Cisco cover up

Complete PR disaster? Maybe they're still working on the fix and didn't
want those on the blackhat scene to have a glimpse of how they intended on
fixing things. I wonder if this exploit_foo_bar has anything to do
with their code being stolen earlier this year, was it, or late last year.
Maybe for the geeks in you, it may be a PR disaster, but I doubt their
stock price will come down much. Oddly I wonder if those in gov are
watching closely to those who are running around shorting Cisco stock. Or
should that be: "sh0rt1ng c1sc0 st0ck!@$"

Cisco had initially approved this talk. My understanding is that this has been fixed and no current IOS images were vulnerable to the techniques he was describing. ISS, Lynn, and Cisco had been working together for months on this issue before the talk.

This had _nothing_ to do with the source code that was stolen. I have dealt with Lynn professionally on many occasions and he has shown himself to have more than a fair share of integrity. It is uncalled for to take two disparate events and place them together in a way which smudges the name of a respected researcher.

Just because they fixed the bugs doesn't mean there aren't a large number of
publicly accessible routers out there still running affected versions..

I suspect there was something slightly more than just giving information about
the vulnerabilities.. the inference is that they demonstrated executing
arbitrary code from buffer overflows.. perhaps for example they developed ways
of opening up privilege vty which I don't think has been shown before

Steve

Cisco had the exploit fixed in April and no longer offers the
exploitable OS for download on their site.

And the list of vulnerable IOS versions is where....?

I don't care exactly what the exploit is but I want to know the risks involved and what versions are vulnerable. Any workarounds available would be nice as well, the fewer routers potentially needing immediate upgrade to fixed IOS the better.

Once upon a time, Mark Owen <mr.markowen@gmail.com> said:

Cisco had the exploit fixed in April and no longer offers the
exploitable OS for download on their site.

But which versions are vulnerable? I don't just go upgrade my IOS at
random, hoping to fix unknown bugs (while introducing additional unknown
bugs). When I've got an apparently stable version for my setup, I leave
it alone.

And the list of vulnerable IOS versions is where....?

I am not sure if this is the correct doc, but it is recent (April/May 05)
and does indicate what IOS versions are being dropped and what IOS one
should migrate to.

http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html

James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com noc@cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101

Thus spake "Mikael Abrahamsson" <swmike@swm.pp.se>

Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.

And the list of vulnerable IOS versions is where....?

I don't care exactly what the exploit is but I want to know the risks involved and what versions are vulnerable. Any workarounds available
would be nice as well, the fewer routers potentially needing immediate
upgrade to fixed IOS the better.

The short answer is, if an image is still on CCO, it's not vulnerable. That applies to both this problem and any other security problems Cisco has patched but not published notices for yet.

S

Stephen Sprunk "Those people who think they know everything
CCIE #3723 are a great annoyance to those of us who do."
K5SSS --Isaac Asimov

This has nothing to do with the recent events.

- RC

Robert,

So if I follow this doc and move to the IOS indicated will that IOS be
free of this bug ?

j

I suspect there was something slightly more than just giving information
about the vulnerabilities.. the inference is that they demonstrated
executing arbitrary code from buffer overflows.. perhaps for example they
developed ways of opening up privilege vty which I don't think has been
shown before

we can suspect a lot of things. but, as long as information is
suppressed, all we can do is suspect and be victims of those who
have the time to develop exploits. this is why open disclosure
is soooo important. security through obscurity is a well-known
failure mode.

randy