Researcher Resigns Over New Cisco Router Flaw

An anonymous reader writes "Michael Lynn, formerly a researcher for Internet Security Systems resigned today rather than conceal his research into serious new flaws in Cisco routers, according to stories at Washingtonpost.com and CRN. Interestingly, Cisco says the problem is not a security vulnerability, although it chided Lynn for not going through proper vulnerability disclosure channels. Both stories note that Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees." Update: 07/28 12:23 GMT by Z : SimilarityEngine writes "Cisco and ISS are filing a law suit against Michael Lynn and the management of the Black Hat Conference, following Lynn's presentation discussing a vulnerability in IOS."
  • by lordkuri ( 514498 ) on Thursday July 28, 2005 @08:15AM (#13184350)
    I must have missed the "master password" thing.

    That was from a while back. They had set up a master "backdoor" password in a version of IOS and ended up getting ridiculed for it quite heavily.
  • Re:I wonder... (Score:4, Informative)

    by takkaria ( 782795 ) on Thursday July 28, 2005 @08:18AM (#13184360) Homepage
    He told them in April, according to BoingBoing [boingboing.net], and they still hadn't fixed the problem totally.
  • not applicable... (Score:2, Informative)

    by John Seminal ( 698722 ) on Thursday July 28, 2005 @08:22AM (#13184381) Journal
    you can't get whistleblower protection under these circumstances.

    you could get protection if you come out and reveal your employer is a racist who told you he refuses to comply with the law and hire blacks, or fired women who got pregnant rather than give them the benefits the law requires.

    i think this guy might go to jail for what he did.

    Lynn is in danger of being sued by Cisco for revealing the information, details of which were pulled at the last minute from the materials handed out to Black Hat attendees

    of all the places to reveal the information, why give it to black hats? it is like going to a criminal convention and telling them how to turn off security cameras at one bank chain.

    if someone used the information he handed out, this guy should be locked up because he will be directly responsible for the damage that is caused.

  • by Anonymous Coward on Thursday July 28, 2005 @08:24AM (#13184399)
    How long should it take?

    http://blogs.washingtonpost.com/securityfix/2005/07/update_to_cisco.html [washingtonpost.com]

    The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months, and that up until earlier this week, a Cisco executive was slated to co-present the findings with Lynn at Black Hat.
  • by putko ( 753330 ) on Thursday July 28, 2005 @08:24AM (#13184400) Homepage Journal
    Our friend Mojgan Khalili is the Cisco employee mentioned in the article, who said the security researcher broke the law -- "It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained."

    If you'd like to write to Mojgan and say that you don't like their attitude toward full disclosure, or their attack on the guy who's working hard to make things secure, here is his information.

    If nothing else, you could ask him "what law did the guy break, biatch!?!"

  • Re:not applicable... (Score:3, Informative)

    by lachlan76 ( 770870 ) on Thursday July 28, 2005 @08:41AM (#13184490)
    Umm you do know that Black Hat is a security conference? Mostly attended by security professionals?
  • by wild_berry ( 448019 ) on Thursday July 28, 2005 @08:42AM (#13184494) Journal
    The latest update (here [washingtonpost.com], but expect more updates at http://blogs.washingtonpost.com/securityfix/ [washingtonpost.com]) says that he "is said to have illegally reverse-engineered Cisco source code" (why bother reverse-engineering sources?*) to discover the vulnerability and that Cisco and ISS had four months of work in progress on the issue before this presentation.

    He may have misused information from his former job at ISS and be operating outside the bounds of what his ISS employee contract allowed him to do.

    *: I can see how, if the source codes contain hash numbers which are generated elsewhere and need cracking, that there would be reverse-engineering the source code. If it was recovering the source code from a compiled binary, why not say so? If breaking the DMCA by decompiling an encrypted binary, why not tell us?
  • Re:Good.... (Score:4, Informative)

    by Kirth ( 183 ) on Thursday July 28, 2005 @08:43AM (#13184499) Homepage
    You're a prick. RTFA. He waited 4 (in words FOUR) months for Cisco to fix this until he finally made it public.
  • by Anonymous Coward on Thursday July 28, 2005 @08:52AM (#13184555)
    The point of buying a router is efficiency. Otherwise get a switch and a 386 running BSD or Linux... Having hardware move packets is almost certainly going to be faster (and efficient) than having a general purpose processor do it.

    What do you think a Cisco router is? Traditionally, an underpowered general purpose CPU running a somewhat-specialized operating system.

    Unless you're talking about the "big boys" (Catalyst switches, Cisco 10000s, etc) switching is not done in hardware.
  • by Anonymous Coward on Thursday July 28, 2005 @09:05AM (#13184664)
    "Some people, however, think that the only thing that'll get companies to take security more seriously is if they are actually made to look really bad, and maybe some of their products actually get hacked."

    Except Cisco were told back in April. What they did was fix this particular buffer overflow without tackling the method used to run the code. This was what incensed him so much, they half fixed it, enough to get by with for today.

    So yes, they had already had their warning and chosen to ignore it.
  • Re:I wonder... (Score:3, Informative)

    by ravind ( 701403 ) on Thursday July 28, 2005 @09:10AM (#13184707)
    Read the follow on to that article [washingtonpost.com]:

    "The injunctions filed against him state that ISS and Cisco had been working together on the flaw for the past four months"

    Four months qualifies as a "few weeks" in my mind.
  • Re:I wonder... (Score:3, Informative)

    by AceJohnny ( 253840 ) on Thursday July 28, 2005 @09:20AM (#13184796) Journal
    I'd be far from surprised to hear Cisco were notified of this 3 months ago, hence Lynn's frustration and his decision to publicly talk about the flaw.

    Exactly. IIRC from another article this morning, the flaw was disclosed a while ago, I think in April. He publicly announced it on Wednesday July 27th. That's indeed around 3 months.

    Using any buffer overflow or similar flaw, he showed how you could take control of the IOS (the OS on the router?). The IOS is supposed to be abstracted from the hardware and immune to this type of flaw. This wasn't supposed to be possible before. So this flaw isn't tied to a specific low-level buffer-exploit vulnerability, so it's not enough to patch that vulnerability, because as soon as another is discovered, the IOS will be vulnerable too.

    From other posts, it seems Cisco is usually quite reactive to flaw disclosure. Maybe this flaw was bigger and tougher to fix than the usual, but according to a Wired article [wired.com], CISCO wanted to keep the flaw secret until next year, when a patched IOS beta would be released.

    Lynn found this outrageous.

    Outrageous enough to quit his job on the spot, burn himself from the industry's eye, and expose himself to a lawsuit from Cisco. Doesn't that make you think?
  • Re:Why? (Score:3, Informative)

    by OldeTimeGeek ( 725417 ) on Thursday July 28, 2005 @10:06AM (#13185210)
    They've been working on a fix for 4 months. How long should they get?

    Long enough to make sure the fix works without breaking some other function. Or would you prefer that they release the updates without making sure that something important - like, say, BGP updates - still works? That'd be *real* smart.

    I, personally, would prefer that Cisco makes sure that they haven't added new unintended features to IOS before they release new code.

  • Since... (Score:3, Informative)

    by jd ( 1658 ) on Thursday July 28, 2005 @10:10AM (#13185256) Homepage Journal
    ...he started his talk with a discussion on the security of Internet telephony, it would seem reasonable to guess that the exploit is somehow related to such technology.

    There are various protocols that are directly used by VoIP - these would include things like SIP, UDP connections for the streamed audio and other fairly mundane stuff. For videoconferencing (a related technology), you'd probably use IGMP to set up the multicast conference.

    Of these, IGMPv3 (the newest version of IGMP) is the only one the router would really need to talk. It is also a variable-length structure, which means crappy implementations may be subject to buffer overflow. On a likelihood scale of 0-10, where 0 is impossible and 10 is a certainty, I'd put this at a 2 or 3.

    There are also indirect protocols used with VoIP. Most VoIP setups that want any decent quality will use bandwidth management schemes, such as QoS. Cisco routers support a number of QoS functions. Some are local, but IIRC, some will propagate between Cisco routers. It could be there is something exploitable in such a mechanism. On the same scale as before, I'd put this at a 4, as I doubt the QoS code has been as extensively tested by consumers or by crackers.

