Cisco IOS Exploit Cover Up
Stephen Sprunk
stephen at sprunk.org
Thu Jul 28 18:49:46 UTC 2005
Thus spake "James Baldwin" <jbaldwin at antinode.net>
> Moreover, the fix for this was already released and you have not been
> able to download a vulnerable version of the software for months; however,
> there was no indication from Cisco regarding the severity of the required
> upgrade. That is to say, they knew in April that arbitrary code execution
> was possible on routers, they had it fixed by May, and we're hearing
> about it now, and if Cisco had its way we might still not be hearing about
> it.
Cisco's policy, as best I can tell, is that they patch security holes
immediately but delay notification until either (a) six months pass, or (b)
an exploit is seen in the wild. The former is intended to give customers
ample time to upgrade to patched versions (often without their knowledge)
without tipping their hand to the "bad guys". However, a CERT advisory is
prepared and ready for immediate distribution if the latter occurs.
> How many network engineers knew there was a potential problem of
> this magnitude at the beginning of May? If, knock on wood, someone
> had released this code into the wild, then how many networks would
> have been vulnerable despite the availability of a fix?
There are network engineers that knew, but they couldn't admit it due to
NDAs. This is one of the benefits of buying "high touch" support
contracts -- and Cisco is not alone in that model.
S
Stephen Sprunk
CCIE #3723
K5SSS

"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov