lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42E8C7CD.22290.94F4C8C@localhost>
Date: Thu Jul 28 11:56:09 2005
From: stuart at cyberdelix.net (lsi)
Subject: (Fwd) Cisco,
	ISS file suit against rogue researcher

[summary: this is not good news.  ISS have cracked IOS, and Cisco is 
trying to suppress it.  Which means, the bad guys have got the info 
to work with, but the good guys can't defend against it (since the 
info is "incomplete").  All we can say for now is that IOS is clearly 
vulnerable and this puts all Cisco routers at risk.  The fact that 
Cisco are trying to suppress it suggests the threat is real.  But due 
to the information vacuum created by Cisco's attempted suppression, 
it's not possible to suggest a workaround. For now, the best 
workaround is to avoid purchasing or using Cisco kit. What's the bet 
Cisco's big customers have got the inside track?  Surely they 
couldn't deny the fault to the DOD. - Stu]  

------- Forwarded message follows -------

http://www.securityfocus.com/news/11259

Cisco, ISS file suit against rogue researcher
Robert Lemos, SecurityFocus 2005-07-27


LAS VEGAS--Networking giant Cisco and security company Internet 
Security Systems filed on Wednesday a restraining order against the 
management of the Black Hat Conference and a security expert who told 
conference attendees that attackers can broadly compromise Cisco 
routers. 


? What politicians are talking about when they talk about the Digital 
Pearl Harbor is a network worm. That's what we could see in the 
future, if this isn't fixed. ?


Michael Lynn, independent security researcher and discoverer of a 
reliable method for running code on Cisco routers 

The legal action followed a presentation by security researcher 
Michael Lynn, a former ISS employee, who brushed off threats of legal 
action and a broad effort to delete his presentation from conference 
materials to warn attendees that malicious programs could be run on 
Cisco routers. 

While the information had already been presented by Lynn, a Cisco 
spokesman said that the companies wanted to prevent further 
dissemination of inside information about Cisco's routers.

"We don't want them to further discuss it," said Cisco spokesman John 
Noh. "This is about protecting our intellectual property." 

Three weeks of intense discussions between ISS, the researcher, 
Cisco, and conference management failed on Wednesday. Two days 
before, Cisco representatives spent eight hours ripping out the ten-
page presentation from the conference book and ISS executives decided 
to pull the presentation, allowing researcher Lynn to speak on a 
different topic.

In a dramatic reversal on Wednesday, Lynn told attendees he tendered 
his resignation to ISS less than two hours before he went on stage to 
present his findings, then proceeded to describe a reliable way to 
run programs by exploiting the Internet Operating System (IOS), the 
core software for Cisco routers. 

"I feel I had to do what's right for the country and the national 
infrastructure," he said. "It has been confirmed that bad people are 
working on this (compromising IOS). The right thing to do here is to 
make sure that everyone knows that it's vulnerable."

A majority of the Internet infrastructure relies on Cisco networking 
hardware to route data from one computer to another. While security 
researchers have found flaws in the IOS router software in the past, 
almost all the vulnerabilities have only allowed an attacker to 
degrade communications in what is known as a denial-of-service 
attack.

Lynn outlined a way to take control of an IOS-based router, using a 
buffer overflow or a heap overflow, two types of memory 
vulnerabilities. He demonstrated the attack using a vulnerability 
that Cisco fixed in April. While that flaw is patched, he stressed 
that the attack can be used with any new buffer overrun or heap 
overflow, adding that running code on a router is a serious threat.

"When you attack a host machine, you gain control of that machine--
when you control a router, you gain control of the network," Lynn 
said.

ISS disavowed any foreknowledge of Lynn's intent to resign and 
present his findings. Cisco condemned the talk in strong terms that 
suggested the company may initiate legal action against the 
researcher and the conference, describing the presentation as the 
illegal publication of proprietary material.

"It is especially regretful, and indefensible, that the Black Hat 
Conference organizers have given Mr. Lynn a platform to publicly 
disseminate the information he illegally obtained," the company said 
in a statement. "We appreciate the cooperation we have received from 
ISS in this matter. We are working with ISS to continue our joint 
research in the area of security vulnerabilities." 

For his part, Black Hat Conference organizer and founder Jeff Moss 
denied that he had any idea of Lynn's intent. 

"He told me yesterday that he would do his backup presentation," Moss 
said after the controversial presentation. Moss said he had worked 
hard to address Cisco's concerns with the original presentation. "We 
were in the middle of trying to run a conference and lawyers from 
Cisco were talking about a temporary restraining order." 

The controversy is the latest rift between security researchers who 
find vulnerabilities and the software companies whose products 
contain the flaws. Last week, researchers at Red Database Security 
took Oracle to task for waiting more than two years to fix 
vulnerabilities. In April, U.K.-based researchers weathered legal 
threats from Sybase to negotiate an agreement in order to release 
details of several flaws in that company's database. 

In the latest case, ISS and Lynn contacted Cisco in April to report 
their process for using a vulnerability in IOS to run a program on a 
Cisco router. The networking fixed the vulnerability in the operating 
system, but did nothing to prevent attackers from running programs on 
the devices using the broad techniques Lynn described, the researcher 
said. 

During his presentation, Lynn outlined an eight step process using 
any known, but unpatched flaw, to compromise a Cisco IOS-based 
router. While he did not publish any vulnerabilities, Lynn said that 
finding new flaws would not be hard. 

"People aren't looking at this because they don't think gaining 
control of a router is doable, but there are a lot of bugs to find," 
he said.

Executives from Internet Security Systems defended their decision to 
cancel the session. The presentation had been pulled because it was 
"incomplete," said Chris Rouland , chief technology officer for the 
Altanta, Georgia-based company. 

"We had been working with Cisco to explore the viability of 
exploitation of older IOS vulnerabilities," Rouland said. "We felt 
that we had done as much as we could on our own and needed to 
approach Cisco." 

Both Cisco and ISS recommended that customers update their router 
software on a regular basis. Moreover, the sheer number of different 
models of routers and gateways makes it more difficult for an 
attacker to create an exploit to work against them all. 

In a presentation that had all the hallmarks of good theater, Lynn 
stated several times that the information that he was presenting 
would likely result in legal action against him.

"What I just did means that I'm about to get sued by Cisco and ISS," 
Lynn said, joking later that he may be "in Guantanamo" by the end of 
the week. 

However, Lynn argued that the seriousness of the attack left him no 
choice but to let people know the existence of the weakness in the 
software. Cisco plans in the future to abstract the architecture of 
the router operating system in the future, which could have a side 
effect of making a single attack work against all routers. Rather 
then knowing the various memory addresses, or offsets, needed to 
compromise systems, a single offset could work, Lynn said. 

"What politicians are talking about when they talk about the Digital 
Pearl Harbor is a network worm," he said. "That's what we could see 
in the future, if this isn't fixed." 

This article was updated with the latest information about Cisco and 
ISS filing their temporary restraining order against Michael Lynn and 
the Black Hat Conference management. The original article was posted 
at 2 p.m. PST on Wednesday.

------- End of forwarded message -------

---
Stuart Udall
stuart at@...erdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