    A third option is that it is only tangential to VoIP. The easiest way to secure VoIP is to set up IPSec tunnels. Could there be a flaw in IPSec that can be exploited? There are two candidate areas here - one would be a flaw that made it possible to spoof legit connections without the Cisco router being able to tell. The second, and more serious for Cisco, would be if there's a bug in IKE/ISAKMP where a malformed and/or oversized packet did Really Nasty Things.

    Again, IPSec isn't widely deployed so the bulk of the testing it will have received will have been from Cisco itself and not from users (who are always much more creative in creating bizarre network scenarios). Of all of the options I've outlined, it would also be the strongest candidate for a follow-on discussion after talking about the security of Internet Telephony. It is also the most complex, in terms of packet exchanges, putting it at a higher risk of having bugs. Again, on the scale I gave, I'll put this at a 6.

    Finally, a lot of router technology (not just Cisco's products) is open to ARP cache poisoning, router table poisoning and the like. In a VoIP scenario, these could be used to redirect a call as a means of wiretapping it without duplicating it. This would fall in the category of VoIP security and router security. Normally, routers are set up so that they can't get routing information from anyone. However, one place I worked, I did see a fairly major ISP fry three of its routers with circular routes.

    It is possible, then, that Cisco's handling of router-level traffic is suspect - perhaps there's a buffer overflow somewhere that allows escalated privileges to another networked device. The problem here is that this IS in an area that has been extensively used and tested in the field by Joe Average Customer. And if Joe Average Customer can screw up, they will screw up.

    Knowledge of such a bug would not be kept under wraps, simply because too many people would be experiencing it first-hand. (Same reason Windows bugs aren't secret for long.) So although this is a well-known problem with networks, I would say that the chances of this being the bug Cisco is fighting tooth-and-claw with is about a 2.

    The only way we'll know if I'm even remotely close, though, is if Cisco or the researcher says something definite. Either that, or some Black Hat skilled in the Dark Electronic Arts reverse-engineers the defect from what has been said and publishes their observations.

  • Re:I wonder... (Score:5, Informative)

    by saridder ( 103936 ) on Thursday July 28, 2005 @10:26AM (#13185413) Homepage
    Not sure if you really are Mike, but your facts are 100% correct. It wasn't a new vulnerability, just a new way to exploit a known vulnerability which has already been patched. Also, if I read correctly, you need to be directly connected to the router to execute the vulnerability; it's a not a remote attack.
  • by birdman17 ( 706093 ) on Thursday July 28, 2005 @10:34AM (#13185510)
    In terms of violating intellectual property rights,

    Last time I looked, there is no such thing as "intellectual property rights". There is copyright law, patent law, and trademark law. These three are commonly grouped as "intellectual property" in the media, but that phrase has no legal standing.

    As far as I can tell, no Cisco copyright was violated; no patents were infringed; and no trademarks were fraudulently used. Thus nothing illegal has occurred.

    The only remaining possibility in the U.S. is a violation of the DMCA, which Cisco hasn't mentioned. The DMCA is pretty complex, but as far as I can see, the only way it would apply here is if Cisco had encrypted their information and Lynn had decrypted it for commercial purposes. I don't know if compiling source code to object code counts as encryption for the DMCA, and the purposes of the "decryption" are a fair stretch in that context anyway. So I don't see that as being a legal problem here either.

  • Re:I wonder... (Score:3, Informative)

    by macdaddy ( 38372 ) on Thursday July 28, 2005 @10:43AM (#13185612) Homepage Journal
    Horrible analogy. Cisco had months of advance notice. They didn't have to "bang something out in a hurry." They simply haven't gotten off their asses and fixed the problem. Microsoft is not the only lazy monopoly in town.
  • Re:I wonder... (Score:4, Informative)

    by hetairoi ( 63927 ) on Thursday July 28, 2005 @10:56AM (#13185761) Homepage
    But it only became "wide open" with the public disclosure of exactly how to exploit it.

