Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Cisco Tries to Quash Vulnerability Talk at Black Hat



 By: Paul F. Roberts
2005-07-27
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: A researcher followed through with a presentation on a security hole in Cisco's IOS even after the network equipment company theatened to shut down the conference if the information wasn't suppressed.

A discussion of vulnerability in Cisco Systems Inc.s IOS provoked controversy at this years Black Hat Briefings conference in Las Vegas, after the San Jose, Calif., networking vendor forced conference organizers to physically remove notes on the strategy for remotely exploiting IOS systems from conference proceedings.

The researcher, Michael Lynn, ultimately presented information on the hole, but only after resigning his position at the vulnerability research company ISS (Internet Security Systems).

The security flaw affects all versions of the Internetwork Operating System, which runs on Cisco gear that forms the backbone of the Internet, and could be used to launch a "digital Pearl Harbor," Lynn said, using a phrase coined by former White House cyber-security chief Richard Clarke to describe an unexpected attack that cripples the global Internet.

A Cisco spokesperson acknowledged that the company had removed content pertaining to the IOS problem, saying that it was obtained illegally, and that the company was protecting its intellectual property.

Cisco and ISS also jointly filed a request for an injunction and a cease-and-desist order in U.S. District Court for the Northern District of California.

Neel Mehta, a researcher with ISSs X-Force, said Lynn had agreed to scale down the presentation on IOS after ISS and Cisco decided to give the San Jose networking equipment maker more time to work on the issues raised.

But Lynn changed his mind at the last minute, prompting his resignation. "Mike had a lot invested in this presentation," Mehta said.

Lynn discovered the IOS flaws while doing vulnerability research on IOS for ISS.

ISS reported the flaw to Cisco, which has since released upgrades for IOS that fix the problem, and halted downloads of older IOS versions that contain it, Lynn said.

Resource Library:

According to Lynn, flaws in IOS could allow attackers to use "heap overflows" to crash Cisco routers running IOS by sending chunks of data to Cisco devices running IOS that overwrite memory.

In order to get the overflows to work, Lynn manipulated IOS to disable a process called "check heap," which is designed to detect such irregularities, and used an older exploit, known as an "uncontrolled pointer exchange," to trick vulnerable Cisco devices into running attack code.

The technique developed by Lynn would give remote attackers access to the IOS "shell," from which the attacker could control the device.

With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.

Click here to read more from columnist Larry Loeb about Ciscos VOIP timeout issues.

Interest in Lynns talk was high, after word of the late-night quashing of the talk circulated around the conference.

In a bit of drama that has become a hallmark of Black Hat, attendees to Lynns talk were initially told that the IOS exploit would not be discussed because of "circumstances beyond our control," and that Lynn would discuss a security hole in the VOIP (voice over IP) protocol instead.

But in a dramatic turn of events, Lynn reversed course, informed audience members that he had quit ISS and would discuss the hole, even though he had been told that doing so would result in him being sued by his former employer and by ISS.

Lynn said he felt compelled to discuss the hole because hackers had "already stolen the IOS source code" and "you dont steal the IOS source code to not hack routers," he said.

He declined to elaborate on the charge that hackers had made off with the source code, which would make it easy for them to find IOS security flaws.

While code to exploit the IOS vulnerability would be difficult to distribute as an Internet worm, such an attack isnt impossible, he said.

Cisco is not aware of a theft of its IOS code beyond an unauthorized leak of portions of the IOS source code in May 2004, a company spokesperson said.

Companies that are running up-to-date versions of Cisco IOS software, or "firmware," are probably not vulnerable to the attack, he said.

ISS had been planning to discuss the hole at Black Hat, but was contacted by Cisco last week when the companies agreed to cancel or scale back the talk, giving Cisco more time to make IOS "immune" to attack, Mehta said.

After learning of Lynns plans to present information on the IOS exploit at the Black Hat conference on Wednesday, however, Cisco and ISS demanded that Black Hat organizers cancel the talk and sent representatives to remove any information pertaining to the problem from conference materials.

