatched simply because the admins don't feel like spending a week
 running the cisco gauntlet to get patches when you don't have a support
 contract with cisco. It's like cisco doesn't want you to patch or they would
 make it easy.

could they be unpatched because no one has sent out a notice saying
versions before X have known vulnerabilities.  upgrade now to one
of the following: ...?

randy



RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread John A. Kilpatrick

On Fri, 29 Jul 2005, Randy Bush wrote:

 could they be unpatched because no one has sent out a notice saying
 versions before X have known vulnerabilities.  upgrade now to one
 of the following: ...?

It's interesting...yes, I do make fun of my Windows brethren about their
security problems, but the fact is they have it pretty easy since you know
when MS security patches are coming out and you know when you'll have to
patch your servers.  But Cisco doesn't seem to make it that easy to keep a
large environment of their devices up to date.  Some better tools from
them would be good - even for those of us who do have support contracts.

-- 
   John A. Kilpatrick
[EMAIL PROTECTED]Email| http://www.hypergeek.net/
[EMAIL PROTECTED]  Text pages|  ICQ: 19147504
 remember:  no obstacles/only challenges



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread James Baldwin


I spoke with people with Lynn in Vegas and confirmed the following,  
if anyone is watching the AP wire or Forbes you'll see that Cisco, et  
al. and Lynn have settled the suit.


http://www.forbes.com/business/feeds/ap/2005/07/28/ap2163964.html



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread Randy Bush

 I spoke with people with Lynn in Vegas and confirmed the following,  
 if anyone is watching the AP wire or Forbes you'll see that Cisco, et  
 al. and Lynn have settled the suit.

i missed the part where we, the likely actual injured parties, learn
to what we are vulnerable and how to protect ourselves.

randy



Re: Cisco IOS Exploit Cover Up

2005-07-28 Thread James Baldwin


On Jul 28, 2005, at 8:40 PM, Randy Bush wrote:

I spoke with people with Lynn in Vegas and confirmed the following,
if anyone is watching the AP wire or Forbes you'll see that Cisco, et
al. and Lynn have settled the suit.

i missed the part where we, the likely actual injured parties, learn
to what we are vulnerable and how to protect ourselves.

I would direct you to your account manager at Cisco. ;)


RE: Cisco IOS Exploit Cover Up

2005-07-28 Thread Christopher L. Morrow


On Fri, 29 Jul 2005, Randy Bush wrote:


  I think there is also a LOT of concern about all the unpatched routers that
  remain unpatched simply because the admins don't feel like spending a week
  running the cisco gauntlet to get patches when you don't have a support
  contract with cisco. It's like cisco doesn't want you to patch or they would
  make it easy.

 could they be unpatched because no one has sent out a notice saying
 versions before X have known vulnerabilities.  upgrade now to one
 of the following: ...?
or... cause new IOS won't run on them.
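Randy's "versions before X have known vulnerabilities" note, Geo's unpatched routers and Chris's boxes that cannot run newer IOS all come down to the same operator need: a quick way to tell which devices in an inventory are below the fixed release for their code train and which have no fixed release at all. Here is an added example of such a check in Python (not code from the thread or from Cisco); the inventory lines and the FIXED_RELEASES table are constructed placeholders, and the real fixed versions would come from the vendor's advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# An IOS release string has the shape major.minor(maintenance)TRAINrebuild,
# e.g. "12.0(21)S4", "12.2(33)SXI4" or mainline "12.2(26)". Interim letters
# such as 12.0(21a) are accepted but not ranked.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)[a-z]?$")


@dataclass(frozen=True)
class IosVersion:
    major: int
    minor: int
    maint: int
    train: str       # "" for a mainline release
    rebuild: int     # 0 when no rebuild number is present

    @property
    def release(self) -> str:
        return f"{self.major}.{self.minor}"

    def key(self) -> Tuple[int, int, int, int]:
        """Ordering within one (release, train): maintenance, then rebuild."""
        return (self.major, self.minor, self.maint, self.rebuild)


def parse_ios_version(text: str) -> Optional[IosVersion]:
    """Parse a 'show version' style release string; None if it is not one."""
    m = _VER_RE.match(text.strip())
    if m is None:
        return None
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train,
                      int(rebuild) if rebuild else 0)


# Constructed placeholder table: first fixed build per (release, train).
# In real use this is filled from the vendor advisory, never guessed.
FIXED_RELEASES: Dict[Tuple[str, str], str] = {
    ("12.0", "S"): "12.0(28)S",
    ("12.2", ""): "12.2(26)",
    ("12.3", "T"): "12.3(11)T",
}


def classify(version_text: str,
             fixed: Dict[Tuple[str, str], str] = FIXED_RELEASES) -> str:
    """Return 'fixed', 'exposed', 'no-fixed-release' or 'unparseable'."""
    v = parse_ios_version(version_text)
    if v is None:
        return "unparseable"
    fixed_text = fixed.get((v.release, v.train))
    if fixed_text is None:
        # No fixed build exists for this train (the 11.x code on old 2500s
        # in the thread): this needs a platform decision, not an upgrade.
        return "no-fixed-release"
    return "fixed" if v.key() >= parse_ios_version(fixed_text).key() else "exposed"


def audit_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Group hostnames by status. Each line is 'hostname, platform, version'
    (a constructed inventory format); comments and blank lines are skipped."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            report.setdefault("unparseable", []).append(line)
            continue
        host, _platform, version = parts
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory; hostnames and platforms are not real devices.
SAMPLE_INVENTORY = [
    "# host, platform, running IOS",
    "core1, 7206, 12.0(28)S2",
    "core2, 7206, 12.0(21)S4",
    "dist1, 3640, 12.2(26)",
    "cpe-17, 2501, 11.2(26)",
    "lab3, 2611, 12.3(4)T11",
    "lab4, 2611, 12.3(11)T",
]

if __name__ == "__main__":
    for status, hosts in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(f"{status:17s} {', '.join(hosts)}")
```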


RE: Cisco IOS Exploit Cover Up

2005-07-27 Thread Hannigan, Martin


 
 
 For those who like to keep abreast of security issues, there are  
 interesting developments happening at BlackHat with regards to Cisco  
 IOS and its vulnerability to arbitrary code executions.
 
 I apologize for the article itself being brief and lean on technical  
 details, but allow me to say that it does represent a real problem  
 (as in practical and confirmed):
 
 http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html
 


Yes, practical _and_ confirmed, but you'll never get $vendor to 
admit it, which is the problem to begin with.

-M



Re: Cisco IOS Exploit Cover Up

2005-07-27 Thread James Baldwin


On Jul 27, 2005, at 1:26 PM, James Baldwin wrote:


http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html




Further information:
http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=166403096




RE: Cisco IOS Exploit Cover Up

2005-07-27 Thread Fergie (Paul Ferguson)


For what it's worth, this story is running in the
popular trade press:

Cisco nixes conference session on hacking IOS router code
http://www.networkworld.com/news/2005/072705-cisco-ios.html

- ferg


-- Hannigan, Martin [EMAIL PROTECTED] wrote:

 
 For those who like to keep abreast of security issues, there are  
 interesting developments happening at BlackHat with regards to Cisco  
 IOS and its vulnerability to arbitrary code executions.
 
 I apologize for the article itself being brief and lean on technical  
 details, but allow me to say that it does represent a real problem  
 (as in practical and confirmed):
 
 http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html
 


Yes, practical _and_ confirmed, but you'll never get $vendor to 
admit it, which is the problem to begin with.

-M

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Cisco IOS Exploit Cover Up

2005-07-27 Thread Andre Ludwig

Damn he sure did cause a shit storm AGAIN..

from the crn article it looks like they might have him pinned on an
NDA violation.. (taking a shot in the dark)

quote below.

Cisco respects and encourages the work of independent research
scientists; however, we follow an industry established disclosure
process for communicating to our customers and partners, the company
said in a statement released Wednesday. It is especially regretful,
and indefensible, that the Black Hat Conference organizers have given
Mr. Lynn a platform to publicly disseminate the information he
illegally obtained.


Which I find funny because I know that for years people have been
beating up on him for more info into the cisco wireless cards that he
had access to under NDA.  He never once budged from what I know of and
heard.

Damn, guess we will have to wait and see what happens; too bad I missed the talk.



On 7/27/05, Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:
 
 
 For what it's worth, this story is running in the
 popular trade press:
 
 Cisco nixes conference session on hacking IOS router code
 http://www.networkworld.com/news/2005/072705-cisco-ios.html
 
 - ferg
 
 
 -- Hannigan, Martin [EMAIL PROTECTED] wrote:
 
 
  For those who like to keep abreast of security issues, there are
  interesting developments happening at BlackHat with regards to Cisco
  IOS and its vulnerability to arbitrary code executions.
 
  I apologize for the article itself being brief and lean on technical
  details, but allow me to say that it does represent a real problem
  (as in practical and confirmed):
 
  http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html
 
 
 
 Yes, practical _and_ confirmed, but you'll never get $vendor to
 admit it, which is the problem to begin with.
 
 
 -M
 
 --
 Fergie, a.k.a. Paul Ferguson
  Engineering Architecture for the Internet
  [EMAIL PROTECTED] or [EMAIL PROTECTED]
  ferg's tech blog: http://fergdawg.blogspot.com/



RE: Cisco IOS Exploit Cover Up

2005-07-27 Thread Fergie (Paul Ferguson)


...and Wired News is running this story:

Cisco Security Hole a Whopper

Excerpt:

[snip]

A bug discovered in an operating system that runs the majority of the world's 
computer networks would, if exploited, allow an attacker to bring down the 
nation's critical infrastructure, a computer security researcher said Wednesday 
against threat of a lawsuit. 

Michael Lynn, a former research analyst with Internet Security Solutions, quit 
his job at ISS Tuesday morning before disclosing the flaw at Black Hat 
Briefings, a conference for computer security professionals held annually here. 

[snip]

http://www.wired.com/news/privacy/0,1848,68328,00.html

- ferg

-- Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:


For what it's worth, this story is running in the
popular trade press:

Cisco nixes conference session on hacking IOS router code
http://www.networkworld.com/news/2005/072705-cisco-ios.html

- ferg


-- Hannigan, Martin [EMAIL PROTECTED] wrote:

 
 For those who like to keep abreast of security issues, there are  
 interesting developments happening at BlackHat with regards to Cisco  
 IOS and its vulnerability to arbitrary code executions.
 
 I apologize for the article itself being brief and lean on technical  
 details, but allow me to say that it does represent a real problem  
 (as in practical and confirmed):
 
 http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html
 


Yes, practical _and_ confirmed, but you'll never get $vendor to 
admit it, which is the problem to begin with.

-M

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


RE: Cisco IOS Exploit Cover Up

2005-07-27 Thread Fergie (Paul Ferguson)


..and of course:

Cisco Denies Router Vulnerability Claims

[snip]

Cisco Systems is downplaying a news story that suggests new security flaws may 
have been discovered in some of its routers.

[snip]

http://www.varbusiness.com/components/weblogs/article.jhtml?articleId=166403151

So, until the _facts_ come out, this appears to be spin vs. spin
(a play on spy v. spy, for all you Alfred E. Neuman fans)...

- ferg

-- Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:


...and Wired News is running this story:

Cisco Security Hole a Whopper

Excerpt:

[snip]

A bug discovered in an operating system that runs the majority of the world's 
computer networks would, if exploited, allow an attacker to bring down the 
nation's critical infrastructure, a computer security researcher said Wednesday 
against threat of a lawsuit. 

Michael Lynn, a former research analyst with Internet Security Solutions, quit 
his job at ISS Tuesday morning before disclosing the flaw at Black Hat 
Briefings, a conference for computer security professionals held annually here. 

[snip]

http://www.wired.com/news/privacy/0,1848,68328,00.html

- ferg

-- Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:


For what it's worth, this story is running in the
popular trade press:

Cisco nixes conference session on hacking IOS router code
http://www.networkworld.com/news/2005/072705-cisco-ios.html

- ferg


-- Hannigan, Martin [EMAIL PROTECTED] wrote:

 
 For those who like to keep abreast of security issues, there are  
 interesting developments happening at BlackHat with regards to Cisco  
 IOS and its vulnerability to arbitrary code executions.
 
 I apologize for the article itself being brief and lean on technical  
 details, but allow me to say that it does represent a real problem  
 (as in practical and confirmed):
 
 http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html
 


Yes, practical _and_ confirmed, but you'll never get $vendor to 
admit it, which is the problem to begin with.

-M

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: Cisco IOS Exploit Cover Up

2005-07-27 Thread Gordon Cook


and talk about closing the barn door after the horse has escaped!??
Haven't they just turned those 15 pages scanned as a pdf and
distributed over a p2p file sharing system like bit torrent into
likely one of the most sought after documents on the planet?

How long before they show up there?  If they aren't there already.
=
The COOK Report on Internet Protocol, 431 Greenway Ave, Ewing, NJ 08618 USA
609 882-2572 (PSTN) 415 651-4147 (Lingo) [EMAIL PROTECTED]
Subscription info: http://cookreport.com/subscriptions.shtml
New report: The Only Sustainable Edge vs The Oligopoly at: http://cookreport.com/14.06.shtml
=



On Jul 27, 2005, at 11:50 PM, Fergie (Paul Ferguson) wrote:




...and Wired News is running this story:

Cisco Security Hole a Whopper

Excerpt:

[snip]

A bug discovered in an operating system that runs the majority of  
the world's computer networks would, if exploited, allow an  
attacker to bring down the nation's critical infrastructure, a  
computer security researcher said Wednesday against threat of a  
lawsuit.


Michael Lynn, a former research analyst with Internet Security  
Solutions, quit his job at ISS Tuesday morning before disclosing  
the flaw at Black Hat Briefings, a conference for computer security  
professionals held annually here.


[snip]

http://www.wired.com/news/privacy/0,1848,68328,00.html

- ferg

-- Fergie (Paul Ferguson) [EMAIL PROTECTED] wrote:


For what it's worth, this story is running in the
popular trade press:

Cisco nixes conference session on hacking IOS router code
http://www.networkworld.com/news/2005/072705-cisco-ios.html

- ferg


-- Hannigan, Martin [EMAIL PROTECTED] wrote:




For those who like to keep abreast of security issues, there are
interesting developments happening at BlackHat with regards to Cisco
IOS and its vulnerability to arbitrary code executions.

I apologize for the article itself being brief and lean on technical
details, but allow me to say that it does represent a real problem
(as in practical and confirmed):

http://blogs.washingtonpost.com/securityfix/2005/07/mending_a_hole_.html





Yes, practical _and_ confirmed, but you'll never get $vendor to
admit it, which is the problem to begin with.


-M

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 [EMAIL PROTECTED] or [EMAIL PROTECTED]
 ferg's tech blog: http://fergdawg.blogspot.com/


Re: Cisco IOS Exploit Cover Up

2005-07-27 Thread Jeff Kell


Cisco's response thus far:

  http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html

Jeff


Re: Cisco IOS Exploit Cover Up

2005-07-27 Thread Daniel Golding


Since the talk was actually delivered - does anyone have a transcript or a
torrent for audio/video?

- Dan

On 7/27/05 8:10 PM, Jeff Kell [EMAIL PROTECTED] wrote:

 
 Cisco's response thus far:
 
http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html
 
 Jeff





Re: Cisco IOS Exploit Cover Up

2005-07-27 Thread Network Fortius


I have been searching the net since this morning, for "The Holy
Grail: Cisco IOS Shellcode Remote Execution", or variations of such.
This seems to be - at the moment - the most sought after torrent ...


Stef
Network Fortius, LLC

On Jul 27, 2005, at 8:13 PM, Daniel Golding wrote:




Since the talk was actually delivered - does anyone have a transcript or a
torrent for audio/video?

- Dan

On 7/27/05 8:10 PM, Jeff Kell [EMAIL PROTECTED] wrote:




Cisco's response thus far:

   http://www.cisco.com/en/US/about/security/intelligence/MySDN_CiscoIOS.html


Jeff



RE: Cisco IOS Exploit Cover Up

2005-07-27 Thread Hannigan, Martin


 ..and of course:
 
 Cisco Denies Router Vulnerability Claims
 
 [snip]


Of course. That's how a broken vuln system works. :-)

The major flaw is that the vendor decides who gets to know
about a vulnerability. This causes an insecurity in the system
because $vendor is dealing with people usually more qualified than
themselves to make a decision on who needs to know and make one
independent of revenue.

$vendor is probably not the best person to decide who
gets on the secret-15 lists et al.

-M