Security Watch

Russ Weighs in on Mike Lynn

Lynn's disclosure of the Cisco IOS vulnerability targets the technical, but what's really at issue is bad practices.

• By Russ Cooper
• 08/22/2005

Several events combined to make this a significant event. First, the presenter, Mike Lynn, had been an employee of security company ISS up to two hours before the talk. He resigned just before delivering the talk, which included information Cisco claimed was proprietary and discovered by reverse engineering IOS.

Cisco and ISS had been in talks to determine whether or not to allow Lynn to deliver the scheduled talk. They decided that they would prohibit the presentation, and Cisco employees physically removed all presentation materials from the Black Hat presentation guide. Digital copies of the presentation guide containing the IOS discussion were supposed to have been destroyed also. Lynn indicated he would talk about a different subject, but when he started that alternate discussion reports say that the audience became very upset. The presenter then reverted to his originally planned IOS presentation.

Legal action was threatened by Cisco against various parties, including Lynn, ISS and the Black Hat Conference organizers. The focus of this was the release of proprietary Cisco information. The demonstration didn't provide proof-of-concept code, although such code was allegedly included in the original presentation removed from the conference guide. It demonstrated how to exploit previously identified vulnerabilities in a new way which would result in an attacker being able to execute code of his choice on the router. While it's been known that routers are susceptible to buffer overflows, the demonstration proved that such overflows could be controlled by the attacker to allow code of their choice to execute. This was the revelation.

Lynn attempted to explain his actions by claiming he was trying to help the national infrastructure, suggesting that not disclosing this information left it with the malicious community only. Cybertrust has long felt this concept -- disclose everything because it's potentially dangerous -- is an irresponsible approach.

A vulnerability is a vulnerability, and its severity is generally a significant variable. If a vulnerability purports to allow a Denial of Service attack, but in reality could be exploited to run code of the attacker's choice, the severity is increased. Improperly assessing severity could lead to unintended weaknesses being tolerated; however, a router is a critical part of your security infrastructure and should be updated on a regular basis, regardless of the severity of a vulnerability. Anyone following this basic principle (or best practice) would not be vulnerable to the attacks Lynn suggested.

As such, a claim that the demonstration helps the national infrastructure is flawed on its premise. If the national infrastructure (or some part of it) has not updated its router software to address already patched vulnerabilities, the problem is not that these vulnerabilities can be exploited to run code of the attacker's choice -- the problem is that generally accepted best practices aren't being followed. It isn't the severity of the vulnerability that's preventing the routers from being updated; it's the organization and procedures in place for keeping routers up-to-date that are flawed.

So in all likelihood, the stated intention will result in more harm to the national infrastructure than good.