As of Wednesday morning, 20 pages concerning the hole were cut out of conference briefings, and CDs containing show presentations were not being distributed with show materials.

Cisco and ISS had decided in early July that the presentation should not be given at Black Hat, but learned last week that an early draft of the presentation had made it into the conference proceedings anyway, a Cisco spokesperson said.

A Black Hat spokesperson said the company was not available to comment because executives were still consulting with lawyers about the incident.

Mehta also declined to comment on what actions his company might take against Lynn or Black Hat organizers.

However, a Cisco spokesperson acknowledged that ISS and Cisco had filed a temporary restraining order and injunction against Lynn and Black Hat in the U.S. District Court for the Northern District of California in San Jose to prevent them from disseminating information about the IOS security holes.

Many attendees applauded Lynns actions, but took issue with the alleged efforts by Cisco and ISS to quash discussion of the hole.

Ali-Reza Anghaie, a senior systems engineer for an aerospace company who attended the show, expressed outrage at ISS, which he accused of caving to pressure from Cisco.

The company, which sells vulnerability scanning technology, has an obligation to reveal details of security holes to customers.

"As a customer, [ISS] cant put me in the position where theyre providing protection for security holes, but not telling me what the holes are," he said.

Mehta expressed disappointment about the way in which the IOS talk was handled, but said that the IOS exploit was not technically a vulnerability, but an "architecture issue," on which ISS wouldnt necessarily brief customers.

