Cisco Tries to Quash Vulnerability Talk at Black Hat
By Paul F. Roberts

Updated: A researcher followed through with a presentation on a security hole in Cisco’s IOS even after the network equipment company threatened to shut down the conference if the information wasn’t suppressed.

A discussion of a vulnerability in Cisco Systems Inc.’s IOS provoked controversy at this year’s Black Hat Briefings conference in Las Vegas, after the San Jose, Calif., networking vendor forced conference organizers to physically remove notes on the strategy for remotely exploiting IOS systems from the conference proceedings.

The researcher, Michael Lynn, ultimately presented information on the hole, but only after resigning his position at the vulnerability research company ISS (Internet Security Systems).


The security flaw affects all versions of the Internetwork Operating System, which runs on Cisco gear that forms the backbone of the Internet, and could be used to launch a “digital Pearl Harbor,” Lynn said, using a phrase coined by former White House cyber-security chief Richard Clarke to describe an unexpected attack that cripples the global Internet.

A Cisco spokesperson acknowledged that the company had removed content pertaining to the IOS problem, saying that it was obtained illegally, and that the company was protecting its intellectual property.

Cisco and ISS also jointly filed a request for an injunction and a cease-and-desist order in U.S. District Court for the Northern District of California.

Neel Mehta, a researcher with ISS’s X-Force, said Lynn had agreed to scale down the presentation on IOS after ISS and Cisco decided to give the San Jose networking equipment maker more time to work on the issues raised.

But Lynn changed his mind at the last minute, prompting his resignation. “Mike had a lot invested in this presentation,” Mehta said.

Lynn discovered the IOS flaws while doing vulnerability research on IOS for ISS.

ISS reported the flaw to Cisco, which has since released upgrades for IOS that fix the problem, and halted downloads of older IOS versions that contain it, Lynn said.

According to Lynn, flaws in IOS could allow attackers to crash Cisco routers running IOS through “heap overflows,” by sending the devices chunks of data that overwrite memory.

In order to get the overflows to work, Lynn manipulated IOS to disable a process called “check heap,” which is designed to detect such irregularities, and used an older exploit, known as an “uncontrolled pointer exchange,” to trick vulnerable Cisco devices into running attack code.

The technique developed by Lynn would give remote attackers access to the IOS “shell,” from which the attacker could control the device.

With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.
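The account above turns on one detail: the heap overflow only becomes useful once the integrity check that would normally catch a corrupted block is out of the way. The following C program, added here as an illustration and not taken from Cisco, ISS or Lynn's material, models that check. It builds a toy heap whose blocks carry a header guard and a trailing guard word, walks it with a `check_heap()` routine that reports the first damaged block, and contrasts an unchecked copy that spills past a block's payload with a bounded copy that refuses oversize input. The block layout, guard values and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Cisco code: a toy heap whose blocks carry guard words,
 * and a check_heap() that walks the blocks and reports the first one whose guards
 * no longer match. This is the kind of integrity check the article's "check heap"
 * refers to; the layout, sizes and magic values here are assumptions. */

#define NUM_BLOCKS    4
#define DATA_SIZE     16
#define MAGIC_OFF     0                       /* uint32 header guard        */
#define SIZE_OFF      4                       /* uint32 usable payload size */
#define DATA_OFF      8                       /* DATA_SIZE bytes of payload */
#define REDZONE_OFF   (DATA_OFF + DATA_SIZE)  /* uint32 trailing guard      */
#define BLOCK_SIZE    (REDZONE_OFF + 4)

#define BLOCK_MAGIC   0xAB1234CDu
#define REDZONE_MAGIC 0xFD0110DFu

/* The whole heap is one byte array so every write below stays inside a single object. */
static unsigned char heap[NUM_BLOCKS * BLOCK_SIZE];

static void put_u32(size_t off, uint32_t v) { memcpy(heap + off, &v, sizeof v); }
static uint32_t get_u32(size_t off) { uint32_t v; memcpy(&v, heap + off, sizeof v); return v; }

/* Lay out NUM_BLOCKS blocks with intact guards and zeroed payloads. */
void heap_init(void) {
    memset(heap, 0, sizeof heap);
    for (int i = 0; i < NUM_BLOCKS; i++) {
        size_t base = (size_t)i * BLOCK_SIZE;
        put_u32(base + MAGIC_OFF, BLOCK_MAGIC);
        put_u32(base + SIZE_OFF, DATA_SIZE);
        put_u32(base + REDZONE_OFF, REDZONE_MAGIC);
    }
}

/* Walk every block; return the index of the first one with a damaged guard, or -1. */
int check_heap(void) {
    for (int i = 0; i < NUM_BLOCKS; i++) {
        size_t base = (size_t)i * BLOCK_SIZE;
        if (get_u32(base + MAGIC_OFF) != BLOCK_MAGIC ||
            get_u32(base + SIZE_OFF) != DATA_SIZE ||
            get_u32(base + REDZONE_OFF) != REDZONE_MAGIC)
            return i;
    }
    return -1;
}

/* Defective copy: `len` is taken from the caller unchecked, so anything beyond
 * DATA_SIZE spills into the trailing guard and then into the next block's header.
 * The single clamp only keeps this toy inside its own backing array. */
void copy_unbounded(int block, const unsigned char *src, size_t len) {
    size_t off = (size_t)block * BLOCK_SIZE + DATA_OFF;
    if (len > sizeof heap - off) len = sizeof heap - off;
    memcpy(heap + off, src, len);
}

/* Hardened copy: refuse anything larger than the block's declared capacity. */
int copy_bounded(int block, const unsigned char *src, size_t len) {
    size_t base = (size_t)block * BLOCK_SIZE;
    if (len > get_u32(base + SIZE_OFF)) return -1;
    memcpy(heap + base + DATA_OFF, src, len);
    return 0;
}

/* Fresh heap, write `len` constructed bytes into `block` with the defective copy,
 * then report what check_heap() sees (-1 = still intact). */
int overrun_detected(int block, size_t len) {
    unsigned char payload[64];                 /* constructed sample input */
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    heap_init();
    copy_unbounded(block, payload, len);
    return check_heap();
}

/* Same experiment through the hardened copy: returns its verdict; the heap stays intact. */
int bounded_copy_verdict(int block, size_t len) {
    unsigned char payload[64];                 /* constructed sample input */
    if (len > sizeof payload) len = sizeof payload;
    memset(payload, 'A', sizeof payload);
    heap_init();
    return copy_bounded(block, payload, len);
}

int main(void) {
    printf("16 bytes into block 1, check_heap -> %d\n", overrun_detected(1, 16));
    printf("20 bytes into block 1, check_heap -> %d\n", overrun_detected(1, 20));
    printf("40 bytes into block 0, check_heap -> %d\n", overrun_detected(0, 40));
    printf("hardened copy of 20 bytes -> %d, check_heap -> %d\n",
           bounded_copy_verdict(1, 20), check_heap());
    return 0;
}
```

A 16-byte write fits and leaves every guard intact; 20 bytes destroy block 1's trailing guard, and 40 bytes written into block 0 run on through its guard into block 1's header. In each case the walker reports the first damaged block, which is exactly why a checker like this has to be neutralised before such an overwrite can be turned to any use, and why its verdicts are worth logging rather than silently repairing.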


Interest in Lynn’s talk was high, after word of the late-night quashing of the talk circulated around the conference.

In a bit of drama that has become a hallmark of Black Hat, attendees at Lynn’s talk were initially told that the IOS exploit would not be discussed because of “circumstances beyond our control,” and that Lynn would discuss a security hole in the VOIP (voice over IP) protocol instead.

But in a dramatic turn of events, Lynn reversed course, informed audience members that he had quit ISS and would discuss the hole, even though he had been told that doing so would result in him being sued by his former employer and by ISS.

Lynn said he felt compelled to discuss the hole because hackers had “already stolen the IOS source code” and “you don’t steal the IOS source code to not hack routers.”

He declined to elaborate on the charge that hackers had made off with the source code, which would make it easy for them to find IOS security flaws.

While code to exploit the IOS vulnerability would be difficult to distribute as an Internet worm, such an attack isn’t impossible, he said.

Cisco is not aware of a theft of its IOS code beyond an unauthorized leak of portions of the IOS source code in May 2004, a company spokesperson said.

Companies that are running up-to-date versions of Cisco IOS software, or “firmware,” are probably not vulnerable to the attack, he said.

ISS had been planning to discuss the hole at Black Hat, but was contacted by Cisco last week when the companies agreed to cancel or scale back the talk, giving Cisco more time to make IOS “immune” to attack, Mehta said.

After learning of Lynn’s plans to present information on the IOS exploit at the Black Hat conference on Wednesday, however, Cisco and ISS demanded that Black Hat organizers cancel the talk and sent representatives to remove any information pertaining to the problem from conference materials.

As of Wednesday morning, 20 pages concerning the hole were cut out of conference briefings, and CDs containing show presentations were not being distributed with show materials.

Cisco and ISS had decided in early July that the presentation should not be given at Black Hat, but learned last week that an early draft of the presentation had made it into the conference proceedings anyway, a Cisco spokesperson said.

A Black Hat spokesperson said the company was not available to comment because executives were still consulting with lawyers about the incident.


Mehta also declined to comment on what actions his company might take against Lynn or Black Hat organizers.

However, a Cisco spokesperson acknowledged that ISS and Cisco had filed a temporary restraining order and injunction against Lynn and Black Hat in the U.S. District Court for the Northern District of California in San Jose to prevent them from disseminating information about the IOS security holes.

Many attendees applauded Lynn’s actions and took issue with the alleged efforts by Cisco and ISS to quash discussion of the hole.

Ali-Reza Anghaie, a senior systems engineer for an aerospace company who attended the show, expressed outrage at ISS, which he accused of caving to pressure from Cisco.

The company, which sells vulnerability scanning technology, has an obligation to reveal details of security holes to customers.

“As a customer, [ISS] can’t put me in the position where they’re providing protection for security holes, but not telling me what the holes are,” he said.

Mehta expressed disappointment about the way in which the IOS talk was handled, but said that the IOS exploit was not technically a vulnerability, but an “architecture issue,” on which ISS wouldn’t necessarily brief customers.

Editor’s Note: This story was updated to clarify the details of Lynn’s presentation and to include statements from a Cisco spokesperson and Neel Mehta, a researcher with ISS’s X-Force.
