Digital Edition

SYS-CON.TV
Cisco Patches Flaw Highlighted in Las Vegas Security Conferences
After Its Legal Tactics vs Michael Lynn, IOS Vulnerability Quickly Addressed

Security officials at Cisco have released a patch to fix the Internet Operating System (IOS) problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn — who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference — was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.

Lynn, who has an extensive background in embedded systems, including kernel development and whose research interests include signals intelligence, cryptography, VoIP, reverse engineering, "and any protocol designed by committee," had recently been concentrating his research focus on securing critical routing infrastructures. As a result, his Black Hat talk was on how the Cisco IOS — the most widely deployed network infrastructure operating system — has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows...but isn't.

Lynn provided an architectural overview of IOS and explored the feasibility of code execution against Cisco routers.

This is where Cisco moved in. Wishing to curtail a sudden spate of buffer overflow exploits against the world's most widely deployed network infrastructure OS, Cisco immediately sought to silence Lynn on the basis that the information he was disseminating was "not in the best interest of protecting the Internet" and sure enough Lynn and his attorney eventually agreed to a permanent injunction that prevents him from using any Cisco code in his possession for further reverse engineering or security research.

Raven Alder (pictured), a senior security consultant and senior network engineer and speaker at the DEF CON hacker convention which followed Black Hat, then took up the issue, summarizing Lynn's findings and discussing potential vulnerabilities in Cisco's IOS that could be used to compromise the networking giant's products.

She said (to Cisco): "Hiding your head in the sand is not going to help; suing researchers is not going to help — Cisco, you are really screwing up here." The audience applause suggested Cisco would need to do a great deal to get back on cordial terms with the security research community, so the news that the company has now patched the flaw — even though it comes a day after the close of DEF CON 13 rather than while it was still running in Las Vegas — should be a good first step.

In its Security Advisory, Cisco says:

Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation.

Cisco has made free software available to address this vulnerability for all affected customers.

About Jeremy Geelan
Jeremy Geelan is Chairman & CEO of the 21st Century Internet Group, Inc. and an Executive Academy Member of the International Academy of Digital Arts & Sciences. Formerly he was President & COO at Cloud Expo, Inc. and Conference Chair of the worldwide Cloud Expo series. He appears regularly at conferences and trade shows, speaking to technology audiences across six continents. You can follow him on twitter: @jg21.

In order to post a comment you need to be registered and logged in.

Register | Sign-in

Reader Feedback: Page 1 of 1

Cisco Patches Flaw Highlighted in Las Vegas Security Conferences. Security officials at Cisco have released a patch to fix the problem that resulted in 'Ciscogate' T-shirts going on sale last week in Las Vegas, after Michael Lynn - who gave a controversial presentation on Cisco security (or, rather, insecurity) at the Black Hat Security Conference - was the subject of a permanent injunction preventing him from using any Cisco code in his possession for further reverse engineering or security research or presenting the same material at the DEF CON hacker convention which followed Black Hat.

Should a security problem be made public? Should it not? If you were driving a car that really needed to be recalled - wouldn't you want to know about it?

I'm glad for Michael Lynn that this affair ended quickly and not too harshly. Kudos to him for his courage.




ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

Blockchain has shifted from hype to reality across many industries including Financial Services, Sup...
Concerns about security, downtime and latency, budgets, and general unfamiliarity with cloud technol...
In very short order, the term "Blockchain" has lost an incredible amount of meaning. With too many j...
Cloud Storage 2.0 has brought many innovations, including the availability of cloud storage services...
For enterprises to maintain business competitiveness in the digital economy, IT modernization is req...
Cloud-Native thinking and Serverless Computing are now the norm in financial services, manufacturing...
Public clouds dominate IT conversations but the next phase of cloud evolutions are "multi" hybrid cl...
Data center, on-premise, public-cloud, private-cloud, multi-cloud, hybrid-cloud, IoT, AI, edge, SaaS...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web...
Isomorphic Software is the global leader in high-end, web-based business applications. We develop, m...
Most modern computer languages embed a lot of metadata in their application. We show how this goldmi...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with exp...
Every organization is facing their own Digital Transformation as they attempt to stay ahead of the c...
Moving to Azure is the path to digital transformation, but not every journey is effective. Organizat...
At CloudEXPO Silicon Valley, June 24-26, 2019, Digital Transformation (DX) is a major focus with exp...
Intel is an American multinational corporation and technology company headquartered in Santa Clara, ...
Darktrace is the world's leading AI company for cyber security. Created by mathematicians from the U...
Data center, on-premise, public-cloud, private-cloud, multi-cloud, hybrid-cloud, IoT, AI, edge, SaaS...
DevOps has long focused on reinventing the SDLC (e.g. with CI/CD, ARA, pipeline automation etc.), wh...
On-premise or off, you have powerful tools available to maximize the value of your infrastructure an...