Digital Edition

SYS-CON.TV
Cisco Patches Flaw Highlighted in Las Vegas Security Conferences
After Its Legal Tactics vs Michael Lynn, IOS Vulnerability Quickly Addressed

Security officials at Cisco have released a patch to fix the Internet Operating System (IOS) problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn — who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference — was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.

Lynn, who has an extensive background in embedded systems, including kernel development and whose research interests include signals intelligence, cryptography, VoIP, reverse engineering, "and any protocol designed by committee," had recently been concentrating his research focus on securing critical routing infrastructures. As a result, his Black Hat talk was on how the Cisco IOS — the most widely deployed network infrastructure operating system — has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows...but isn't.

Lynn provided an architectural overview of IOS and explored the feasibility of code execution against Cisco routers.

This is where Cisco moved in. Wishing to curtail a sudden spate of buffer overflow exploits against the world's most widely deployed network infrastructure OS, Cisco immediately sought to silence Lynn on the basis that the information he was disseminating was "not in the best interest of protecting the Internet" and sure enough Lynn and his attorney eventually agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research.

Raven Alder (pictured), a senior security consultant and senior network engineer and speaker at the DEF CON hacker convention which followed Black Hat, then took up the issue, summarizing Lynn's findings and discussing potential vulnerabilities in Cisco's IOS that could be used to compromise the networking giant's products.

She said (to Cisco): "Hiding your head in the sand is not going to help; suing researchers is not going to help — Cisco, you are really screwing up here." The audience applause suggested Cisco would need to do a great deal to get back on cordial terms with the security research community, so the news that the company has now patched the flaw — even though it comes a day after the close of DEF CON 13 rather than while it was still running in Las Vegas — should be a good first step.

In its Security Advisory, Cisco says:

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

Cisco has made free software available to address this vulnerability for all affected customers.

About Jeremy Geelan
Jeremy Geelan is Chairman & CEO of the 21st Century Internet Group, Inc. and an Executive Academy Member of the International Academy of Digital Arts & Sciences. Formerly he was President & COO at Cloud Expo, Inc. and Conference Chair of the worldwide Cloud Expo series. He appears regularly at conferences and trade shows, speaking to technology audiences across six continents. You can follow him on twitter: @jg21.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Cisco Patches Flaw Highlighted in Las Vegas Security Conferences. Security officials at Cisco have released a patch to fix the problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn - who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference - was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.

Should a security problem be made public? Should it not? If you were driving a car that really needed to be recalled - wouldn't you want to know about it?

I'm glad for Michael Lynn that this affair ended quickly and not too harshly. Kudos to him for his courage.




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

CloudEXPO | DevOpsSUMMIT | DXWorldEXPO Silicon Valley 2019 will cover all of these tools, with the m...
Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism...
Technological progress can be expressed as layers of abstraction - higher layers are built on top of...
"Calligo is a cloud service provider with data privacy at the heart of what we do. We are a typical ...
Having been in the web hosting industry since 2002, dhosting has gained a great deal of experience w...
NanoVMs is the only production ready unikernel infrastructure solution on the market today. Unikerne...
SUSE is a German-based, multinational, open-source software company that develops and sells Linux pr...
Your job is mostly boring. Many of the IT operations tasks you perform on a day-to-day basis are rep...
When building large, cloud-based applications that operate at a high scale, it’s important to mainta...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, disc...
Big Switch's mission is to disrupt the status quo of networking with order of magnitude improvements...
Dynatrace is an application performance management software company with products for the informatio...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Ser...
All in Mobile is a mobile app agency that helps enterprise companies and next generation startups bu...
Yottabyte is a software-defined data center (SDDC) company headquartered in Bloomfield Township, Oak...
Serveless Architectures brings the ability to independently scale, deploy and heal based on workload...
Whenever a new technology hits the high points of hype, everyone starts talking about it like it wil...
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the c...
Bill Schmarzo, Tech Chair of "Big Data | Analytics" of upcoming CloudEXPO | DXWorldEXPO New York (No...
Chris Matthieu is the President & CEO of Computes, inc. He brings 30 years of experience in developm...