Digital Edition

SYS-CON.TV
Cisco Patches Flaw Highlighted in Las Vegas Security Conferences
After Its Legal Tactics vs Michael Lynn, IOS Vulnerability Quickly Addressed

Security officials at Cisco have released a patch to fix the Internet Operating System (IOS) problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn — who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference — was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.

Lynn, who has an extensive background in embedded systems, including kernel development and whose research interests include signals intelligence, cryptography, VoIP, reverse engineering, "and any protocol designed by committee," had recently been concentrating his research focus on securing critical routing infrastructures. As a result, his Black Hat talk was on how the Cisco IOS — the most widely deployed network infrastructure operating system — has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows...but isn't.

Lynn provided an architectural overview of IOS and explored the feasibility of code execution against Cisco routers.

This is where Cisco moved in. Wishing to curtail a sudden spate of buffer overflow exploits against the world's most widely deployed network infrastructure OS, Cisco immediately sought to silence Lynn on the basis that the information he was disseminating was "not in the best interest of protecting the Internet" and sure enough Lynn and his attorney eventually agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research.

Raven Alder (pictured), a senior security consultant and senior network engineer and speaker at the DEF CON hacker convention which followed Black Hat, then took up the issue, summarizing Lynn's findings and discussing potential vulnerabilities in Cisco's IOS that could be used to compromise the networking giant's products.

She said (to Cisco): "Hiding your head in the sand is not going to help; suing researchers is not going to help — Cisco, you are really screwing up here." The audience applause suggested Cisco would need to do a great deal to get back on cordial terms with the security research community, so the news that the company has now patched the flaw — even though it comes a day after the close of DEF CON 13 rather than while it was still running in Las Vegas — should be a good first step.

In its Security Advisory, Cisco says:

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

Cisco has made free software available to address this vulnerability for all affected customers.

About Jeremy Geelan
Jeremy Geelan is Chairman & CEO of the 21st Century Internet Group, Inc. and an Executive Academy Member of the International Academy of Digital Arts & Sciences. Formerly he was President & COO at Cloud Expo, Inc. and Conference Chair of the worldwide Cloud Expo series. He appears regularly at conferences and trade shows, speaking to technology audiences across six continents. You can follow him on twitter: @jg21.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Cisco Patches Flaw Highlighted in Las Vegas Security Conferences. Security officials at Cisco have released a patch to fix the problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn - who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference - was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.

Should a security problem be made public? Should it not? If you were driving a car that really needed to be recalled - wouldn't you want to know about it?

I'm glad for Michael Lynn that this affair ended quickly and not too harshly. Kudos to him for his courage.




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

A valuable conference experience generates new contacts, sales leads, potential strategic partners a...
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can ...
Containers and Kubernetes allow for code portability across on-premise VMs, bare metal, or multiple ...
We are seeing a major migration of enterprises applications to the cloud. As cloud and business use ...
SYS-CON Events announced today that Silicon India has been named “Media Sponsor” of SYS-CON's 21st I...
DXWorldEXPO LLC announced today that "IoT Now" was named media sponsor of CloudEXPO | DXWorldEXPO 20...
In this presentation, you will learn first hand what works and what doesn't while architecting and d...
SYS-CON Events announced today that CrowdReviews.com has been named “Media Sponsor” of SYS-CON's 22n...
Everyone wants the rainbow - reduced IT costs, scalability, continuity, flexibility, manageability, ...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT...
SYS-CON Events announced today that DatacenterDynamics has been named “Media Sponsor” of SYS-CON's 1...
DXWorldEXPO LLC announced today that All in Mobile, a mobile app development company from Poland, wi...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point wh...
Andi Mann, Chief Technology Advocate at Splunk, is an accomplished digital business executive with e...
DXWorldEXPO LLC announced today that ICOHOLDER named "Media Sponsor" of Miami Blockchain Event by Fi...
Today, we have more data to manage than ever. We also have better algorithms that help us access our...
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: D...
DevOpsSummit New York 2018, colocated with CloudEXPO | DXWorldEXPO New York 2018 will be held Novemb...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, ...
@DevOpsSummit at Cloud Expo, taking place November 12-13 in New York City, NY, is co-located with 22...