Editors Note: This story was updated to clarify the details of Lynns presentation and to include statements from a Cisco spokesperson and Neel Mehta, a researcher with ISSs X-Force.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Cisco Tries to Quash Vulnerability Talk at Black Hat
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}R!bޡ|Ⱥ_; ngw!Ke[,H2=/ؗg̪asav[ʪև$i9#rSkj΢6w}[f8TE[ \ߤ~Am;t =4mzNHB~}@~cfK`OS[S uɘZqXɈQߖ>}~qd  .hrLIlGtuGpfzA|>QѺ>QQy$pm< 6F]'w*G 0t'DGþ=a]%S5EpHԤ#|O >ȀYFz.Qu^Vl l׸ڮb'Uƞͨ* /B1r!f-{4ɿTݑ[ L=iLVC;%0ýtf?;9zu v}J2GJ73' }KwH;R@}kz>5I ib1lp2E%$7 .q_-0/<mqz]]MDZwS>dRr-2^˲nMw 3a[mѡlطZ.i5E9(Uw+{ށQT/[L,\hFusj]t/gW~]`-v4򺮕=u9yи} d}-5U%`ZJ4_c::-gv}j^ ty[4E;J KHs = (2!,![cҺ쵮鵎ۭdo̲6<jUӀ* nJw3D~ ,W7'77MtqsEVN}B'j`BcYuuUo~=Wco!ab; dPp9L+pZ' ?wz_ZdBO#Rdt$ǽcYu'P[,. RGrZ~@X*V0Uhf5 t @CX&%4ɄSHu t:g9A}I'Խ=6kiLuV!`BC`ukj G@kFPYXa6R\ 9jb3v!fB;Mߧ,-|yEU>hi"F[8 .+J!bN3̤"ȅQ.% .Ć>Lb8O૦Źxuwެ.e4ޙϋ~鮂KwQ}nUOnyڂ)3G#洋вns7MGZKLUn`**{r[TQnűl :2X jXR7PaQp 0hv?OiM'89yt$AG61^zK ucl>#ä p;pw>-Fv1S{Q {>0iCkB^D4i-D@wM0Ie+! uG νdrgoMA(oIn@X^0 vjipHpyY?)B]uCbӀB=`Mkwe95(u%2R}c9>] CRRR$S]HPw9DJ B!B0H V0({ aݴ\.y"u':ݑW.ڹLXأXB YX/E_R23#CdɬaX91{MfT`"[ᛥLKak`F][U4mRO4Mh af{@Zgée K0آ:!9?b! s WQ'c: ?{\ !7!q"%3t0x>f"̴b֜Ei|X#Xc ݜX,ǖ1&&B~aZ&4" 7vyE"9a* ,q[riׁfX8ȣ=p TfҬ||=厬m[4@>|z].z:ԍ$r%5kb$T`CL q^i.:[@w\g˪kͲT]ٽ/ 7ryG0sm-K;",6@1++;WKc: _hihH*E6@\Z2,c %␘ 0ZKpcʻ:>{j aaC_/UKW3C ZYSj2ej-[`B]PeܠQ@7%XSPQ[ tpkuPCߵ |!7c=ds쀡rΦ>G) zc7HhpLa1e ƤԚLkQAa ĵa`{s?9pJ/]{6,ݙ_ݓ⺰#]6޹5"@0mE"=~`iNR} в^z`ٳU?uoqj)ՅI ,䧒RVJ~&[b"ud\6˰@\kOa3H\RZr>J+"Xk8:T:4&6Wނ"m'uX2]jL}tvǜ}h3ʋ2 i@z"RJZ585jZ͎=>iP2~2j&8x_ㄯ8W}ˬ7?K'_>k냩ܦpKsOS+p1c# ,c0+fW S#SqO)ӔWDF(/9 .KTNj siz0_n?9!G7/=ϼxN"9ym2-%8z0JM;%9$_ۀ3JnYuitLeb`l "Z`|iY`&c1 s*? |l3pڳ N`Nɧb_+Xcփ0 J}SO>yUc6~zi1b(n<0{L3wB=ִ Phni`dmh{{^EK-g}X} 2␞é^OR4r>nz*eR)Yi 2=cte>u1#i}KU>ה*eʬ]o(QUmq'F.҄^K]bRvQLv$ME"[,qde l&SJ_ʼnZkRS+F`"U!TP>y#_7)~(zC9km^>s꧴ zQR4JRU-+)CoED\vK9 ^L lZKqXAKkp= -2j=uR+̖ K%4e%3E/-GXmlC 5@ E D@D;n?