Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Resigns Over New Cisco Router Flaw

Posted by samzenpus on from the don't-go-down-with-the-ship dept.

An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN. Interestingly, Cisco says the the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."

10 of 423 comments (clear)

  1. Hmmm, perhaps he needs whistleblower protection? by meburke · · Score: 4, Interesting

    As dependent on as our economy is upon routers, and Cisco in particular, it seems that his disclosure was definitely in the public interest, and if he isn't entitled to whistleblower protection, we need to mount a campaign to get him protected. Write your Congressoid.

    --
    "The mind works quicker than you think!"
  2. Re:new flaws by megla · · Score: 5, Interesting

    The thing is (from what the articles say) it's not about one particular flaw. It's that ANY overflow flaw can be exploited to take control of Cisco IOS, which is bad news. Add Cisco's plan to abstract the hardware from IOS and then you've got a major problem. Basicly, it's about time Cisco implimented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue. Or check their bloody code of course.

  3. Why? by MyNameIsFred · · Score: 4, Interesting

    The articles cited are light on details. But nowhere do the articles suggest that Cisco was burying the flaw. In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix. In my mind whistle blower protection is valid if the whistle blower is uncovering corruption. Which does not appear to be the case here. Based on the information presented, the system was working on the problem, he just wasn't happy with it.

  4. Re:I wonder... by Cereal+Box · · Score: 4, Interesting

    The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.

    Then they get to look super-secure, since they were "too quick" for the bad hackers.

    ... And this happens in the Open Source world too. Mozilla, for instance, has "classified" bugs, which are not opened up to the public until a fix (or whatever) is available. Take for instance, the Windows chrome:// bug from a few months to a year ago. They sat on it for over a year (and it was classified, of course), and didn't do anything until an exploit appeared in the wild. The fix was issued right away. "Too quick" for the hackers, indeed.

    What I'm getting at is don't say that this sort of behavior is limited solely to closed source software. No one wants to have the pressure of handling a security fix WHILE an exploit is out in the wild. Would you rather have the opportunity to fix a security flaw while no one else (but the person who discovered it) knew about it, or would you prefer the person who discovered it announce it to the world and release an exploit first?

  5. Lawsuit? Lynn says "bring it on" by kriegsman · · Score: 4, Interesting
    From today's Wall Street Journal:
    When Mr. Lynn took the stage yesterday, he was introduced as speaking on a different topic, eliciting boos. But those turned to cheers when he asked, "Who wants to hear about Cisco?" As he got started, Mr. Lynn said, "What I just did means I'm about to get sued by Cisco and ISS. Not to put too fine a point on it, but bring it on."
    Somehow, I suspect he's going to get what he asked for.

    -Mark
  6. Re:I wonder... by n0-0p · · Score: 4, Interesting

    That was true a few years ago, but its rarely the case these days. Once you contact the correct people at the vendor they generally move fairly quickly to resolve the issue. Independant researchers can contact CERT and they'll handle all of this legwork for you and make sure you get the credit. Of course the patching process still takes time for development, porting across platforms, and regression testing. So you do have to cut the vendors some slack.

    In the case of ISS there's almost no excuse for not getting some serious cooperation from the vendor. ISS has the weight and all the contacts they need to notify the vendors and get a fairly quick response. This was either an extreme circumstance, or Michael had another job lined up and he wanted to exit with a big splash. For that matter, he may have just made enough noise about his Blackhat presentation that he didn't want to have to pull it back.

    On an entertaining side note, Blackhat actually reburned all the CD's and cut his section out of the convention notes. Cisco must have come down pretty heavy for them to pull such a strong CYA move.

  7. Dangerous Precedent... by gillbates · · Score: 4, Interesting

    "It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights,"

    Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said. [emphasis added]

    So basically, Cisco is claiming that decompiling their object code is illegal.

    Isn't it a greater violation of the customer's rights to prohibit them from decompiling the code on their own equipment to check for security vulnerabilities?

    We've come to the point where corporations believe they have the right to impose conditions of operation on equipment they no longer own. If Cisco sells someone a router, the customer now owns it. Cisco doesn't have any right to impose any conditions of use on the new owner, because they no longer legally own the product. The owner has the right (and some would claim even the responsibility) to decompile their router's code to check for potential vulnerabilities.

    It seems that Cisco believes that even after they've sold it to you, they still own your router. And who knows, maybe this vulnerability was deliberately placed so they could own your router anytime they pleased...

