
Security researcher causes furor by releasing flaw in Cisco Systems IOS

By Victor R. Garza, Contributing Writer
28 Jul 2005 | SearchSecurity.com


LAS VEGAS – A security researcher caused quite an opening day buzz at the Black Hat Briefings security conference when he released a potential vulnerability in Cisco Systems' routers that could, if exploited to its potential by a malicious attacker, bring down the entire Internet.

Michael Lynn, a former employee with Internet Security Systems, stated that he quit his position with ISS two hours before his discussion and faced litigation from both Cisco Systems and ISS for divulging the information in his presentation.

Lynn stated at the beginning of his presentation, "I'm not giving you a roadmap to an exploit, I'm trying to prove to you that I've done it." He went on to show a quick demonstration of how he could exploit a router to remotely gain access to the "exec" or highest privilege level of the router. "Quick" is something of an understatement, as the demonstration took approximately five seconds.

He went on to state the difference between exploiting a vulnerability on a single host machine versus a router: "when you gain control of a machine you've got that machine, but when you gain control of the router, you gain control of the network." He added that having control of the router allows an attacker to listen to or make changes to all traffic flowing over the router, including e-mail or traffic from other applications.

Lynn stated that while this flaw was fixed by Cisco in April of this year, a number of routers are still vulnerable.

Noting that IOS source code had been stolen by hackers, Lynn also stated, "the right thing to do here is to show everyone that [exploiting the flaw] is possible. It's very important, very important, that we talk now, because you don't steal the source code so you can not hack a router. You only steal it to hack a router."

Cisco Systems, the world's most ubiquitous router and switch manufacturer, apparently didn't want the information released. Sources close to the matter state that Lynn will potentially be sued for intellectual property copyright infringement and that Cisco is also seeking a temporary restraining order against Lynn. Additionally, ISS will be filing for a restraining order against Lynn and the Black Hat conference organizers in an attempt to prevent them from discussing the issue. In Lynn's words, "the only thing negative about ISS is that I was told in no uncertain terms that I will be sued today."

In a release shortly after the presentation, Cisco stated, "It is important to note that the information Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Lynn's research explores possible ways to expand exploitations of known security vulnerabilities impacting routers." The release went on to state, "Cisco believes that the information Lynn presented at the Blackhat conference today contained proprietary information and was illegally obtained." The statement also refers to the fact that Lynn stated in his presentation that he used a popular file decompressor to 'unzip' the Cisco image before reverse engineering it and finding the flaw, which is against Cisco's use agreement.

Later in his presentation, Lynn theorized that a worm using just this type of flaw could be written and create a "digital Pearl Harbor," effectively disabling the Internet globally. He added that corporations using other vendors' routers who claim they would be unaffected by such a flaw, should it be exploited, were not being reasonable, as those same routers would ultimately be connected to Cisco hardware and thereby affected.

At the end of his presentation Lynn stated several times that if users "upgrade their [router] firmware, they'll probably be fine."

Cisco stated that "As per Cisco's best practices guidelines, we recommend customers upgrade their software to the latest available versions."

Lynn ended his presentation by saying, "I figure I have to do what's right for the country and the national critical infrastructure." He subsequently asked the audience if anyone knew where he could find a job.

Victor Garza is a technology/security consultant and lecturer at the Naval Postgraduate School in Monterey, Calif.
