CISCO’s Attempt to gag a security whistleblower has backfired with the company now getting more publicity than they bargained for.
Cisco Systems Inc and Internet Security Systems Inc have failed to put the cat back in the bag, after an uncensored document detailing former ISS researcher Michael Lynn’s cracking of Cisco’s IOS software was broadly published online.
Less than a day after Cisco and ISS won a court injunction against Lynn and Black Hat 2005, the convention at which he presented his research, a PDF of his presentation hit several high-traffic web sites, blogs and mailing lists. The leaked document even contains text that Lynn voluntarily had redacted from the presentation when he delivered it live on Wednesday morning, such as the names of IOS code strings that could make it easier to recreate his research.
On Wednesday morning, Lynn quit his job at ISS in order to present his research, which shows that IOS, the software running most of the internet’s routers, can be remotely compromised using heap overflow attacks. He said he did it for national security reasons and to prevent Cisco and ISS burying the research. His critics said he did it for the glory. Cisco and ISS said they had tried to stop his presentation because the research was “incomplete”.
The full scope of how vulnerable IOS is to remote compromise still remains unclear. Cisco released an advisory on Friday that it said covered the vulnerability Lynn had disclosed, but it appeared to bear little resemblance to the Lynn paper. Cisco said in its advisory that IOS is vulnerable to an attack, but said: “Products running any version of Cisco IOS that do not have IPv6 configured interfaces are not vulnerable.” IPv6 is an emergent technology, implemented on relatively few routers. “Successful exploitation of the vulnerability may result in a reload of the device or execution of arbitrary code,” Cisco said. Patches for the IOS vulnerability were published months ago, a Cisco spokesperson confirmed.
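A defender triaging the advisory’s stated exposure condition would first want to know which devices actually have IPv6 configured on an interface. The following is an added example, not code from the article, from Cisco or from Lynn: it scans a constructed IOS running-config excerpt and reports interfaces carrying the standard `ipv6 address` or `ipv6 enable` interface commands (the sample config is made up for illustration).

```python
import re

# Constructed sample running-config excerpt (illustrative only, not a real device).
SAMPLE_CONFIG = """\
!
ipv6 unicast-routing
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 address 2001:db8:0:1::1/64
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 no ipv6 address
!
interface Loopback0
 ipv6 enable
!
"""

# Interface sub-commands that put IPv6 on an interface; "no ipv6 ..." must not match.
IPV6_IFACE_CMD = re.compile(r"^\s+ipv6 (address|enable)\b")


def ipv6_configured_interfaces(config_text):
    """Return the names of interfaces with IPv6 configured, in config order."""
    found = []
    current = None  # name of the interface block we are inside, if any
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None  # IOS separates sections with '!'
        elif current and IPV6_IFACE_CMD.match(line):
            if current not in found:
                found.append(current)
    return found


def exposure_summary(config_text):
    """Map the advisory's condition onto one config: exposed only if any IPv6 interface exists."""
    ifaces = ipv6_configured_interfaces(config_text)
    return {"ipv6_interfaces": ifaces, "meets_advisory_condition": bool(ifaces)}


if __name__ == "__main__":
    print(exposure_summary(SAMPLE_CONFIG))
```

A clean result only reflects the condition quoted from the advisory; whether the device actually runs a patched IOS release still has to be confirmed separately.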
However, nowhere in Lynn’s presentation is IPv6 mentioned, and IPv6 was not a core theme of his speech in Las Vegas on Wednesday. During that talk, Lynn focused mainly on how to remotely deactivate a problematic security countermeasure in IOS that he called “check heaps”, which he said normally prevents heap overflow attacks from working properly. Security mailing lists on Friday started filling with speculation that Cisco was attempting to “cover up” the extent of the problem by referring to it as an IPv6-only issue.
Lynn has said repeatedly that any fully patched router is probably safe, and Cisco has said there were no “new” vulnerabilities. But the research showed that such attacks are in fact possible, reversing conventional wisdom.
The vulnerability was described as not being “new” because it was already known to Cisco. A spokesperson for the company said Cisco follows responsible disclosure practices when it comes to vulnerabilities in its software.
“Cisco follows industry guidelines on the issue of security advisories,” he said. If Cisco sees the potential for exploitation, or if the vulnerability is publicly discussed, Cisco will then always issue a public advisory, the spokesperson said.
ISS had no comment on the broad leaking of the presentation, but Cisco said in an emailed statement: “We are going to take every reasonable measure to protect our customers and the integrity of the Internet.”
That may not necessarily mean that the integrity of the internet is in fact at risk, but it’s certainly possible to infer that from the statement. It’s not clear either what “reasonable measures” may be taken, and against whom.
However, now that the document is broadly available to anyone who wants it and knows how to use the internet, no matter what color hat they wear, it renders some parts of the Lynn injunction a little pointless.
That injunction forced Lynn to tell ISS and Cisco lawyers the names of “anyone to whom he has disclosed in written form or electronically” his presentation, and to refrain from distributing any information about his IOS research.
The injunction also forces Lynn to decrypt and hand over data in his control to an independent forensics investigator, who will, under a confidentiality order, search it for data relating to IOS. Any such data would be deleted and the disk area wiped.
The FBI is now reportedly investigating Lynn over allegations that he violated ISS trade secrets, although he claims he did not do anything criminal. An FBI spokesperson did not return a call for comment by press time.
Wired News quoted Lynn’s attorney as saying the FBI were probing, but that there was no arrest warrant and no evidence had been discovered that Lynn had committed a crime. She could not be reached for comment on Friday.
There were also various rumors going around Black Hat last week that President Bush was involved in the controversy, most of them along the lines that he had received a call from Cisco chief John Chambers and/or ISS boss Tom Noonan about the issue.
While that may end up in the annals of security apocrypha, there was, as there usually is, a government presence at Black Hat, and Lynn said they had been very interested in, even supportive of, his research.
He said that he had been sidelined by people from several “government agencies” immediately following his presentation and taken into an empty service corridor at Caesars Palace, where somebody said “Is the truck ready?”
The agency man was joking, but Lynn is attracting this kind of attention because IOS is a critical piece of the internet’s infrastructure. Cisco owns half of the market for new router sales, and in previous years its share has been much higher.
A worm that exploited an IOS vulnerability could credibly be referred to as a “network killer”, though crashing routers would certainly impede propagation. Directed man-in-the-middle attacks to snoop on traffic would also be possible, according to Lynn.
Many people assume that security researchers working in the corporate or public domain tend to be somewhat behind well-funded government agencies. Many assume the US, China, Israel and others are well ahead of the curve on data security.
Lynn reasons that if he knows how to hack IOS, and Cisco knows how to hack IOS, somebody else probably knows how to hack IOS too, and that third person may either be not very nice, or an operative of an unfriendly government.