% ?S-l8-F:~ݕDw[ݴ{g}eO:i^Ͽ&~f?Н :{>aa= gY/ЏֿH LЇ_q}R> jXj_4O[lb4sLAIP 4p? YOճ]U}y*]: yEp0Z<!hTu.iR|s޹Gy%{uDs9ADH>KrBëֈdȰV Z(Xĥs}ܺ̂sӜ4"Z?N3bn *qZD_aݪ,d<0!&*Vktr}E9ǀzB,2q^7G:KyP^S(+RJ"4FYM |ώ[G&g <>G&9FpDmEnE,}+)Fy*}y:}_exH+BY1g%VIϤsCHI NAv}9oq_4Ĩ9cn1x-6ܺN'c4sJd":Q%;)~ZOCT䵴f[YUHO~D!gqbwyfAH0GWeսnq ]ȩWugXԧ;E~"rntL7íԎ+*sy"O+:^ GW .[ }vgNأ&k{ ?gdĎ%Ƙ{`sBk8CלO(|si9c<3m~`'6"%Ԫ9GqXx,>V7]vYp]9Qz AC~g}\0n3|}m7|O0w+ml>8ninmǡ8 0Vd$4P$EUՊZr,"2NIJa+>8zdM#}ݺJfyӼ0hɘApl7B_7nC]Ad^s@k~ͤa ]ek;^RwnomVZtC.qD^-^RRIJ>]'ϫ@" b^_BIMwzZVN Ȧw13~!O O=qԲىY|Wyg>,da6з0[+=)$Ιd<J;oݵM M A;&JX۴ rUCaM_*Z/0i0pDa$\}5 _;bE Iu1^[Q|=_O8s{M4jZSWל7&/6).wi{\nEaQ(^ > |"s(u±KtvZ:LgFM-ފyti2jI `.zOF{p|K&059j͒d@[rƘ\`-# Ɨ4O)PG#ЉJֶ8 Y[A(z%@K`\=9?вm\YNUWǓ>&e ?ukOG3i-w/iؖ-;`&EnoؙcADGA;Q͏ۍ"@v+<mC2gC|FzC>ymNmwc.OclPl`+O/nk;&$6탭τEC s~ \U&b !d9é߆+vK7J}a&@8b+a>Vaj>)Տ։vR۔%CuI'+%qKMmcV2O&ǔ.TI?yF"^\Q+{œnK,grri"V$ocDH\ns/2`퓅dOO}j/g"]ab^A(!ڞ` 8;B$>)OE})26%!#9lwaCX`$`w#6jrhYƚ/n`'~HPmw9Mai li֘ZX#t#J& P}qigtcXf [ !}6F`p @5H0@D"m i!ʍ߈*moD 2r8kXXXXv?Ś諗fTK.JW[/]!opp'i~XܜzM}*"j򼛬&O׾ #A_8k/9i`3 bVn8h?m@^P^QcUɚcVz"$]BE#t3 ]_j_UF3ND%=IʈuY ]=6zm͑}5itLe%"%QeRwtB#aؘtdVz3:̻JCk{͜#7`z1I:[E,R"brN5I$F͐\/9wFevCA۵¹ ƜՒ;ZfZY|:Hm&.QKmsx;k0V%/JƋ[_v/12ЎfY 􇏧*SK'1>2o^)hl*wiaaaa{ݲRm[lTR҅Earpq2YzStmXa}XPv''LD8$z "_:ۜ6ƽiwͭ2Y]@p n4Nqu5c @#pDo!=F{]\{1υ!PJЕxE^/Xİ0V'+ `D{{Dx O>9t{ݦtJ: AU' \Ѓp P@AfŗZݞGzq/DMnlXOs`ʵqt8& +MKa)fi`&_۫>@rU7s QxQ FhFFk{/ÜϺ'mzc;MLS3GCV]UKc9\jcVсݼaN oz}yEX\o ^mwq8c c%?kQ=r QEP\Y@7{vK ߁s<_OŁ~Lû2qW qjJ;6[w6vj}eo3";A[Vxi`W[ul<)/3Փy0mum-6bVĽ 畲\Q -_ߩl]=tY@m Aɼ#Ь$5VfX-)j%M"q0M++℉fai%SH5P"?F" )zuKפ;s|:ۘKϠ)8weS?c {b闶V0Ч% d qM۞ 'Aat]b1Y#;Ћ','d))00&i݀5,qt7I ̰2.-£EfގvPo|֊OZڒYΞëB(a%<{:ͨ,$tIz iWj/\n PAgXt~D).RVfStc 6fa6::MSܒC~RJ~+`M0їoE7{d¤ZXt'Ows "" ;0M!r~xS*'@ ]{r 8A^E1SʉmOVxLU qmc2\X;x;$USEPn98!