Cisco IOS Exploit Cover Up

James Baldwin jbaldwin at antinode.net
Thu Jul 28 13:24:22 UTC 2005


On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:


> I couldn't disagree more. Cisco are trying to control the
> situation as best they can so that they can deploy the needed
> fixes before the $scriptkiddies start having their fun. It's
> no different to how any other vendor handles an exploit and
> I'm surprised to see network operators having such an attitude.
>

That's part of the issue: this wasn't an exploit in the sense of
something a $scriptkiddie could exploit. The sheer technical
requirements of the exploit itself ensure that it will only be
reproduced by a small number of people across the globe. There was no
source or proof of concept code released, and duplicating the
information would only provide you a method to increase the severity
of other potential exploits. It does not create any new exploits.
Moreover, the fix for this was already released and you have not been
able to download a vulnerable version of the software for months;
however, there was no indication from Cisco regarding the severity of
the required upgrade. That is to say, they knew in April that
arbitrary code execution was possible on routers, they had it fixed
by May, and we're hearing about it now, and if Cisco had its way we
might still not be hearing about it.

How many network engineers knew there was a potential problem of this
magnitude at the beginning of May? If, knock on wood, someone had
released this code into the wild, then how many networks would have been
vulnerable despite the availability of a fix?

Considering that Mr. Lynn's presentation was flawless, it is
interesting to note that Cisco and ISS considered the information to
be "not quite complete." This is especially interesting since the
research was done weeks ago according to the researcher. It's surprising
that such a decision as to the incompleteness of the presentation and
the retraction of Cisco's support for the presentation were withdrawn
only several days before the talk. It would lead me to believe that
both companies had less interest in a "process of disclosure and
communication" and more in burying this information for a year or
more.

I agree with everyone that making attack tools and exploit
information available to the public prior to a fix being generated
with the vendor is a poor method of encouraging good security;
however, that is far from the case in this matter. A fix had been
generated with the vendor and it was time for the information to
become public so network operators understood that the remote
execution empty world we had lived in until now was over.

More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259
