Cisco IOS Exploit Cover Up

Christopher L. Morrow christopher.morrow at mci.com
Thu Jul 28 16:30:01 UTC 2005


On Thu, 28 Jul 2005, Leo Bicknell wrote:

> In a message written on Thu, Jul 28, 2005 at 08:29:22AM +0100, Neil J. McRae wrote:
> > I couldn't disagree more. Cisco are trying to control the
> > situation as best they can so that they can deploy the needed
> > fixes before the $scriptkiddies start having their fun. It's
> > no different to how any other vendor handles an exploit and
> > I'm surprised to see network operators having such an attitude.
>
> This is not a Cisco specific comment, but it is a network operator
> comment.
>  --snip---
> but to make that kind of show in public?  What is the motivation?
> If this bug is, as Cisco puts it, "not serious" then they just spent
> a lot of money on people to go do all of that for nothing.  Doesn't
> seem likely.  So what everyone's spidey sense is now telling them
> is Cisco wouldn't spend thousands of dollars on legal injunctions
> and armies of razor blade toters for nothing, so there must be
> something to this paper.  Which makes their denial all the more
> hollow.
>

There is the possibility that Cisco, in this case, knows that they have a
significant base of folks that 'never upgrade' devices. I know of several
thousand 2500's with 11.x code on them, which will NEVER be upgraded...
So, the potential for Neil's network or Leo's or Martin's to be vulnerable
to something patched in 12.0.x.y.z code train 9 months ago isn't there.
That's a good thing for them, it doesn't address the thousands, or
hundreds of thousands of devices which never get upgraded and still
connect to Neil/Martin/Leo's networks as CPE or cpe to cpe... These
devices could still cause some pain to the networks in question.

(all this without seeing the talk of course... perhaps he said: push
button yellow and router go boom. I don't know.)


