Re: Cisco IOS Exploit Cover Up

From: James Baldwin (no email)
Date: Thu Jul 28 2005 - 09:24:22 EDT


    On Jul 28, 2005, at 3:29 AM, Neil J. McRae wrote:

    > I couldn't disagree more. Cisco are trying to control the
    > situation as best they can so that they can deploy the needed
    > fixes before the $scriptkiddies start having their fun. It's
    > no different to how any other vendor handles an exploit and
    > I'm surprised to see network operators having such an attitude.
    >

    That's part of the issue: this wasn't an exploit in the sense of
    something a $scriptkiddie could exploit. The sheer technical
    requirements of the exploit itself ensure that it will only be
    reproduced by a small number of people across the globe. There was no
    source or proof of concept code released and duplicating the
    information would only provide you a method to increase the severity
    of other potential exploits. It does not create any new exploits.
    Moreover, the fix for this was already released and you have not been
    able to download a vulnerable version of the software for months;
    however, there was no indication from Cisco regarding the severity of
    the required upgrade. That is to say, they knew in April that
    arbitrary code execution was possible on routers, they had it fixed
    by May, and we're hearing about it now and if Cisco had its way we
    might still not be hearing about it.

    How many network engineers knew there was a potential problem of this
    magnitude at the beginning of May? If, knock on wood, someone had
    released this code into the wild then how many networks would have been
    vulnerable despite the availability of a fix?

    Considering that Mr. Lynn's presentation was flawless, it is
    interesting to note that Cisco and ISS considered the information to
    be "not quite complete." This is especially interesting since the
    research was done weeks ago according to the researcher. It's surprising
    that such a decision as to the incompleteness of the presentation and
    the retraction of Cisco's support for the presentation were withdrawn
    only several days before the talk. It would lead me to believe that
    both companies had less interest in a "process of disclosure and
    communication" and more with burying this information for a year or
    more.

    I agree with everyone that making attack tools and exploit
    information available to the public prior to a fix being generated
    with the vendor is a poor method of encouraging good security,
    however that is far from the case in this matter. A fix had been
    generated with the vendor and it was time for the information to
    become public so network operators understood that the remote
    execution empty world we had lived in until now was over.

    More links:
    http://www.wired.com/news/privacy/0,1848,68328,00.html?tw=wn_story_page_prev2
    http://securityfocus.com/news/11259

