CertCities.com -- The Ultimate Site for Certified IT Professionals
Cisco’s Security Black Eye


8/1/2005 -- In a certain sense, Cisco CEO John Chambers got what he wished for. Several months ago, you’ll recall, Chambers kicked off a new, security-centric phase in Cisco’s technology development, promising -- above all else -- that his company would innovate relentlessly to enhance the security of its products.

Last week, Cisco had a textbook opportunity to take the security high ground. Depending on who you talk to, the networking giant either got a passing grade (until all of the facts are in, at least) or failed miserably.

At this year’s Black Hat USA security confab, held last week in Las Vegas, security researcher Michael Lynn -- late of Internet Security Systems (ISS) -- defied both his employer and Cisco by demonstrating a flaw in IOS and IOS XR that could allow an attacker to gain control of a Cisco router. As it turns out, Lynn actually had to quit his job to give the talk: ISS had agreed (apparently with some encouragement from Cisco) to pull the presentation from the event.

Things got nastier, too: Cisco and ISS sought to impose a gag order against Lynn and Black Hat coordinators, although the two sides ultimately reached a compromise -- namely, that Lynn was to turn over any Cisco source code in his possession and never again disclose the details of his Black Hat talk.

The attack outlined by Lynn exploits a known IPv6 flaw in IOS and IOS XR, one that Cisco had already fixed this April, but only in version 3.2 of IOS XR. If exploited, Lynn claimed, the vulnerability could have an immediate and profound impact on Internet service; in some cases, he said, it was possible to exploit the flaw in such a way as to render a Cisco router permanently unusable.

Taking into account Cisco’s perceived tardiness in patching the flaw, along with the much-publicized theft of Cisco’s IOS source code last year, Lynn said he had to act. “I did not think the nation's interest was served by waiting another year, when a router worm would be a serious threat,” the security researcher told attendees at a news conference last week.

By July 29, Cisco confirmed that IOS is vulnerable to DoS and arbitrary code execution by means of a specifically crafted IPv6 packet.

According to Cisco, however, there are two key caveats: the packet must be sent from the same network segment as the target (i.e., the vulnerability cannot be exploited from one or more hops away), and only devices that have been explicitly configured to process IPv6 traffic are affected. Cisco provided a software patch that it said would address the vulnerability.
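The second caveat gives an operator something concrete to audit: which interfaces on a given router actually process IPv6. The script below is an added example, not code from the article, from Lynn, or from Cisco. It parses a saved IOS running-config (the sample is constructed here), reports interfaces on which IPv6 is active, and emits the commands that would switch IPv6 off on interfaces not on an allow-list. It assumes that an IOS interface processes IPv6 once it carries `ipv6 address`, `ipv6 enable` or `ipv6 unnumbered`, and that disabling IPv6 where it is not needed is an acceptable interim mitigation; both are stated here as assumptions, not as the article's claims.

```python
import re
from typing import Dict, List, Set

# Constructed sample running-config (not from any real device or from the article).
SAMPLE_CONFIG = """\
!
version 12.3
hostname edge-rtr1
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 192.0.2.1 255.255.255.252
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 description LAN
 ip address 198.51.100.1 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet0/2
 description management, IPv4 only
 ip address 203.0.113.1 255.255.255.0
!
interface Loopback0
 ipv6 address 2001:db8::ff/128
 shutdown
!
end
"""

# Assumption: any of these sub-commands makes the interface process IPv6.
IPV6_TRIGGERS = re.compile(r"^\s+ipv6\s+(address|enable|unnumbered)\b")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into interface stanzas: name -> its indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.rstrip())
        else:
            current = None  # a '!' separator or a global command ends the stanza
    return stanzas


def ipv6_exposed_interfaces(config: str) -> List[str]:
    """Interfaces that process IPv6 and are not administratively shut down."""
    exposed = []
    for name, cmds in parse_interfaces(config).items():
        has_v6 = any(IPV6_TRIGGERS.match(c) for c in cmds)
        shut = any(c.strip() == "shutdown" for c in cmds)
        if has_v6 and not shut:
            exposed.append(name)
    return exposed


def disable_ipv6_commands(config: str, keep: Set[str]) -> List[str]:
    """IOS commands that remove IPv6 configuration from exposed interfaces not in `keep`."""
    cmds: List[str] = []
    stanzas = parse_interfaces(config)
    for name in ipv6_exposed_interfaces(config):
        if name in keep:
            continue
        cmds.append(f"interface {name}")
        for c in stanzas[name]:
            if IPV6_TRIGGERS.match(c):
                cmds.append(" no " + c.strip())
    return cmds


if __name__ == "__main__":
    print("IPv6-enabled interfaces:", ipv6_exposed_interfaces(SAMPLE_CONFIG))
    # Keep IPv6 only on the ISP uplink; generate commands for everything else.
    print("\n".join(disable_ipv6_commands(SAMPLE_CONFIG, keep={"GigabitEthernet0/0"})))
```

On the sample config the first call reports GigabitEthernet0/0 and GigabitEthernet0/1 (Loopback0 is shut down, and GigabitEthernet0/2 carries no IPv6 commands), and the second emits `no ipv6 enable` for GigabitEthernet0/1 only. Because Cisco's first caveat limits the attack to the local segment, the interfaces this reports are exactly the segments from which an adjacent attacker could send the crafted packet.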

Cisco’s caveats were disputed by Lynn and other Black Hat researchers, who said that -- contrary to the networking giant’s claims -- an attacker could exploit the IOS IPv6 vulnerability remotely.

Cisco and ISS, for their part, claim that they’d put off disclosing the vulnerability to more fully assess its potential impact. It’s not clear, however, why Cisco fixed the issue in version 3.2 of IOS XR, but did not issue a patch (at least, not until prompted by Lynn) for IOS and for versions of IOS XR prior to 3.2.  -Stephen Swoyer



There are 2 CertCities.com user Comments for “Cisco’s Security Black Eye”
8/2/05: ITDefPat from itdefpat.blogspot.com says: Black Eye? More like "down for the count"... but enough with the metaphors. This was a Cisco act to cover themselves, as noted above, for not categorizing this as a critical, exploitable hack. From a consensus of reports, it seems that Mr. Lynn's article was properly vetted. My guess is that sometime between previewing the paper and its presentation, Cisco discovered the extreme severity of the flaw (only a guess). Despite Cisco's litigious attempts to prevent disclosure, Lynn presented the exploit. Also, it seems that there are a great number of copies of the presentation on the Internet despite Cisco's attempts. The silver lining in all this is that patches will be applied and maybe our networks will be protected, despite the coverup.
8/2/05: Jim from Columbus, OH says: It seems more and more that Cisco is acting like Microsoft. Rather than acknowledging problems and working to fix them, they hide these problems. I guess when you're the big dog on the block you don't have to worry about the customer.