| By Security News Desk |
Article Rating: |
|
| August 1, 2005 04:00 AM EDT |
Reads: |
16,438 |
Security officials at Cisco have released a patch to fix the Internet Operating System (IOS) problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn — who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference — was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.
Lynn, who has an extensive background in embedded systems, including kernel development and whose research interests include signals intelligence, cryptography, VoIP, reverse engineering, "and any protocol designed by committee," had recently been concentrating his research focus on securing critical routing infrastructures. As a result, his Black Hat talk was on how the Cisco IOS — the most widely deployed network infrastructure operating system — has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows...but isn't.
Lynn provided an architectural overview of IOS and explored the feasibility of code execution against Cisco routers.
This is where Cisco moved in. Wishing to curtail a sudden spate of buffer overflow exploits against the world's most widely deployed network infrastructure OS, Cisco immediately sought to silence Lynn on the basis that the information he was disseminating was "not in the best interest of protecting the Internet" and sure enough Lynn and his attorney eventually agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research.
Raven Alder (pictured), a senior security consultant and senior network engineer and speaker at the DEF CON hacker 
convention which followed Black Hat, then took up the issue, summarizing Lynn's findings and discussing potential vulnerabilities in Cisco's IOS that could be used to compromise the networking giant's products.
She said (to Cisco): "Hiding your head in the sand is not going to help; suing researchers is not going to help — Cisco, you are really screwing up here." The audience applause suggested Cisco would need to do a great deal to get back on cordial terms with the security research community, so the news that the company has now patched the flaw — even though it comes a day after the close of DEF CON 13 rather than while it was still running in Las Vegas — should be a good first step.
In its Security Advisory, Cisco says:
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.
Cisco has made free software available to address this vulnerability for all affected customers.
Subscribe to Virtualization Journal Email News Alerts
Subscribe via RSS
