Cisco cover up
Scott Altman
staltman at gmail.com
Thu Jul 28 18:34:15 UTC 2005
On Thu, 28 Jul 2005, Mark Owen wrote:
> Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.
To summarize a couple points:
1. Cisco fixes exploit in April
2. IOS Simplification occurs in April, effectively removing all old
versions of code from their website.
3. IOS Simplification is explained (in macro terms) as a way to help
customers navigate available versions; in micro terms, they were
helping their litigation issues around NetFlow Acceleration
So... did IOS simplification also give them a convenient /
coincidental method of patching the vuln. that Lynn used in his
exploit presentation? Or to put it another way: What else got fixed
with IOS Simplification that we don't know about?
One could speculate that the events listed above lead you to a good
stake in the ground as to whether or not your code is vulnerable, if
it's currently downloadable... it must be good! <snicker>
Another observation: Given the audience of Black Hat (well-connected
network types with a penchant for distributing information ahead of
the curve) why is there so little factual information about what was
presented?
- Scott