Cisco Tries to Quash Vulnerability Talk at Black HatBy Paul F. Roberts | Posted 2005-07-27 Email Print
Updated: A researcher followed through with a presentation on a security hole in Cisco's IOS even after the network equipment company theatened to shut down the conference if the information wasn't suppressed.A discussion of vulnerability in Cisco Systems Inc.'s IOS provoked controversy at this year's Black Hat Briefings conference in Las Vegas, after the San Jose, Calif., networking vendor forced conference organizers to physically remove notes on the strategy for remotely exploiting IOS systems from conference proceedings.
The researcher, Michael Lynn, ultimately presented information on the hole, but only after resigning his position at the vulnerability research company ISS (Internet Security Systems).
The security flaw affects all versions of the Internetwork Operating System, which runs on Cisco gear that forms the backbone of the Internet, and could be used to launch a "digital Pearl Harbor," Lynn said, using a phrase coined by former White House cyber-security chief Richard Clarke to describe an unexpected attack that cripples the global Internet.
Neel Mehta, a researcher with ISS's X-Force, said Lynn had agreed to scale down the presentation on IOS after ISS and Cisco decided to give the San Jose networking equipment maker more time to work on the issues raised.
But Lynn changed his mind at the last minute, prompting his resignation. "Mike had a lot invested in this presentation," Mehta said.
Lynn discovered the IOS flaws while doing vulnerability research on IOS for ISS.
ISS reported the flaw to Cisco, which has since released upgrades for IOS that fix the problem, and halted downloads of older IOS versions that contain it, Lynn said.
According to Lynn, flaws in IOS could allow attackers to use "heap overflows" to crash Cisco routers running IOS by sending chunks of data to Cisco devices running IOS that overwrite memory.
In order to get the overflows to work, Lynn manipulated IOS to disable a process called "check heap," which is designed to detect such irregularities, and used an older exploit, known as an "uncontrolled pointer exchange," to trick vulnerable Cisco devices into running attack code.
The technique developed by Lynn would give remote attackers access to the IOS "shell," from which the attacker could control the device.
With control of a Cisco router running IOS, for example, attackers could control or snoop on the content of network traffic passing through the device, Lynn said.
Interest in Lynn's talk was high, after word of the late-night quashing of the talk circulated around the conference.
In a bit of drama that has become a hallmark of Black Hat, attendees to Lynn's talk were initially told that the IOS exploit would not be discussed because of "circumstances beyond our control," and that Lynn would discuss a security hole in the VOIP (voice over IP) protocol instead.
But in a dramatic turn of events, Lynn reversed course, informed audience members that he had quit ISS and would discuss the hole, even though he had been told that doing so would result in him being sued by his former employer and by ISS.
Lynn said he felt compelled to discuss the hole because hackers had "already stolen the IOS source code" and "you don't steal the IOS source code to not hack routers," he said.
He declined to elaborate on the charge that hackers had made off with the source code, which would make it easy for them to find IOS security flaws.
While code to exploit the IOS vulnerability would be difficult to distribute as an Internet worm, such an attack isn't impossible, he said.
Cisco is not aware of a theft of its IOS code beyond an unauthorized leak of portions of the IOS source code in May 2004, a company spokesperson said.
Companies that are running up-to-date versions of Cisco IOS software, or "firmware," are probably not vulnerable to the attack, he said.
ISS had been planning to discuss the hole at Black Hat, but was contacted by Cisco last week when the companies agreed to cancel or scale back the talk, giving Cisco more time to make IOS "immune" to attack, Mehta said.
After learning of Lynn's plans to present information on the IOS exploit at the Black Hat conference on Wednesday, however, Cisco and ISS demanded that Black Hat organizers cancel the talk and sent representatives to remove any information pertaining to the problem from conference materials.
As of Wednesday morning, 20 pages concerning the hole were cut out of conference briefings, and CDs containing show presentations were not being distributed with show materials.
Cisco and ISS had decided in early July that the presentation should not be given at Black Hat, but learned last week that an early draft of the presentation had made it into the conference proceedings anyway, a Cisco spokesperson said.
A Black Hat spokesperson said the company was not available to comment because executives were still consulting with lawyers about the incident.
Mehta also declined to comment on what actions his company might take against Lynn or Black Hat organizers.
However, a Cisco spokesperson acknowledged that ISS and Cisco had filed a temporary restraining order and injunction against Lynn and Black Hat in the U.S. District Court for the Northern District of California in San Jose to prevent them from disseminating information about the IOS security holes.
Many attendees applauded Lynn's actions, but took issue with the alleged efforts by Cisco and ISS to quash discussion of the hole.
Ali-Reza Anghaie, a senior systems engineer for an aerospace company who attended the show, expressed outrage at ISS, which he accused of caving to pressure from Cisco.
The company, which sells vulnerability scanning technology, has an obligation to reveal details of security holes to customers.
"As a customer, [ISS] can't put me in the position where they're providing protection for security holes, but not telling me what the holes are," he said.
Mehta expressed disappointment about the way in which the IOS talk was handled, but said that the IOS exploit was not technically a vulnerability, but an "architecture issue," on which ISS wouldn't necessarily brief customers.
Editor's Note: This story was updated to clarify the details of Lynn's presentation and to include statements from a Cisco spokesperson and Neel Mehta, a researcher with ISS's X-Force.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.