
    Cisco Tries to Quash Vulnerability Talk at Black Hat

By Paul F. Roberts - July 27, 2005

A discussion of vulnerability in Cisco Systems Inc.'s IOS provoked controversy at this year's Black Hat Briefings conference in Las Vegas, after the San Jose, Calif., networking vendor forced conference organizers to physically remove notes on the strategy for remotely exploiting IOS systems from conference proceedings.

      The researcher, Michael Lynn, ultimately presented information on the hole, but only after resigning his position at the vulnerability research company ISS (Internet Security Systems).

      The security flaw affects all versions of the Internetwork Operating System, which runs on Cisco gear that forms the backbone of the Internet, and could be used to launch a “digital Pearl Harbor,” Lynn said, using a phrase coined by former White House cyber-security chief Richard Clarke to describe an unexpected attack that cripples the global Internet.

      A Cisco spokesperson acknowledged that the company had removed content pertaining to the IOS problem, saying that it was obtained illegally, and that the company was protecting its intellectual property.

      Cisco and ISS also jointly filed a request for an injunction and a cease-and-desist order in U.S. District Court for the Northern District of California.

Neel Mehta, a researcher with ISS's X-Force, said Lynn had agreed to scale down the presentation on IOS after ISS and Cisco decided to give the San Jose networking equipment maker more time to work on the issues raised.

      But Lynn changed his mind at the last minute, prompting his resignation. “Mike had a lot invested in this presentation,” Mehta said.

      Lynn discovered the IOS flaws while doing vulnerability research on IOS for ISS.

      ISS reported the flaw to Cisco, which has since released upgrades for IOS that fix the problem, and halted downloads of older IOS versions that contain it, Lynn said.

According to Lynn, flaws in IOS could allow attackers to use "heap overflows" to crash Cisco routers running IOS, by sending the devices chunks of data that overwrite memory.

      In order to get the overflows to work, Lynn manipulated IOS to disable a process called “check heap,” which is designed to detect such irregularities, and used an older exploit, known as an “uncontrolled pointer exchange,” to trick vulnerable Cisco devices into running attack code.

      The technique developed by Lynn would give remote attackers access to the IOS “shell,” from which the attacker could control the device.

      With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.


Interest in Lynn's talk was high, after word of the late-night quashing of the talk circulated around the conference.

In a bit of drama that has become a hallmark of Black Hat, attendees to Lynn's talk were initially told that the IOS exploit would not be discussed because of "circumstances beyond our control," and that Lynn would discuss a security hole in the VOIP (voice over IP) protocol instead.

      But in a dramatic turn of events, Lynn reversed course, informed audience members that he had quit ISS and would discuss the hole, even though he had been told that doing so would result in him being sued by his former employer and by ISS.

Lynn said he felt compelled to discuss the hole because hackers had "already stolen the IOS source code" and "you don't steal the IOS source code to not hack routers."

      He declined to elaborate on the charge that hackers had made off with the source code, which would make it easy for them to find IOS security flaws.

While code to exploit the IOS vulnerability would be difficult to distribute as an Internet worm, such an attack isn't impossible, he said.

      Cisco is not aware of a theft of its IOS code beyond an unauthorized leak of portions of the IOS source code in May 2004, a company spokesperson said.

      Companies that are running up-to-date versions of Cisco IOS software, or “firmware,” are probably not vulnerable to the attack, he said.

      ISS had been planning to discuss the hole at Black Hat, but was contacted by Cisco last week when the companies agreed to cancel or scale back the talk, giving Cisco more time to make IOS “immune” to attack, Mehta said.

After learning of Lynn's plans to present information on the IOS exploit at the Black Hat conference on Wednesday, however, Cisco and ISS demanded that Black Hat organizers cancel the talk and sent representatives to remove any information pertaining to the problem from conference materials.

      As of Wednesday morning, 20 pages concerning the hole were cut out of conference briefings, and CDs containing show presentations were not being distributed with show materials.

      Cisco and ISS had decided in early July that the presentation should not be given at Black Hat, but learned last week that an early draft of the presentation had made it into the conference proceedings anyway, a Cisco spokesperson said.

      A Black Hat spokesperson said the company was not available to comment because executives were still consulting with lawyers about the incident.

      Mehta also declined to comment on what actions his company might take against Lynn or Black Hat organizers.

      However, a Cisco spokesperson acknowledged that ISS and Cisco had filed a temporary restraining order and injunction against Lynn and Black Hat in the U.S. District Court for the Northern District of California in San Jose to prevent them from disseminating information about the IOS security holes.

Many attendees applauded Lynn's actions, but took issue with the alleged efforts by Cisco and ISS to quash discussion of the hole.

      Ali-Reza Anghaie, a senior systems engineer for an aerospace company who attended the show, expressed outrage at ISS, which he accused of caving to pressure from Cisco.

      The company, which sells vulnerability scanning technology, has an obligation to reveal details of security holes to customers.

"As a customer, [ISS] can't put me in the position where they're providing protection for security holes, but not telling me what the holes are," he said.

Mehta expressed disappointment about the way in which the IOS talk was handled, but said that the IOS exploit was not technically a vulnerability, but an "architecture issue," on which ISS wouldn't necessarily brief customers.

Editor's Note: This story was updated to clarify the details of Lynn's presentation and to include statements from a Cisco spokesperson and Neel Mehta, a researcher with ISS's X-Force.
