Cisco IOS Exploit Cover Up
James Baldwin
jbaldwin at antinode.net
Thu Jul 28 13:24:22 UTC 2005
On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:
> I couldn't disagree more. Cisco are trying to control the
> situation as best they can so that they can deploy the needed
> fixes before the $scriptkiddies start having their fun. It's
> no different to how any other vendor handles an exploit and
> I'm surprised to see network operators having such an attitude.
>
That's part of the issue: this wasn't an exploit in the sense of
something a $scriptkiddie could exploit. The sheer technical
requirements of the exploit itself ensure that it will only be
reproduced by a small number of people across the globe. There was no
source or proof-of-concept code released, and duplicating the
information would only provide you a method to increase the severity
of other potential exploits. It does not create any new exploits.
Moreover, the fix for this was already released, and you have not been
able to download a vulnerable version of the software for months;
however, there was no indication from Cisco regarding the severity of
the required upgrade. That is to say, they knew in April that
arbitrary code execution was possible on routers, they had it fixed
by May, and we're hearing about it now. If Cisco had its way, we
might still not be hearing about it.
How many network engineers knew there was a potential problem of this
magnitude at the beginning of May? If, knock on wood, someone had
released this code into the wild, then how many networks would have been
vulnerable despite the availability of a fix?
Considering that Mr. Lynn's presentation was flawless, it is
interesting to note that Cisco and ISS considered the information to
be "not quite complete." This is especially interesting since the
research was done weeks ago, according to the researcher. It's surprising
that such a decision as to the incompleteness of the presentation, and
the retraction of Cisco's support for the presentation, came
only several days before the talk. It would lead me to believe that
both companies had less interest in a "process of disclosure and
communication" and more in burying this information for a year or
more.
I agree with everyone that making attack tools and exploit
information available to the public prior to a fix being generated
with the vendor is a poor method of encouraging good security;
however, that is far from the case in this matter. A fix had been
generated with the vendor, and it was time for the information to
become public so network operators understood that the
remote-execution-free world we had lived in until now was over.
More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259