Slashdot Mirror
Researcher Resigns Over New Cisco Router Flaw
An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN.
Interestingly, Cisco says the the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
It's ok, really it is. Karl Rove gave him the information.
FLR
As dependent on as our economy is upon routers, and Cisco in particular, it seems that his disclosure was definitely in the public interest, and if he isn't entitled to whistleblower protection, we need to mount a campaign to get him protected. Write your Congressoid.
"The mind works quicker than you think!"
but couldn't he at least have waited a few weeks to see how Cisco responds
Cisco seems to suffer from the same stupidity that most other large corporations do. They'll take a report, and sit on it for weeks, and sometimes months. Full Disclosure is usually the only way to get them to actually fix the issues in a timely manner.
In TFA, Cisco themselves said that he did not disclose any new vulnerabilies... so... what is the BFD?
Later, Cisco said it was all bent out of shape because they follow an "industry established disclosure process" and because Mr. Lynn "illegally" obtained the information...
Hey, Cisco, I have news for you. "Industry established disclosure process" != "Law"
Get over yourselves, admit that you're a bunch of fuckups that can't make secure networking equipment, and move along..
Companies like Cisco, Microsoft, etc. are generally made to look really bad when security flaws are exposed in their products.
The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.
Then they get to look super-secure, since they were "too quick" for the bad hackers.
Some people, however, think that the only thing that'll get companies to take security more seriously is if they are actually made to look really bad, and maybe some of their products actually get hacked.
Unfortunately, when you're dealing with some giant businesses cost/benefit analysis, the only thing that can get them to take notice is a little carnage.
Is it worth it? I dunno, but it's certainly arguable.
The thing is (from what the articles say) it's not about one particular flaw. It's that ANY overflow flaw can be exploited to take control of Cisco IOS, which is bad news. Add Cisco's plan to abstract the hardware from IOS and then you've got a major problem. Basicly, it's about time Cisco implimented some form of DEP protection offered by current Intel and AMD processors + software, to prevent this from being an issue. Or check their bloody code of course.
Yes, he could. But then again, I suspect he already did. The traditional approach was to tell the vendor, and announce the flaw publicly 28 days later. That gave a vendor sufficient time to code and test a patch. However, many vendors (and Cisco seem to be particularly bad about this) sit on problems like this for several months and take no immediate action. I'd be far from surprised to hear Cisco were notified of this 3 months ago, hence Lynn's frustration and his decision to publicly talk about the flaw. I don't actually know what happened, and the above is just speculation. I suspect there's more than a grain of truth to it, though.
"The invisible and the non-existent look very much alike." -- Delos B. McKown
I must have missed the "master password" thing.
As far as Cisco going down hill I don't really agree with that. Currently Cisco is expanding their product offerings into new unexplored territories such as IP Telephony. I have installed and supported several of these systems. As long as you follow thier design, install, and support guidelines they are as robust and as problem free as any other platform that i've worked with.
I think most people on Slashdot understand the complexities of the internet world. A minor change here can have a huge, uexpected, impact across the network or application. However, if time tested procedures for upgrades and testing are followed nothing has really changed. I think what may be giving a Cisco a bad name is all of the under qualified people out there installing their systems. The MS world of patch it, reboot, and go about your business does not fly when you critical systems are involved.
I must have missed the "master password" thing.
That was from a while back. They had set up a master "backdoor" password in a version of IOS and ended up getting ridiculed for it quite heavily.
He told them in April, according to BoingBoing, and they still hadn't fixed the problem totally.
The articles cited are light on details. But nowhere do the articles suggest that Cisco was burying the flaw. In fact, the opposite is indicated. ISS and Cisco are apparently working on a fix. In my mind whistle blower protection is valid if the whistle blower is uncovering corruption. Which does not appear to be the case here. Based on the information presented, the system was working on the problem, he just wasn't happy with it.
How do you apt-get hardware?
The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and efficient) then having a general purpose processor do it.
That said you have firmware that controls the hardware which could be "apt-get" though in reality I'd rather see an open source firmware that was also provided as binary images you could just upload.
Do you really want some MCSE throw-back building a firmware image when they can hardly manage cmd.exe?
hehehee sick.
Tom
Someday, I'll have a real sig.
How long should it take?
0 7/update_to_cisco.html
http://blogs.washingtonpost.com/securityfix/2005/
The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months, and that up until earlier this week, a Cisco executive was slated to co-present the findings with Lynn at Black Hat.
I can't help but wonder, if this in the end really about gaining some publicity and in the end making more money.
Cisco is actually very upfront and cooperative when you report things which might be a vulnerability (I have personally dealt with PSIRT). The people who work there are actually so polite, it's kind of annoying (I have been thanked about 2 dozen times for reporting a very minor finding).
They do however expect you to play by the rules. Even if you are the person who found a bug, you are expected to let Engineers fix the bug before you release the information.
