Router flaw sparks battle

Cisco and critics spar over what constitutes responsible disclosure.

LAS VEGAS - Researcher Michael Lynn quit his job at Internet Security Systems last week, then defied ISS and Cisco by revealing that unpatched Cisco routers can be hacked by a buffer-overflow exploit. Until then, corporate network managers were largely unaware of the risk.

Cisco and ISS had known for months. And it's feared that hackers knew, too, as Chinese bulletin boards are said to have contained at least some knowledge of the vulnerability.

The confluence of events - all coming to a head last week at the Black Hat security conference - has reignited the long-smoldering debate over what constitutes responsible disclosure of security risks. Cisco insists that Lynn acted both irresponsibly and illegally, and obtained a court order barring him and show organizers from further disclosures.

Gibbs says we should applaud LynnNetwork World Test Alliance member Rodney Thayer on the affairEvent highlights RFID, VoIP security

Discuss the case in our Lynn forum

Audio:

Also from Black Hat:

Lynn maintains that he acted properly, a position that garnered backing from security experts and conference attendees.

"I think I did the right thing," he says. "I didn't disclose any vulnerabilities that were new. The important thing is that vulnerabilities can be seriously exploited." The fact that Cisco source code was stolen last year makes the chances of an exploit more likely and that heightened risk demanded early disclosure, Lynn says.

That sentiment was widely held last week.

"Cisco should have told us earlier about this because it clearly makes patching a high priority that has to be done," said Joseph Klein, senior security analyst at Honeywell Technology Solutions.

The shellcode flaw and Cisco's reaction to it are "definitely a source of concern," said Joe Moore, director of IT for the state of Arizona, auditor general's office. "There is a lot hanging on what kind of equipment you have facing the public network. ... If you have a flaw brought to light, I don't think Cisco should have a problem sharing that flaw, especially if it's already been taken care of, like Cisco says it has... as opposed to trying to hush up the person who exposed the flaw."

John Parsons, manager of global telecommunications and networks at Kodak, says the company's router engineers keep its Cisco equipment current with updated patches. Parsons expressed some sympathy for Cisco's position in going after Lynn. "Maybe Cisco wanted to make sure they had the proper patches or workarounds ready for this, which I think is reasonable," he says.

On Friday, Cisco was to have posted a security advisory related to the issue of remote exploits of Cisco routers.

ISS and Cisco had planned to have Lynn talk about this new type of potentially devastating buffer-overflow attack against unpatched routers, but canceled at the last minute, saying more research was needed.

However, Lynn broke ranks, defiantly speaking out on the subject for what he says were reasons of national security.

He was promptly sued by ISS and Cisco, which claimed his actions were illegal. Lynn acknowledged in a settlement reached Thursday that he had broken confidentiality agreements and by week's end he and his lawyer were delivering sensitive materials and software related to the router exploit into the hands of Cisco lawyers.

In addition to Lynn, Cisco sued the Black Hat conference and launched a bizarre late-night purging campaign that had a team from Cisco physically cutting 15 pages of sensitive information about the exploit out of the conference proceedings and destroying conference CDs.

Talk of the confrontation dominated the conference (read columnist Mark Gibbs' take on Lynn's outburst). Security researchers expressed concern that what happened to Lynn will result in chilling security research that sometimes simply involves sharing ideas.

Johnny Long, penetration tests at Computer Science Corp., presented a live demonstration on how to use advanced search capabilities in Google as a hacking tool to uncover sensitive information inside corporate networks. He noted that Google is taking such information to heart by quietly beginning to block some search attempts, which he called a step in the right direction.

"Actually, I'm not being sued by Google," Long joked, but said the furor over the Cisco router exploit is leaving a huge impression on researchers who might become more cautious about discussing problems they uncover.

In one of its legal filings against Lynn last week, Cisco claimed the method of reverse engineering that he used to uncover the buffer-overflow exploit is illegal - a contention that drew skepticism from some experts.

"As long as reverse engineering is for research purposes, and no one is trying to make money off it, it's not illegal," said Marc Maiffrett, co-founder and chief hacking officer at eEye Digital Security, a vulnerability and research and security vendor.

Legal issues aside, Cisco's moves against Lynn send the wrong message to the security community, Maiffrett said. "Security researchers aren't going to make the stuff public if Cisco is just going to come back at them with legal action."

Frank Dzubeck, president of Communications Network Architects, said he doubts that an attack based on an IOS flaw would cause widespread damage to the Internet because products from Cisco's rival Juniper have a large presence in carrier backbone networks.

But vendors do need to be watched by other vendors, he added.

"It's a good thing to have watchdogs in this business and I think Cisco has an issue with being watched," Dzubeck said. "Microsoft has gotten used to this. They actually rely on other people to tell them what it's doing wrong, and they're confident in those people. In Cisco's case, they're still saying that we know what we're doing better than anyone else because we created it and we own it."

Wild week at security conference

Learn more about this topic

Cisco nixes conference session on hacking IOS router code

07/27/05

Furor over Cisco IOS router exploit erupts at Black Hat

07/28/05

Researcher at center of Cisco router-exploit controversy speaks out

07/28/05

Cisco, ISS, Michael Lynn and Black Hat sign legal accord

07/28/05

Forum: Who's right?

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2005 IDG Communications, Inc.