    --
    The society for a thought-free internet welcomes you.
  8. "Cisco credits you"-when they're not attacking you by toby · · Score: 5, Interesting
    See the unfortunate case of Fernando Gont, and his attempts to responsibly disclose ICMP implementation flaws (not even a Cisco-specific problem):
    Once Fernando understood the vulnerabilities he'd found in the ICMP protocol, he began to try and safely report the problem ... To begin, he wrote an internet draft which he submitted to the IETF in August of 2004. At that time he contacted CERT/CC and NISCC, and privately notified several open source projects ... as well as larger vendors such as Microsoft, Cisco, and Sun Microsystems. ...

    Around this same time, Fernando began receiving emails from Cisco who had numerous technical questions about his solutions to the problems. He continued to reply thoroughly to all their questions, until two months later when he received an email from Cisco's lawyer claiming that Cisco held a patent on his work. He asked their lawyer for specifics, but they refused to reveal any details. For two more months this continued, until Fernando was cc'd on an email thread between Cisco, Linus Torvalds, and David Miller. Reading back through the thread, Fernando found where David Miller had asked Cisco how they could possibly patent sequence tracking as Linux had been doing it for many years, and later in the same thread Cisco noted that they had withdrawn their patent. ...

    While the patent issue was happening with Cisco, CERT/CC created a mailing list to allow vendors to communicate amongst themselves about the newly discovered vulnerability. "They blamed me for submitting my work," Fernando said in exasperation. "One of Cisco's managers of PSIRT said I was cooperating with terrorists, because a terrorist could have gotten the information in the paper I wrote!" Fernando was familiar with intellectual property arguments with last year's Slipping In The Window paper, so he had intentionally publicly published his findings to prevent it from being patented. "Then they accused me of working with terrorists, and even still tried to patent my work!" He noted that he now suspected had he actually worked exclusively with Cisco as they had requested, they probably would have managed to patent all of his ideas. ...

    Fernando also found Microsoft difficult to work with. "Microsoft's acknowledgment policy says that you must report the issues to them 'confidentially'", he explained. As he chose to contact CERT and various open source projects as well, he claimed that they refused to give him credit for the discovery. Only with much effort did he finally get them to acknowledge that he had discovered the issue.

    --
    you had me at #!
  9. Re:I wonder... by abaddon314159 · · Score: 5, Interesting

    I am Michael Lynn...I'd like to clarify things

    Cisco was notified of the vulnerability in question many months ago and the issue has been patched for about 3 months now.

    Furthermore I did not disclose the details of this vulnerability at all. The presentation was merely a demonstration that IOS was exploitable just like any other OS.

  10. Professional Obligation by randyflood · · Score: 4, Interesting

    Two words "Professional obligation".

    There used to be two general ways to handle security flaws when you discovered them. Either you could privately exploit the hell out of them. Or you could just privately report them to the company involved and wait patiently for them to release a fix.

    However there is a big problem with this particular model. The problem is that companies like Cisco, Microsoft, etc. don't really seem to think that exploits that allow people to remotely execute administrator level code are really that big of deal, and they figure that they can just create a patch when "we get around to it" or "next year".

    Meanwhile, do you really think that you are the only person in the entire world who is guaranteed to find the exploit? The black hats of the world have probably already found the exploit anyway in many cases. It's just the customers who are suffering because a patch is not available.

    This model of waiting around forever was a dismal failure. So, security professionals found that by publicly releasing their findings, they could force companies to take security more seriously. The responsible way to do this is to first inform the company privately of your finding, and give them a reasonable chance to fix it.

    What you think is reasonable is up to you, *not* them. They are playing by your rules. You are not playing by theirs. Remember, that you are being nice to them by not just publicly releasing the exploit the day that you found it. So, they should respect that. If they do not, that is their problem. Still, as a professional, you should rise above them and try to give them a reasonable time to fix the problem.

    Now in this case, what he did was he informed them 4 months ago of the vulnerability along with a proof of concept. They decided not to fix the problem. They claimed there was no problem. He waited patiently for *4 months*. They said that this wasn't really a vulnerability. Then, they knew well in advance of his presentation at Black Hat, and yet they still chose not to fix the problem.

    So, what is he supposed to do? As a security professional, it is his ethical obligation to publicly disclose his findings at that point.

    In conclusion, Cisco should spend more money on engineers instead of lawyers.

    --
    Randy.Flood@RHCE2B.COM