Also, there is policy in place, which makes sure major ISPs (Carriers) are informed first, so they can do upgrades before the PSIRT release is made public.
All that makes sense, since we are really talking about essential infrastructure.
Of course, all that kind of takes away the coolness of reporting a vulnerability and you will get a lot less publicity (cisco credits you) than what you would get, if you just post to some mailing list.
If he really released information he researched at ISS without consent, well, he should face consequences. Because I obviously was to gain from it (getting a new job, making a name or himself). Hopefully he wasn't just doing it for the publicity.
"Mommy, mommy! The garbage man is here!" "Well, tell him we don't want any!" -- Groucho Marx
Okay, this sounds pretty simple. Michael Lynn finds a (new) explit of Cisco routers and its a doosey. He informs ISS, who informs Cisco. Cisco management can't believe that such a serious flaw exists, since they've know about the possibility, but its been written off as minor in the past. Lynn presses his case to his supers, and they get down and dirty with Cicso. Cisco craps its pants because the flaw is everywhere, and it's going to cost real money to fix, and could hurt company Q results.
Cisco agrees with ISS taht they're going to do something about it, but it's going to take a bunch of resesarch and time. They'll keep it quiet for a few years while they put th fix in the pipline for new models. They'll work on a firmware fix, but its back burner as long as the explot isn't public. If ISS keeps its mouth shut, they can still do work for Cisco.
Lynn hears that his research is to be hush-hush, and that Cisco will work on it, but it could be a while before there's an actual patch. No arguing that the flaw is critical will make ISS management, with a financial gun to its head, budge.
Lynn flips ISS the bird, 'cause he thinks its a major security issue, and presents his research anyway. Cisco and ISS claim they're working ont it, and that its and old flaw, and nothing really serious. And they're quietly looking for a man to fir Lynn with concrete shoes for blowing their cover.
Seems pretty clear to me.
Is it just my observation, or are there way too many stupid people in the world?
Contradiction?
... and I can never find out why pople can get sued for disclosure of something dangerous to a lot of costumers.
Quote: "It is important to note that the information Mr. Lynn presented was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. Mr. Lynn's research explores possible ways to expand exploitations of existing security vulnerabilities impacting routers."
Quote: "... Mr. Lynn a platform to publicly disseminate the information he illegally obtained."
If his research regards known and exsisting vulnerabilities how could they be illegal obtained? This can only happen if Cisco sits on the vulnerabilities for some time. If this is the case its a poor excuse by Cisco to state that its not a new vulnerability.
In my humble opinion its new when first made public.
If I use their routers I would like to know if they can be hacked. If they can get hacked I would like the oppotunity to take them offline if I need to protect my business.
If I don't have that oppotunity - and I loose data/values/etc due to an attack, I'll have to keep Cisco responsible.
-:) Oh no - not again.
www.rednebula.com
The way they prefer it to go is that someone contacts them secretly, tells them the hole, and they can have it fixed all up by the time the vulnerability is published.
... And this happens in the Open Source world too. Mozilla, for instance, has "classified" bugs, which are not opened up to the public until a fix (or whatever) is available. Take for instance, the Windows chrome:// bug from a few months to a year ago. They sat on it for over a year (and it was classified, of course), and didn't do anything until an exploit appeared in the wild. The fix was issued right away. "Too quick" for the hackers, indeed.
Then they get to look super-secure, since they were "too quick" for the bad hackers.
What I'm getting at is don't say that this sort of behavior is limited solely to closed source software. No one wants to have the pressure of handling a security fix WHILE an exploit is out in the wild. Would you rather have the opportunity to fix a security flaw while no one else (but the person who discovered it) knew about it, or would you prefer the person who discovered it announce it to the world and release an exploit first?
-Mark
That was true a few years ago, but its rarely the case these days. Once you contact the correct people at the vendor they generally move fairly quickly to resolve the issue. Independant researchers can contact CERT and they'll handle all of this legwork for you and make sure you get the credit. Of course the patching process still takes time for development, porting across platforms, and regression testing. So you do have to cut the vendors some slack.
In the case of ISS there's almost no excuse for not getting some serious cooperation from the vendor. ISS has the weight and all the contacts they need to notify the vendors and get a fairly quick response. This was either an extreme circumstance, or Michael had another job lined up and he wanted to exit with a big splash. For that matter, he may have just made enough noise about his Blackhat presentation that he didn't want to have to pull it back.
On an entertaining side note, Blackhat actually reburned all the CD's and cut his section out of the convention notes. Cisco must have come down pretty heavy for them to pull such a strong CYA move.
"It is our belief that the information that Lynn presented at Black Hat this morning is information that was illegally obtained and violated our intellectual-property rights,"
Lynn decompiled Cisco's software for his research and by doing so violated the company's rights, Noh said. [emphasis added]
So basically, Cisco is claiming that decompiling their object code is illegal.
