Flaw researcher settles dispute with Cisco

LAS VEGAS--The dispute over a presentation on hacking Cisco Systems' router software at the Black Hat security conference culminated in a legal settlement Thursday.

Michael Lynn, a former Internet Security Systems researcher, and the Black Hat organizers agreed to a permanent injunction barring them from further discussing the presentation Lynn gave Wednesday. The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees.

The injunction also requires Lynn to return any materials and disassembled code related to Cisco, according to a copy of the injunction, which was filed in U.S. District Court for the District of Northern California. The injunction was agreed on by attorneys for Lynn, Black Hat, ISS and Cisco.

Lynn is also forbidden to make any further presentations at the Black Hat conference, which ends Thursday, or the Defcon event that follows it. Additionally, Lynn and Black Hat have agreed never to disseminate a video made of Lynn's presentation and to deliver to Cisco any video recording made of Lynn.

In the first news conference of his life, Lynn on Thursday said that despite all the legal wranglings he faced during the previous day and a half, he made the proper choice in demonstrating an attack on Cisco's router software.

"I think I did the right thing. It was pretty scary, but the real important thing was there was the potential of serious problem," Lynn said. "I did not think the nation's interest was served by waiting another year, when a router worm would be a serious threat."

In his presentation Wednesday, Lynn outlined how to attack Cisco's Internetwork Operating System to gain control over the router running IOS. Cisco routers make up the infrastructure of the Internet. A widespread attack could badly hurt the Internet, according to experts attending Black Hat.

It is possible to actually destroy a router with the approach, Lynn said. Multiplied, that attack could seriously disrupt or shut down parts of the Internet or a corporate network, he said.

"It is one of those cases where software can destroy hardware," Lynn said.

IOS had been perceived as impervious to such attacks, which is why a wake-up call was needed, Lynn said.

"Nobody really considered until Wednesday that this was possible," he said. The theft of Cisco's IOS source code in May last year also increases the chances that criminal hackers are working on exploits, he said.

Aiding in attacks
Lynn acknowledged that his talk may actually help criminals in finding ways to attack Cisco routers.

"I gave maybe 5 percent of the information required to actually do what I did," he said. "The first guy who did it is sort of, in some way, responsible for all the other people who do it."

Several Black Hat attendees suggested that with the information provided by Lynn, skilled security researchers would have little trouble reproducing his attack.

What's important now is that Cisco fixes the underlying problem in IOS and prevents the problem in future versions of the software, Lynn said.

Lynn quit his job as a researcher at ISS to deliver the presentation after ISS had decided to pull the session. Notes on the vulnerability and the talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," were removed from the conference proceedings by Cisco, leaving a gap in the thick book.

ISS wanted to cancel the session because the research was premature and would be presented at a later security conference, an ISS representative said Wednesday.

After the talk, Lynn retained attorney Jennifer Granick in the face of legal action by former employer ISS and Cisco. Granick is the executive director of the Stanford Law School Center for Internet and Society.

"Without her help, I would be in some really serious trouble," Lynn said Thursday.

Cisco said in a statement Thursday that it is "gratified" by the agreed injunction. It prevents further disclosure of information that could help create an attack on critical network infrastructure, the San Jose, Calif., networking giant added.

"It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet," Cisco said.

The company plans to release a security advisory on the issue within the next day, it said.

The actual flaw Lynn exploited for his attack was fixed by Cisco in recent releases of IOS. The latest versions are not vulnerable, Lynn and Cisco said. However, Lynn cautioned in his talk Wednesday that new IOS flaws could be exploited for a similar wide-ranging attack.

[Far Star]

*cough* whitewash *cough*

I'm suprised that C|Net can even put the word 'settlement' in this report with a striaght face ... oh wait, yes I can.

This was not a 'settlement' but a beatdown. Cisco dosen't want anyone to know the dangers and will use ALL of it's strength (which suprising to me is actually considerable) and legal power to bury them. "Cisco plans to release a security advisory on the issue within the next day ..." yeah right. Not likely to actually happen, "plans" can change and often do once the dust settles and media lap dogs (like C|Net) go home. It's just more of the same corporate whitewashing.

Good luck on finding a job Lynn. We appriciate your bravery in facing off with a corprate giant to warn all of the threat that is there. To bad it cost you so much but you have our thanks.

Peace.

[cforsyth]

Who Decides on Our Behalf

The problem here is that Cisco used their legal muscle to decides what's in the "best interests of protecting the Internet". Are they really the best ones to make that call? Seems to me they have a pretty obvious vested interest. I have more faith in neutral security organizations to make that call.

[newerawisp]

CISCO 'S HIGH HANDED ACTION MUST BE DEPLORED

CISCO should have been appologizing the world for the defective products it's unleashing on the world. Instead it is hiring attorneys to sue the people who talk about the defects in its products. Pernanent injunction or no permanent injunction the case emphasizes the need for abandoning the present method of surfing the net that gives too much powers to the owners of the personal computers that are used to surf the net. Not a day passes by when a new defect or a new flaw is discovered. And then the Companies would not allow their employees to talk about the security flaws. Cisco says that the flaw has been fixed. Has it really been fixed? Who will talk about it if it's not really fixed. There are the courts that will injunct a person from talking about it. Cisco should not be allowed to get away. Every reader of these comments should write a letter to Cisco CEO John T. Chambers at Cisco headquarters at 300 East Tasman Drive, San Jose CA 95134-1706

I believe the Cisco matter shows the need to develop a new server based Browser that incorporates multitasking and nanotechnology as discussed at http://www.newerawisp.blogspot.com/ which will eliminate idle processor time besides putting Hackers out of business. The new technology puts the Hackers out of business by preventing the servers from sending any documents to the clients.

[tdallendoerfer]

Cisco

Cisco knew b4 about their flaws in their software. it is a shame they let it come so far, that someone had to tell them about it. And then they give him some hell fire for saving kinda their company. The losses, if a real attack would have ever happend, would have made cisco bankrupt. They should act. make him head of security in my opinion, to improve their routers.

When i hear stupid actions like that from a big company like cisco, i just wish the worst for them. they really should go bankrupt now. cause they knew b4.