Security Watch

Russ Weighs in on Mike Lynn

Lynn's disclosure of the Cisco IOS vulnerability targets the technical, but what's really at issue is bad practices.

A presentation delivered at the Black Hat Conference in Las Vegas demonstrated how a vulnerable Cisco router running an out-of-date version of the operating system IOS could be attacked and completely compromised remotely.

Several factors combined to make this significant. First, the presenter, Mike Lynn, had been an employee of the security company ISS until two hours before the talk. He resigned just before delivering it, and the talk included information Cisco claimed was proprietary and had been obtained by reverse engineering IOS.

Cisco and ISS had been in talks to determine whether or not to allow Lynn to deliver the scheduled talk. They decided to prohibit the presentation, and Cisco employees physically removed all of the presentation materials from the Black Hat presentation guide. Digital copies of the presentation guide containing the IOS discussion were supposed to have been destroyed as well. Lynn indicated he would talk about a different subject, but reports say that when he began that alternate discussion the audience became very upset. He then reverted to his originally planned IOS presentation.

Cisco threatened legal action against various parties, including Lynn, ISS and the Black Hat Conference organizers, focusing on the release of proprietary Cisco information. The demonstration didn't provide proof-of-concept code, although such code was allegedly included in the original presentation removed from the conference guide. It showed how to exploit previously identified vulnerabilities in a new way that would let an attacker execute code of his choice on the router. While it has long been known that routers are susceptible to buffer overflows, the demonstration proved that such overflows could be controlled by the attacker so that code of their choice executes. That was the revelation.

Lynn attempted to explain his actions by claiming he was trying to help the national infrastructure, suggesting that not disclosing this information left it with the malicious community only. Cybertrust has long felt this concept -- disclose everything because it's potentially dangerous -- is an irresponsible approach.

This column was originally published in our weekly Security Watch newsletter.

A vulnerability is a vulnerability, and its severity is generally a significant variable. If a vulnerability purports to allow only a denial-of-service attack but in reality can be exploited to run code of the attacker's choice, its severity is increased. Improperly assessing severity could lead to unintended weaknesses being tolerated; however, a router is a critical part of your security infrastructure and should be updated on a regular basis, regardless of the severity of any particular vulnerability. Anyone following this basic principle (or best practice) would not be vulnerable to the attacks Lynn described.

As such, a claim that the demonstration helps the national infrastructure is flawed on its premise. If the national infrastructure (or some part of it) has not updated its router software to address already patched vulnerabilities, the problem is not that these vulnerabilities can be exploited to run code of the attacker's choice -- the problem is that generally accepted best practices aren't being followed. It isn't the severity of the vulnerability that's preventing the routers from being updated; it's the organization and procedures in place for keeping routers up-to-date that are flawed.

So in all likelihood, the stated intention will result in more harm to the national infrastructure than good.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
