Network World
Questions dog Cisco routers

Company says testing may reveal wider impact.
By Ellen Messmer and Phil Hochmuth , Network World , 08/08/2005

Heavy fallout continues on several fronts from a security researcher's recent disclosure that unpatched Cisco routers can be subverted by buffer-overflow attacks and shell-code exploits.

Among the developments last week: Cisco continually revised its security bulletin, adding details as to how versions of unpatched IOS software could be undermined by a "specifically crafted IPv6 packet." Sources at Cisco say testing will continue indefinitely and could include findings related to more than simply IPv6-related exploits.

The researcher who touched off the uproar, Michael Lynn, says he is now the subject of inquiries by FBI agents, and he continues to defend the propriety of his actions.

The episode rekindled debate about "responsible disclosure," the notion that information about major security problems should be made public in a way that brings minimal risk to customers.

According to Lynn and other experts, what Lynn described and demonstrated at the Black Hat Conference on July 27 could potentially lead to manipulation of Cisco router tables, denial-of-service attacks and access to confidential data.

Through a security advisory, Cisco has indicated that the way some unpatched IOS routers handle IPv6, which has seen little adoption in North America outside of research labs, is a conduit for the type of buffer-overflow exploit revealed by Lynn. But last week, a Cisco spokesman acknowledged the exploit may be possible in other ways. "There's ongoing information gathering and more testing," says Cisco spokesman John Noh.

Cisco last week also released a new patch for Cisco IOS-XR, its new carrier-focused router operating system, which was introduced last year for its CRS-1 Internet core router, and ported to the 12000 series of carrier routers this year.

Experts and users say the hole in IOS appears not to be an immediate concern based on what is public knowledge at the moment, since patches are available. But what concerns some is that Lynn's exploit techniques take router hacking to a new level, which eventually could have security implications for Cisco customers.

"Strategically, this is a very serious issue for Cisco," says David Lawson, vice president and director of global security practice at Greenwich Technology Partners, a New York integration and consulting firm that specializes in Cisco technology. "It proves something we've been saying in the security field for a long time, that a router is breakable."

Many IOS exploits in the past would simply cause a router to crash or reload itself, he adds.

"The big key to what [Lynn] did was to demonstrate a way to fool [the router] into thinking it was already crashing, so that it didn't initiate the shutdown sequence. If you can do that, that opens up the ability to open up other exploits. Now you can actually get code running that does god-only-knows what."

Responsible disclosure?

As for the question of responsible disclosure and whether Lynn represented that ideal or not, opinions continue to differ.

"I personally wouldn't have done it the way he did it," says Justin Bingham, CTO at security vendor Intrusic, referring to Lynn's action in defying Cisco and Internet Security Systems (ISS) - his employer until he quit just hours before giving his demonstration. "I like my career being a security researcher and a lot of that is based on trust with your customers and other companies."

Lynn, who has acknowledged breaking non-disclosure agreements in speaking out about the router exploit, says he took the step out of concern that withholding the knowledge would help would-be attackers and even posed a national security concern.

"The vulnerability which I demonstrated, but didn't give any information about, was properly disclosed to Cisco months in advance," Lynn says. "They had patches publicly available for months before I went on stage.

"That said, the disclosure debate is one that needs to happen. The idea of full disclosure is just about as dangerous as no disclosure at all. As with most things, we have to find the proper balance."

While Lynn has settled one lawsuit with Cisco and ISS, agreeing not to disclose anything he knows about the exploit, his problems don't seem to be over. The FBI is investigating him and interviewing friends and roommates, he says.

ISS, which declined to discuss the Lynn matter last week, has sought to stop the spread of the electronic version of the presentation slides that Lynn showed at Black Hat (many of which are labeled with the ISS logo) by threatening legal action against Web sites posting them.

ISS has benefited from its research by including preemptive protections for the vulnerabilities in its Proventia IPS product line and Internet Scanner products. ISS had been planning to make a big splash at Black Hat by unveiling the Cisco router flaw, but backed down when Cisco balked. But Lynn, after quitting his job at ISS, spoke out anyway.
