I’ve talked about responsible and ethical disclosure before and I’ll be the first to speak out against reckless disclosures, but this was clearly not a case of irresponsible disclosure. This isn’t a case where a security researcher finds a serious vulnerability and then immediately releases the proof-of-concept exploit code to the whole world without notifying the vendor or letting them have a chance to patch the hole. All Michael Lynn did was demonstrate for the first time in public that it is possible to take over a Cisco router to obtain “enable mode” (the equivalent of the Windows “Administrator” account or UNIX “root” account) on a Cisco router that wasn’t running the latest IOS code. This was a demonstration that worked on existing vulnerabilities that were already patched. Michael Lynn simply wanted the world to know that the network backbone of the Internet and nearly every organization on the planet could be hijacked if the latest Cisco IOS software wasn’t installed. Cisco simply didn’t want anyone to talk about it for fear of negative PR and set out to put a gag on Black Hat 2005, which ironically has brought ten times the attention to the vulnerability that it would have had otherwise.
While most core Internet backbone routers are usually up-to-date because they can’t afford any kind of vulnerabilities leading to downtime or system compromise, this isn’t the case for most businesses and organizations, where nearly all switches and routers are never routinely updated. Not only are they not routinely updated, it’s very common for Cisco switches and routers to be running on software that is 3 or more years old because they are thought of as plumbing that you just install and forget. There is still a widespread belief that Cisco IOS could never be remotely exploited and the attitude that “if it ain’t broke, don’t fix it”.
Another responsible journalist who is speaking out!
Thanks George Ou!
Much more in the article – and – Cisco on July 29, 2005 (updated August 1, 2005) finally released a Security Advisory on this!
You will also notice that Owning IOS Black Hat 2005 has been majorly changed since yesterday when I looked at it. Here’s the quote on the page:
Revised August 1, 2005
NOTE: In response to legal action initiated by Internet Security Systems (ISS), photographs of Michael Lynn’s slides have been removed. Full copies of the presentation may still be found on the Internet.
The revised line is in bold red on the page.