July 29, 2005 11:40 PM PDT

More legal threats over Cisco flaws

LAS VEGAS--In an apparent attempt to keep a presentation on Cisco Systems' router flaws off the Web, a lawsuit was threatened against a person who made details of the flaw available online.

Richard Forno, a security specialist and author, said in an e-mail that he received a cease-and-desist letter from lawyers representing Internet Security Systems. He subsequently pulled the presentation from his Infowarrior.org Web site and replaced it with a fax he said came from the law firm of Piper Rudnick Gray Cary, counsel for ISS.

An ISS representative could not immediately confirm late Friday that the company had asked its lawyers to take action against Web sites hosting the presentation. A Cisco representative said that although Cisco is working with ISS in the matter, he was told that ISS was sending out the takedown notices.

The presentation appears to be an early version of the slide-deck used by security researcher Michael Lynn on Wednesday morning at the Black Hat security confab in Las Vegas for his talk: "The Holy Grail: Cisco IOS Shellcode and Remote Execution."

Lynn caused a stir at Black Hat--in defiance of Cisco and ISS--by demonstrating how he could gain control of a Cisco router by exploiting a security flaw. Cisco and ISS had agreed to pull the presentation shortly before the event, but Lynn quit his job at ISS and gave the talk anyway.

Cisco and ISS subsequently went to court seeking a gag order against Lynn and the Black Hat organizers. The parties reached a deal on Thursday, in which Lynn agreed never to repeat the information he gave at Black Hat. He also has to hand over any Cisco source code in his possession.

The presentation was pulled out of the hard copy of the event proceedings. Hours before Black Hat was to start, temporary workers hired by Cisco cut the pages from the book, the Black Hat organizers said Thursday. CD-ROMs were destroyed and replaced. Some attendees, however, were able to obtain the original disks, they said at the event.

Lynn outlined how to run attack code on Cisco's Internetwork Operating System by exploiting a known security flaw in IOS. The software runs on Cisco routers, which make up the infrastructure of the Internet. A widespread attack could badly hurt the Internet and immediate action is needed to protect the critical infrastructure, he said.

The slides are still available for public download on other Web sites, including Cryptome.org. The presentation was also distributed on the popular Full Disclosure security mailing list on Friday.

Black Hat ended on Thursday. At DefCon--the more informal hacker gathering that followed--Michael Lynn was hailed as a hero for disclosing information that may help protect the Internet. DefCon attendees chided Cisco and ISS for thinking only about their pocket books and not about securing their customers.

Jennifer Granick, Lynn's attorney, on Friday said her client is the subject of a federal investigation. She declined to share more details, but did say that it likely will end soon because of the agreement reached between Lynn, ISS and Cisco.

Cisco on Friday released a security advisory detailing the flaw in IOS that was exposed by Lynn and admitting that it could be exploited to gain control over routers.

Cisco claims the potential damage caused by the flaw is limited because the hacker would need to be connected directly to the router, rather than remotely via the Net.

According to Cisco's advisory, older versions of IOS are flawed in the way they process IPv6 packets, Cisco said in its advisory. A specially crafted data packet could let a miscreant gain control over the router, but an attack is possible only from a local network segment and only on systems configured for IPv6, Cisco said.

2 comments

Join the conversation!
Add your comment
Crytome.org
"The slides are still available for public download on other Web sites, including Crytome.org."

Crytome.org is nothing more than a redirect to a generic search engine. I don't understand why you would put that in without checking it out first. It's actually <a class="jive-link-external" href="http://www.cryptome.org" target="_newWindow">http://www.cryptome.org</a>.
Posted by Sugarat (7 comments )
Reply Link Flag
Thanks, we'll fix that
Sorry about that typo. Thanks for pointing it out.
Joris, News.com staff
Posted by JorisEvers (48 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.