Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cisco Patches 'Black Hat' IOS Flaw

Posted by Zonk on from the spraypainted-white dept.

thursnick writes "eWeek is reporting that Cisco has finally issued a comprehensive fix for a critical IOS vulnerability that set off a firestorm of controversy at the Black Hat Briefings earlier this year. The patches come more than three months after former ISS researcher Michael Lynn quit his job to present the first-ever example of exploit shellcode in Cisco IOS (Internetwork Operating System), a presentation that landed him in legal hot water. Cisco's advisory effectively confirmed Lynn's summer warning that the flaw could be exploited by remote attackers to execute arbitrary commands or cause a denial-of-service on compromised routers."

12 of 66 comments (clear)

  1. Wow, quick turnaround... by Stormeh · · Score: 3, Funny

    Awesome, and it's only been how many months?

  2. Cisco vs. Microsoft by mandreko · · Score: 4, Funny

    looks like Cisco is trying to beat Microsoft for patch times

  3. What ever happened... by Anonymous Coward · · Score: 5, Interesting

    So, what ever happened to Michael Lynn? He quit his job and made the presentation but, where is he today? Is he employed? Is he proud of what he did? Does he feel the price he paid was worth what he gave up for 15 minutes in the spot light? Would he recommend his "high road" choice to others in the future? Does he feel that he really made any difference in the end?

    1. Re:What ever happened... by Ckwop · · Score: 4, Informative

      He's alive and well as far as I know. I saw him at Toorcon this year, but didn't speak to him.. (He was a speaker and gave a good talk on Reverse Engineering)

      I know that he has a new job and I while I obviously can't speak for him, I got the impression that he felt as if he did his duty the security community. As an amateur member of that community, I'd thought that he put principle before pay and deserves our respect.

      Simon.

    2. Re:What ever happened... by Anonymous Coward · · Score: 5, Informative

      Mike is working at Juniper, and doing well (Juniper pays better than ISS, apparently, and their code is cleaner than Cisco's, plus they have some ethics). He feels he did the right thing. So do a lot of folks in the US military and intelligence communities, who are very very pissed off at Cisco for exposing them to a security risk of this magnitude and trying to cover it up. They consider Mike a hero, so he has some very useful new friends...

    3. Re:What ever happened... by Wellspring · · Score: 3, Insightful

      I'm glad. I love it when the right thing (for him) is also the Right Thing (ethically).

      The coverup is almost always worse than the crime in these kinds of things. Companies that aren't up-front and honest (trying to protect their reputation) end up trashing their reps. Cisco just created an anecdote for the next time a customer or regulator wants to take a deep, careful look at their security. We can't just take their word for it, and if I were buying routers right now, I'd be much more inclined to look at Juniper than Cisco, even though previously I wouldn't have even considered them.

      It's not magic pixie dust, but making the effort to bring hard-core ethics onstaff is important to me.

  4. Re:Why not earlier? by scheme · · Score: 5, Informative
    Why on earth did Cisco not release this earlier? It would save people alot of trouble.

    If you read TFA, the bug involved system timers and how they were handled. Given that this probably affects most of the system functions, it's not surprising that it would take a while to make the changes and test it. Think about how long it took to fix the VM bugs in linux 2.4, this probably a change of similar magnitude.

    --
    "When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
  5. The question is....... by 8127972 · · Score: 3, Interesting

    ..... Is this safe enough to deploy or should it be dropped into a test environment of some sort before deploying into a production environment? That assumes of course that admins have the luxury of delaying the deployment of this.

    --
    This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
    1. Re:The question is....... by anticypher · · Score: 5, Informative

      The answer is.....

      This code has been out for a few months now, and many select beta sites have been testing it in production environments. The first few iterations had some serious (crash and reboot every few hours) problems, but it (12.2.15T1thru17) has been in production use on several edge routers for a month with no noticable problems. Cisco didn't just patch the one 'sploit published, they categorised the class of exploits and went about fixing many different possible attack vectors or watching for suspicious behaviour that could indicate a compromised system. That is what took several months even before Michael's talk, and its been in testing (and re-patching and recursion testing) since then. The announcement today is because they are confident their fix is solid, but anyone staying at the bleeding edge of IOS releases has been using it since at least June.

      I'd say its solid, but I'm not rolling out the latest version on everything until others add some real world stress testing. I'm sure there will be several more newly introduced bugs uncovered in the new few months, and the timer checks usually result in a panic reload, not optimal for stable systems with SLAs and big money riding on them.

      I'm also not in a rush to roll this out, because for the moment there are no known exploits running around. Maybe Effugas or some of the IOS engineers (I know you read /.) can add something to this thread.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  6. Great by Atlantic+Wall · · Score: 3, Funny

    Great, Now how long before everyone implements this and all of the other patches that need to be done on the cisco routers. OK the patch is out, but when will they all be patched, probably another 3-6 mo. So this is a hackers last call sort of, if you have not exploited this yet, time is running out, soon. So get in ur haxoring.

    --
    To Hell with the Queen of England!
  7. Re:Two scary bits" Completely Compromised by gclef · · Score: 3, Informative

    Cisco doing heap checking is a mark of a reasonable system doing checks on itself. Why is this bad? They almost never use the stack, so they check the memory they are using a lot. It doesn't run often (Lynn found it running about once every 30 seconds or so), and it's a good thing to do. Why complain?

    As for reloading firmware, I don't think you understand Cisco stuff. There is a mini-firmware burned into ROM on all the Routers & Switches...it's called ROMMON mode on the ones that immediately come to mind. If your device firmware is totally thrashed (by a worm, by some damn fool tftp'ing up an image for the wrong router type, etc) you'd just use ROMMON mode to re-load a good image. Now, the real problem is that a worm could trash your flash storage.

    In that case, unless you've got one of the expensive boxes with removable flash cards, you've now got a very expensive paperweight.

  8. Re:Am I affected? by estebanf · · Score: 3, Funny

    Give me your ip... i'll tell you :)

    --
    DON'T STEAL MUSIC!