Isn't it a greater violation of the customer's rights to prohibit them from decompiling the code on their own equipment to check for security vulnerabilities?
We've come to the point where corporations believe they have the right to impose conditions of operation on equipment they no longer own. If Cisco sells someone a router, the customer now owns it. Cisco doesn't have any right to impose any conditions of use on the new owner, because they no longer legally own the product. The owner has the right (and some would claim even the responsibility) to decompile their router's code to check for potential vulnerabilities.
It seems that Cisco believes that even after they've sold it to you, they still own your router. And who knows, maybe this vulnerability was deliberately placed so they could own your router anytime they pleased...
The society for a thought-free internet welcomes you.
I'd probably rather the bank/hospital had a few weeks to establish a plan, rather than have to bang something out in an emergency, and whilst the records have already been made much more vulnerable.
Your preference suffers from the flawed (although typically wide-spread) assumtion that only one person is smart enough to discover the flaw.
If a white hat can discover it, then a black hat can too - and black hats are constantly looking. Vulnerabilities need to be *FIXED*, not discussed for weeks in private meetings.
This is not a problem of disclosing a major vulnerabilty before the vulnerable company could react.
The flaw had been privately disclosed a few months ago. Cisco, for its own reasons, didn't intend to distribute a fix before long (next year!). Too major a flaw? Publicity? Too much work already? Internal politics?
Obviously, Michael Lynn couldn't live with the idea of leaving this flaw open, and decided to disclose it publicly, thus forcing Cisco to aknowledge it and fix it. Also obviously, this wasn't the only reason. He seemed disgusted by the industry's approach to this kind of problem.
Misleading titles? Inflammatory blurbs? Keep in mind that Slashdot is a tabloid.
I'm always amazed that companies think they have, or do have the right to sue someone for pointing out a flaw in their product. "Only in the software industry". If Chevy sells a new pickup that has seatbelts that don't work properly in a crash, and I find out, damn straight i'm telling the whole world. And if chevy tried to sue me for it they'd get laughed out of court. There should be absolutely no legal grounds for a company to sue someone over pointing out the flaws in their product. It's their own damn fault for not making a secure product in the first place.
you had me at #!
I am Michael Lynn...I'd like to clarify things
Cisco was notified of the vulnerability in question many months ago and the issue has been patched for about 3 months now.
Furthermore I did not disclose the details of this vulnerability at all. The presentation was merely a demonstration that IOS was exploitable just like any other OS.
Not sure if you really are Mike, but your facts are 100% correct. It wasn't a new vulnerability, just a new way to exploit a known vulnerability which has already been patched. Also, if I read correctly, you need to be directly connected to the router to execute the vulnerability; it's a not a remote attack.
--- RFC 1149 Compliant.
Two words "Professional obligation".
There used to be two general ways to handle security flaws when you discovered them. Either you could privately exploit the hell out of them. Or you could just privately report them to the company involved and wait patiently for them to release a fix.
However there is a big problem with this particular model. The problem is that companies like Cisco, Microsoft, etc. don't really seem to think that exploits that allow people to remotely execute administrator level code are really that big of deal, and they figure that they can just create a patch when "we get around to it" or "next year".
Meanwhile, do you really think that you are the only person in the entire world who is guaranteed to find the exploit? The black hats of the world have probably already found the exploit anyway in many cases. It's just the customers who are suffering because a patch is not available.
This model of waiting around forever was a dismal failure. So, security professionals found that by publicly releasing their findings, they could force companies to take security more seriously. The responsible way to do this is to first inform the company privately of your finding, and give them a reasonable chance to fix it.
What you think is reasonable is up to you, *not* them. They are playing by your rules. You are not playing by theirs. Remember, that you are being nice to them by not just publicly releasing the exploit the day that you found it. So, they should respect that. If they do not, that is their problem. Still, as a professional, you should rise above them and try to give them a reasonable time to fix the problem.
Now in this case, what he did was he informed them 4 months ago of the vulnerability along with a proof of concept. They decided not to fix the problem. They claimed there was no problem. He waited patiently for *4 months*. They said that this wasn't really a vulnerability. Then, they knew well in advance of his presentation at Black Hat, and yet they still chose not to fix the problem.
So, what is he supposed to do? As a security professional, it is his ethical obligation to publicly disclose his findings at that point.
In conclusion, Cisco should spend more money on engineers instead of lawyers.
Randy.Flood@RHCE2B.COM
As you've already been told, Lynn did NOT work for Cisco, nor does ISS work "for / with" them. The mutual effort was a result of Lynn finding the flaw in the first place, and notifying them about it.
Four months ago.
However, the more damningly flawed portion of your argument is that 'now Cisco doesn't have time to fix the problem'. <snort>
Could you please provide proof that this flaw hasn't been actively exploited since even before the time at which Lynn found it?
It is, needless to say, impossible to prove a negative.
If you're not living on the edge, you're just taking up space!