#9tylX@e9F?PM}[5(C^P"^’{M}1Iڲ9ڒ77%AE6J-="@Ÿ Rxc)A%+}ۏAB,p}&6K fZ SPEmMEfIȢD1E\1]U=ub? @utNk-b"K]Ζ1xy[/ޏz'5aL6P;ɫlNz ԣ:BMu)T#j%x#-o>Au=zVŠx!y=fB׵Gao=!vcK7K5S]<_q=%o7^֝eؓRc̳-*);,Ou-A4`}*fZ%2Y70VV@+)eRxʋzhNx29b'L H$Z[.gн<#hHYW2 l0VY&9Z`3+n}l˪ZMɶ8+YlwNQgg)q8 @gxjHw,S!:맲y԰t|G*_[Ex9*{ f=0vUU,?y`k&OobD+))3윶BwCˠOטP8C c &k)<6$Ae5T?0' )U 5 Ui_ĥ8AnIe,m6.&=^8EG :SZ=Fd>^pXJӑu /`|$wz̥7d?= ͸8}uǃ""a=X 2>nde2GjLl//uh99lt[^뺋3wB&!x=c]A h3>z(4x Jߩ1v> CROwE)dA4A ]؅ي_?!L\oX|J71k >BZp4a![޺)% cDR/sO0ឩHT VdL4"&(qTiK$>&).yci 8^yN4WZ oX22 =܇>RXX_1[U=LꚂOJBveX zԙykwyWfE3{8~\OSz% %uW0`A i2dg4t\@%;$$ ͈ɵ7֝ 14ο5iVt?vWv;7x Zҷh+lԍs9rԹrҾl]]/{ƉL_s}i)|Q)X7MGYFybvʔPN:#ͅf1.ys8,tG_0=4efO|;R(/& /:E~W?cz ׭nW˧V֚C}yW'>;ȑkh t{r:X)` чzIeos@1@C|mzs*4"J6ρss_sʯzuQ8SށNN9rzou1ตS~GO>'99Z]~.4ګDžF8gڗ9vN?wsʿ@<>v/ry9\"?/?/re2P9 r)r˜̑K˜@;9N~+S:7./PO_r3+>9~7P~W{ÿ7MN779$)gf5pvʻ0\hK"~)P'9{P* ~2*ΕR+@nW~_} ks^WKͮ0Tntů-5n+ Ǥjuv ^_@%\e$2/M&>#(R^>Ȧc 4rk 7[yDYII{2}tEi>ri;GLweţu6l]{_ЯҺl-ЙN%ga]eX/Us !Qa7Ejorx s)螩z$oF =s~k#uoIʮUVjpwr.YcbuA$&4vXw%P<# .=u^et fMȡ!pCfJC#Dk( }:^Ǭ*V,6of.3^46T<gU~ o'2@7 5[ŨЫ逕@NS'kc5q) ՞ٕv"n42w)z6+eP4Ǎa&r4jn4@;4Hr(9?gb zu K'Dr&߼)=tφ U/ADZeMY򿦖q˭d<@T6? 9oCI.^,˃aͱyCw|`bȜ.^" 8luy1M< .ixʵT`a\8}I8q0yA3LΊqM HPf]32l/x§On3E ^ :OCɡ ( kEF(l#byCܜ0@PJMXv&K< 0'O=8Ï CqzvwұDiqgŕIœj@@z6o2~ar'3v!tAu<z_L&)Ҵ }dl0/3./Dl6K:_13}tǔ:x#<w>aBv3 ^l x$Qd/I';-#%0uocOIl@O咤 X1W䁝gAg|bOhN[/TùLHd v"ѡsRF B bsފaC6:+2=jSo:h}vWS^eo,"m,?hPP"#q} !3FaZDAR$~hD<`oȢsL ALH\>oz^DbtΚb'OQ0^R sMq퀷p5>\Tx/ē_| Њ3g`'u YұߚP TDO^[|Q_ۗG@1agGێQgW_wD.M%Cb9G$]! ""_SaoilyNq2I0 n9i63X:9Am&{'nk_6܅eNUhJl9ud2-kc'pg!MXbsL/Tvy*s*>% , i?G7K:Ɛ/>-S)0_p,\ftO 6C|gKo?[죗i֟g%\!d3@WD0;"I}.KE0&(Xp\'AVΙَz"gw>G}d ȡ( l}i6xk9N`^ۺKAѮx'nat`[x)+^F:=O.CNMR>ǔ  ]'[ڧ3й?-Rw;ӭK73B*| X`GYe`+r8ǩk[mx: }uKe!)N1:Wz1?c9VI٦7G,cհ ¦u4m/l*c7W /ߴc7qݼgME>m*ЍO1igNb+c/χŀ-{̾!V^f-9uRdGB~DdaܐdZ.e~҅V*I,f`bQd+$*)ؐ kO`4bV@P1,3Qz7=O`N*)Asa#Dl ApN7fWm3S<"Y<.G7cyO|ODNű<<Sf )` |1CtFW3.rW=aMd}9o-\Uz,sٓN/<|;XYt mڊ']f*FRqOR|ju; XغqKG?^w>]Kы6Ҍ%!\ T>U}y~/7 ~c Whb<y&FG˳̺Uj*$