    He used an already patched exploit to show the vuln. He only showed how easy it would be were you to find a new, unpatched exploit.

    Also, from an interview at security focus [securityfocus.com]

    "It has been confirmed that bad people are working on this (compromising IOS). The right thing to do here is to make sure that everyone knows that it's vulnerable."

    The bad guys already know about this, Lynn believes it's time the rest of us found out.

  • by trygstad ( 815846 ) on Thursday July 28, 2005 @11:06AM (#13185883)
    If you read the article you can plainly see that ISS and Cisco have had a restraining order imposed; this is not a "law suit", but it certainly does not preclude them from doing that as well. Disclaimer: I am not a lawyer nor do I play one on TV nor did I stay in a Holiday Inn Select last night.
  • Re:I wonder... (Score:3, Informative)

    by bradkittenbrink ( 608877 ) on Thursday July 28, 2005 @11:20AM (#13186030) Homepage Journal

    Please try to stay with the group.

    Don't be an ass, turnstyle had a legitimate point. This used to be a problem that a "small number" of black hats could exploit, now it's a problem that a million script kiddies know about. Now don't get me wrong, I'm not trying to claim that cisco was fixing the issue promptly enough, but dismissing people who point out the problems with full disclosure is just plain irresponsible.

  • by tcampb01 ( 101714 ) on Thursday July 28, 2005 @12:05PM (#13186482)
    The rationale behind public disclosure of a security flaw (knowing that the 'bad guys' will hear about it too) is based on the idea that (a) customers have a right to know that they are at risk and also need to apply a fix as soon as it's available, and (b) companies should face pressure (even extreme pressure) to prioritize the fixes for these bugs.

    It's pretty much accepted across the industry that the disclosure that there is a vulnerability is a "good thing". Indiscriminately revealing the gory details about how to exploit the vulnerability is a "bad thing".

    After reading all the articles, it sounds like the exploit was discovered months ago, the patch has been available for months, and though Mr. Lynn demonstrated that the exploit is real (usually required to establish credibility) he did not expose the gory details necessary to allow someone to exploit the attack on their own.

    So what's the big deal?

    I'm particularly annoyed with Cisco's comment about Mr. Lynn having "illegally" obtained his information. Frankly, it's in the best interest of the public, the Internet, and the security world that security researchers will decompile code to search for exploits. The security industry accepts that "security through obscurity" is a very bad idea. Vetted code is deemed secure because the gory details have been exposed to a wide audience and *still* no exploits could be found -- NOT because nobody was allowed to know how it all worked.
  • by Anonymous Coward on Thursday July 28, 2005 @01:17PM (#13187410)
    Why not go one step forward:

    Got to love public information...
  • Re:I wonder... (Score:3, Informative)

    by Intron ( 870560 ) on Thursday July 28, 2005 @04:28PM (#13189530)
    Great. The problem is a flaw in BGP that affects every router that implements it. It allows certain messages to cause a DOS attack on certain IP addresses. Tell me how long it will take to fix. By the way, if you're wrong on the time estimate, everyone is going to jump all over you. And if the time period is too long, everyone is going to jump all over you. Also, you can't make everyone upgrade at the same time, so your solution has to be backwards and forwards compatible. Well? I'm waiting.
  • what it was (Score:1, Informative)

    by Anonymous Coward on Thursday July 28, 2005 @09:16PM (#13191503)
    my, so much text.

    http://www.angelfire.com/ego2/hellomother/BH_US_05-Lynn-decrypted.pdf [anonymouse.org]: here's an unencrypted copy of the PDF for the presentation.
  • Cisco settles! (Score:3, Informative)

    by qcomp ( 694740 ) on Thursday July 28, 2005 @10:35PM (#13191825)
    ZDnet reports [zdnet.com] that David Lynn and Cisco have agreed to a legal settlement. Lynn doesn't talk about the matter at Blackhat or Defcon and returns all related material to Cisco. I suppose Cisco drops its charges against him, though that's not mentioned.
    I'm glad for Michael Lynn that this affair ended quickly and not too harshly. Kudos to him for his courage.
