| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mindchild at yahoo.com (Jason Dodson) Subject: Re: Addressing Cisco Security Issues I have had a similar run-around with AT&T Broadband and Sprint a while back, pertaining to a DoS attack my organization was experiencing. Not to dive into details, to resolve the issue, I got them both on the line in a 3-way conversation, and it was taken care of in less then 5 minutes. They didn't seem to eager to shrug off the responsibility to someone else, when that someone else was right there on the phone. Jason Dodson --- "Geo." <geoincident1@...info.org> wrote: > I have to post this because I consider this to be a security issue in it's > own right. > > Recently there were a number of exploits released for cisco equipment, among > the affected equipment were the 677 and 678 consumer DSL routers of which > there are millions in use. > > I have one such router, the DSL circuit is provided by Alltel and I work for > the ISP who provides the actual internet access. > > So upon reading recent warning notice sent to the security email lists about > the exploits being publicly available I went and read > http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says > any router running a version of CBOS prior to 2.4.5 (actually you need 2.4.6 > because of later exploits) is vulnerable. > > So like a good netizen I contacted cisco TAC via telephone, gave them my 678 > serial number and they informed me that they could not provide the security > update because my router is registered to alltel (alltel did provide the > router when I ordered the DSL circuit), please call Alltel to get it. Ok so > then I called Alltel, who told me no problem we can email you the update and > asked for my email address. Except since Alltel is not the ISP I don't have > an alltel email address so then they won't email it to me, please contact > your ISP. I then informed Alltel that I AM MY ISP to which they replied they > still could not provide the patch and that I would have to get it from > Cisco. > > So then I call Cisco TAC again, this time I explain the full details of all > I've just been thru and the tech decides to ask someone. Comes back and says > if I register on the cisco website that he can open a ticket and get someone > to call me back on it. (I'm presently waiting for that call) > > In the mean time I decided to google for it and low and behold I found 2.4.6 > on a website (url not posted to protect the life saving individuals who put > it on the web). Now of course I've no way to know if this version I just > found is safe or not but HELLO CISCO??? > > If you are going to issue security alerts that require ISP's and consumers > to patch their hardware devices then you had better damn well make sure that > folks can actually GET THE PATCHES. It would require no effort at all to > post a bogus version full of back doors and whatnot on the web and after > seeing the nightmare it is to obtain the patch thru official channels it's > clear to me that this would be a very popular download. > > Geo. > __________________________________ Do you Yahoo!? Yahoo! Finance Tax Center - File online. File on time. http://taxes.yahoo.com/filing.html
Powered by blists - more mailing lists