8/1/2005 -- In a certain sense, Cisco CEO John Chambers got what he wished for. Several months ago, you’ll recall, Chambers kicked off a new, security-centric phase in Cisco’s technology development, promising -- above all else -- that his company would innovate relentlessly to enhance the security of its products.

Last week, Cisco had a textbook opportunity to take the security high ground. Depending on who you talk to, the networking giant either got a passing grade (until all of the facts are in, at least) or failed miserably.

At this year’s Black Hat USA security confab, held last week in Las Vegas, security researcher Michael Lynn -- late of Internet Security Systems (ISS) -- defied both his employer and Cisco by demonstrating a flaw in IOS and IOS XR that could allow an attacker to gain control of a Cisco router. As it turns out, Lynn actually had to quit his job to give the talk: ISS had agreed (apparently with some encouragement from Cisco) to pull the presentation from the event.

Things got nastier, too: Cisco and ISS sought to impose a gag order against Lynn and Black Hat coordinators, although the two sides ultimately reached a compromise -- namely, that Lynn was to turn over any Cisco source code in his possession and never again disclose the details of his Black Hat talk.

The attack outlined by Lynn exploits a known IPv6 security flaw in IOS and IOS XR, which Cisco fixed (in version 3.2 of IOS XR, that is) this April. If exploited, Lynn claimed, the vulnerability could have an immediate and profound impact on Internet service -- in some cases, he claimed, it was possible to exploit the vulnerability in such a way so as to destroy a Cisco router.

Taking into account Cisco’s perceived tardiness in patching the flaw, along with the much-publicized theft of Cisco’s IOS source code last year, Lynn said he had to act. “I did not think the nation's interest was served by waiting another year, when a router worm would be a serious threat,” the security researcher told attendees at a news conference last week.

By July 29, Cisco confirmed that IOS is vulnerable to DoS and arbitrary code execution by means of a specifically crafted IPv6 packet.

According to Cisco, however, there are a number of key caveats: The packet must be sent from a local network segment (i.e., the vulnerability cannot be exploited one or more hops from a target device), and only devices that have been explicitly configured to process IPv6 traffic are affected. Cisco provided a software patch that it said would address this vulnerability.

Cisco’s caveats were rebuffed by Lynn and other Black Hat researchers, who said that -- contrary to the networking giant’s claims -- an attacker could exploit the IOS IPv6 vulnerability remotely.

Cisco and ISS, for their part, claim that they’d put off disclosing the vulnerability to more fully assess its potential impact. It’s not clear, however, why Cisco fixed the issue in version 3.2 of IOS XR, but did not issue a patch (at least, not until prompted by Lynn) for IOS and for versions of IOS XR prior to 3.2. -Stephen Swoyer