Cisco IOS Exploit Cover Up

Scott Morris swm at emanon.com
Thu Jul 28 14:14:42 UTC 2005


Bear in mind though that when the M$ SQL Slammer worm hit everyone, the same
attitude existed. The patch had been available for months. People knew
about the vulnerability and it wasn't anything "new".

And yet, look how much havoc was created there.  It's always the "potential"
stuff that scares people more.  While I do think it's obnoxious to try to
censor someone, on the other hand if they have proprietary internal
information somehow that they aren't supposed to have to begin with, I don't
think it is in security's best interest to commit a crime in order to get
tighter security.

Is this the technical version of civil disobedience?

Scott 

-----Original Message-----
From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
James Baldwin
Sent: Thursday, July 28, 2005 9:24 AM
To: Neil J.McRae
Cc: nanog at merit.edu
Subject: Re: Cisco IOS Exploit Cover Up


On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:


> I couldn't disagree more. Cisco are trying to control the situation as
> best they can so that they can deploy the needed fixes before the
> $scriptkiddies start having their fun. It's no different to how any
> other vendor handles an exploit and I'm surprised to see network
> operators having such an attitude.
>

That's part of the issue: this wasn't an exploit in the sense of something a
$scriptkiddie could exploit. The sheer technical requirements of the exploit
itself ensure that it will only be reproduced by a small number of people
across the globe. There was no source or proof of concept code released and
duplicating the information would only provide you a method to increase the
severity of other potential exploits. It does not create any new exploits.
Moreover, the fix for this was already released and you have not been able
to download a vulnerable version of the software for months; however, there
was no indication from Cisco regarding the severity of the required upgrade.
That is to say, they knew in April that arbitrary code execution was
possible on routers, they had it fixed by May, and we're hearing about it
now, and if Cisco had its way we might still not be hearing about it.

How many network engineers knew there was a potential problem of this
magnitude at the beginning of May? If, knock on wood, someone had released
this code into the wild, then how many networks would have been vulnerable
despite the availability of a fix?

Considering that Mr. Lynn's presentation was flawless, it is interesting to
note that Cisco and ISS considered the information to be "not quite
complete." This is especially interesting since the research was done weeks
ago according to the researcher. It's surprising that such a decision as to the
incompleteness of the presentation and the retraction of Cisco's support for
the presentation came only several days before the talk. It would
lead me to believe that both companies had less interest in a "process of
disclosure and communication" and more with burying this information for a
year or more.

I agree with everyone that making attack tools and exploit information
available to the public prior to a fix being generated with the vendor is a
poor method of encouraging good security; however, that is far from the case
in this matter. A fix had been generated with the vendor and it was time
for the information to become public so network operators understood that
the remote execution empty world we had lived in until now was over.

More links:
http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
http://securityfocus.com/news/11259
