LAS VEGAS - Researcher Michael Lynn quit his job at Internet Security Systems last week, then defied ISS and Cisco by revealing that unpatched Cisco routers can be hacked by a buffer-overflow exploit. Until then, corporate network managers were largely unaware of the risk.
Cisco and ISS had known for months. And it's feared that hackers knew, too, as Chinese bulletin boards are said to have contained at least some knowledge of the vulnerability.
The confluence of events - all coming to a head last week at the Black Hat security conference - has reignited the long-smoldering debate over what constitutes responsible disclosure of security risks. Cisco insists that Lynn acted both irresponsibly and illegally, and obtained a court order barring him and show organizers from further disclosures.
"The actions against Mr. Lynn and Black Hat were not based on the fact that the flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure," Cisco said in a statement, adding what Lynn did "was not in the best interest of protecting the Internet."
Lynn maintains that he acted properly, a position that garnered backing from security experts and conference attendees.
"I think I did the right thing," he says. "I didn't disclose any vulnerabilities that were new. The important thing is that vulnerabilities can be seriously exploited." The fact that Cisco source code was stolen last year makes the chances of an exploit more likely and that heightened risk demanded early disclosure, Lynn says.
That sentiment was widely held last week.
"Cisco should have told us earlier about this because it clearly makes patching a high priority that has to be done," said Joseph Klein, senior security analyst at Honeywell Technology Solutions.
The shellcode flaw and Cisco's reaction to it are "definitely a source of concern," said Joe Moore, director of IT for the state of Arizona, auditor general's office. "There is a lot hanging on what kind of equipment you have facing the public network. ... If you have a flaw brought to light, I don't think Cisco should have a problem sharing that flaw, especially if it's already been taken care of, like Cisco says it has... as opposed to trying to hush up the person who exposed the flaw."
John Parsons, manager of global telecommunications and networks at Kodak, says the company's router engineers keep its Cisco equipment current with updated patches. Parsons expressed some sympathy for Cisco's position in going after Lynn. "Maybe Cisco wanted to make sure they had the proper patches or workarounds ready for this, which I think is reasonable," he says.
On Friday, Cisco was to have posted a security advisory related to the issue of remote exploits of Cisco routers.
ISS and Cisco had planned to have Lynn talk about this new type of potentially devastating buffer-overflow attack against unpatched routers, but canceled at the last minute, saying more research was needed.
However, Lynn broke ranks, defiantly speaking out on the subject for what he says were reasons of national security.
He was promptly sued by ISS and Cisco, which claimed his actions were illegal. Lynn acknowledged in a settlement reached Thursday that he had broken confidentiality agreements and by week's end he and his lawyer were delivering sensitive materials and software related to the router exploit into the hands of Cisco lawyers.