Russ Weighs in on Mike Lynn
Lynn's disclosure of the Cisco IOS vulnerability targets the technical, but what's really at issue is bad practices.
A presentation delivered at the Black Hat Conference in Las Vegas demonstrated how a vulnerable Cisco router running an out-of-date version of the operating system could be attacked and completely compromised remotely.
Several factors combined to make this a significant event. First, the presenter, Mike Lynn, had been an employee of security company ISS up to two hours before the talk. He resigned just before delivering the talk, which included information Cisco claimed was proprietary and discovered by reverse
Cisco and ISS had been in talks to determine whether or not to allow Lynn to deliver the scheduled talk. They decided that they would prohibit the presentation, and Cisco employees physically removed all presentation materials from the Black Hat presentation guide. Digital copies of the presentation guide containing the IOS discussion were supposed to have been destroyed also. Lynn indicated he would talk about a different subject, but when he started that alternate discussion, reports say that the audience became very upset. The presenter then reverted to his originally planned IOS presentation.
Legal action was threatened by Cisco against various parties, including Lynn, ISS and the Black Hat Conference organizers. The focus of this was the release of proprietary Cisco information. The demonstration didn't provide proof-of-concept code, although such code was allegedly included in the original presentation removed from the conference guide. It demonstrated how to exploit previously identified vulnerabilities in a new way, one that would result in an attacker being able to execute code of their choice on the router. While it has been known that routers are susceptible to buffer overflows, the demonstration proved that such overflows could be controlled by the attacker to allow code of their choice to execute. This was the revelation.
Lynn attempted to explain his actions by claiming he was trying to help the national infrastructure, suggesting that not disclosing this information left it with the malicious community only. Cybertrust has long felt this concept -- disclose everything because it's potentially dangerous -- is an irresponsible
This column was originally published in our weekly Security Watch newsletter.
A vulnerability is a vulnerability, and its severity is generally a significant variable. If a vulnerability purports to allow a Denial of Service attack, but in reality could be exploited to run code of the attacker's choice, the severity is increased. Improperly assessing severity could lead to unintended weaknesses being tolerated; however, a router is a critical part of your security infrastructure and should be updated on a regular basis, regardless of the severity of a vulnerability. Anyone following this basic principle (or best practice) would not be vulnerable to the attacks Lynn suggested.
As such, a claim that the demonstration helps the national infrastructure is flawed on its premise. If the national infrastructure (or some part of it) has not updated its router software to address already patched vulnerabilities, the problem is not that these vulnerabilities can be exploited to run code of the attacker's choice -- the problem is that generally accepted best practices aren't being followed. It isn't the severity of the vulnerability that's preventing the routers from being updated; it's the organization and procedures in place for keeping routers up-to-date that are flawed.
So in all likelihood, the stated intention will result in more harm to the national infrastructure than good.
Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.