lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040329193538.83651.qmail@web60607.mail.yahoo.com>
Date: Mon, 29 Mar 2004 11:35:38 -0800 (PST)
From: Jason Dodson <mindchild@...oo.com>
To: "Geo." <geoincident1@...info.org>,
	full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Re: Addressing Cisco Security Issues


I have had a similar run-around with AT&T Broadband and Sprint a while back, pertaining to a DoS
attack my organization was experiencing. Not to dive into details, to resolve the issue, I got
them both on the line in a 3-way conversation, and it was taken care of in less then 5 minutes.
They didn't seem to eager to shrug off the responsibility to someone else, when that someone else
was right there on the phone.

Jason Dodson

--- "Geo." <geoincident1@...info.org> wrote:
> I have to post this because I consider this to be a security issue in it's
> own right.
> 
> Recently there were a number of exploits released for cisco equipment, among
> the affected equipment were the 677 and 678 consumer DSL routers of which
> there are millions in use.
> 
> I have one such router, the DSL circuit is provided by Alltel and I work for
> the ISP who provides the actual internet access.
> 
> So upon reading recent warning notice sent to the security email lists about
> the exploits being publicly available I went and read
> http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says
> any router running a version of CBOS prior to 2.4.5 (actually you need 2.4.6
> because of later exploits) is vulnerable.
> 
> So like a good netizen I contacted cisco TAC via telephone, gave them my 678
> serial number and they informed me that they could not provide the security
> update because my router is registered to alltel (alltel did provide the
> router when I ordered the DSL circuit), please call Alltel to get it. Ok so
> then I called Alltel, who told me no problem we can email you the update and
> asked for my email address. Except since Alltel is not the ISP I don't have
> an alltel email address so then they won't email it to me, please contact
> your ISP. I then informed Alltel that I AM MY ISP to which they replied they
> still could not provide the patch and that I would have to get it from
> Cisco.
> 
> So then I call Cisco TAC again, this time I explain the full details of all
> I've just been thru and the tech decides to ask someone. Comes back and says
> if I register on the cisco website that he can open a ticket and get someone
> to call me back on it. (I'm presently waiting for that call)
> 
> In the mean time I decided to google for it and low and behold I found 2.4.6
> on a website (url not posted to protect the life saving individuals who put
> it on the web). Now of course I've no way to know if this version I just
> found is safe or not but HELLO CISCO???
> 
> If you are going to issue security alerts that require ISP's and consumers
> to patch their hardware devices then you had better damn well make sure that
> folks can actually GET THE PATCHES. It would require no effort at all to
> post a bogus version full of back doors and whatnot on the web and after
> seeing the nightmare it is to obtain the patch thru official channels it's
> clear to me that this would be a very popular download.
> 
> Geo.
> 


__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