lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 29 Mar 2004 18:10:50 -0800
From: Michael Reilly <michaelr@...co.com>
To: "Burton M. Strauss III" <security@...llNetSolutions.com>
Cc: full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com,
   Jason Dodson <mindchild@...oo.com>, "Geo." <geoincident1@...info.org>
Subject: Re: RE: Addressing Cisco Security Issues


Not to take sides in this but I ran into a similar thing with my ESP.  I 
could have easily obtained the image but I talked with my ESP.  Turns out 
they have some valid concerns about people downing an image the ESP has not 
provided.  In this case the major concern was making sure the customer got 
the correct image (there are four different ones available for my 678 and 
only one of them works with my ISP).  They were also concerned about the 
possibility of an image they haven't tested causing problems with their 
equipment/network.

I do not have the answer - just pointing out that doing the right thing 
isn't always simple.

I am not writing for Cisco - just describing my own experience.

michael
Burton M. Strauss III wrote:
> Really, your gripe is with Alltel which refused to provide it to you.
> 
> Maybe a non-Alltel e-mail account is a red flag, but they certainly should
> have been willing to provide it to the contact address they have on your
> account.  Whether electronically or via snail mail - I'm SURE they have an
> address for you so you can be billed, right???
> 
> In Cisco's defense, there are 1000s (10000s? 100000s?) of these units out
> there and most of them have ISP specific configurations.  If you apply
> generic firmware, you are going to wipe the settings - and Cisco has no way
> of knowing how the unit was configured.
> 
> Still, it would be best practices for Cisco to provide the generic firmware,
> with a document showing how to save and restore the settings.  However, they
> may not be contractually able to do so...
> 
> -----Burton
> 
> 
> 
>>I have to post this because I consider this to be a security issue in it's
>>own right.
>>
>>Recently there were a number of exploits released for cisco
>>equipment, among
>>the affected equipment were the 677 and 678 consumer DSL routers of which
>>there are millions in use.
>>
>>I have one such router, the DSL circuit is provided by Alltel and I work
> 
> for
> 
>>the ISP who provides the actual internet access.
>>
>>So upon reading recent warning notice sent to the security email lists
> 
> about
> 
>>the exploits being publicly available I went and read
>>http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says
>>any router running a version of CBOS prior to 2.4.5 (actually you need
> 
> 2.4.6
> 
>>because of later exploits) is vulnerable.
>>
>>So like a good netizen I contacted cisco TAC via telephone, gave them my
> 
> 678
> 
>>serial number and they informed me that they could not provide the
> 
> security
> 
>>update because my router is registered to alltel (alltel did provide the
>>router when I ordered the DSL circuit), please call Alltel to
>>get it. Ok so
>>then I called Alltel, who told me no problem we can email you the update
> 
> and
> 
>>asked for my email address. Except since Alltel is not the ISP I don't
> 
> have
> 
>>an alltel email address so then they won't email it to me, please contact
>>your ISP. I then informed Alltel that I AM MY ISP to which they replied
> 
> they
> 
>>still could not provide the patch and that I would have to get it from
>>Cisco.
>>
>>So then I call Cisco TAC again, this time I explain the full details of
> 
> all
> 
>>I've just been thru and the tech decides to ask someone. Comes back and
> 
> says
> 
>>if I register on the cisco website that he can open a ticket and get
> 
> someone
> 
>>to call me back on it. (I'm presently waiting for that call)
>>
>>In the mean time I decided to google for it and low and behold I found
> 
> 2.4.6
> 
>>on a website (url not posted to protect the life saving individuals who
> 
> put
> 
>>it on the web). Now of course I've no way to know if this version I just
>>found is safe or not but HELLO CISCO???
>>
>>If you are going to issue security alerts that require ISP's and consumers
>>to patch their hardware devices then you had better damn well make sure
> 
> that
> 
>>folks can actually GET THE PATCHES. It would require no effort at all to
>>post a bogus version full of back doors and whatnot on the web and after
>>seeing the nightmare it is to obtain the patch thru official channels it's
>>clear to me that this would be a very popular download.
>>
>>Geo.
>>
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
---- ---- ----
Michael Reilly    michaelr@...co.com
     Cisco Systems, Santa Cruz, CA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