ZDNet UK

• CNET NETWORKS UK BUSINESS SITES:
• atlarge.com
• BNET UK
• silicon.com
• SmartPlanet.com
• ZDNet.co.uk

Cisco reaches deal with flaw researcher

• Tags:
• Cisco,
• Michael Lynn,
• Router

Joris Evers CNET News.com

Published: 29 Jul 2005 07:40 BST

• 
• 
• 
• 
• 

The dispute over a presentation on hacking Cisco Systems' router software at the Black Hat security conference culminated in a legal settlement on Thursday.

Michael Lynn, a former ISS researcher, and the Black Hat organisers agreed to a permanent injunction barring them from further discussing the presentation Lynn gave on Wednesday. The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees.

The injunction also requires Lynn to return any materials and disassembled code related to Cisco, according to a copy of the injunction, which was filed in US District Court for the District of Northern California. The injunction was agreed on by attorneys for Lynn, Black Hat, ISS and Cisco.

Lynn is also forbidden to make any further presentations at the Black Hat event, which ended on Thursday, or the following Defcon event. Additionally, Lynn and Black Hat have agreed never to disseminate a video made of Lynn's presentation and to deliver to Cisco any video recording made of Lynn.

In his first news conference, Lynn on Thursday said that despite all the legal wrangling he faced during the past day and a half, demonstrating an attack on Cisco's router software was the right thing to do.

"I think I did the right thing. It was pretty scary, but the real important thing was there was the potential of serious problem," Lynn said. "I did not think the nation's interest was served by waiting another year when a router worm would be a serious threat."

In his presentation on Wednesday, Lynn outlined how to attack Cisco's Internetwork Operating System to gain control over the router running IOS. Cisco routers make up much of the infrastructure of the Internet. A widespread attack could badly hurt the Internet, according to experts attending Black Hat.

It is possible to actually destroy a router, which could cripple or shut down parts of the Internet or a corporate network. "It is one of those cases where software can destroy hardware, Lynn said.

IOS had been perceived to be impervious to such attacks, which is why a wake-up call was needed, Lynn said.

"Nobody really considered until Wednesday that this was possible," he said. The theft of Cisco's IOS source code also increases the chances that criminal hackers are working on exploits, he said.

Lynn acknowledged that his talk may actually help criminals in finding ways to attack Cisco routers.

"I gave maybe 5 percent of the information required to actually do what I did," he said. "The first guy who did it is sort of in some way responsible for all the other people who do it."

Several Black Hat attendees suggested that with the information provided by Lynn, skilled security researchers would have little trouble reproducing his attack.

What's important now is that Cisco fixes the underlying problem in IOS and prevents the problem in future versions of the software, Lynn said.

Lynn quit his job as a researcher at ISS to deliver the presentation after ISS had decided to pull the session. Notes on the vulnerability and the talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," were removed from the conference proceedings by Cisco, leaving a gap in the thick book.

ISS wanted to cancel the session because the research was premature and would be presented at a later security conference, an ISS representative said Wednesday.

After the talk, Lynn retained attorney Jennifer Granick in the face of legal action by his former employer ISS and Cisco. Granick is the executive director of the Stanford Law School Centre for Internet and Society.

"Without her help I would be in some really serious trouble," Lynn said on Thursday.

Cisco said in a statement on Thursday that it is "gratified" by the agreed injunction. It prevents further discloser of information that could help create an attack on critical network infrastructure, the networking giant said in a statement.

"It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet," Cisco said.

Cisco plans to release a security advisory on the issue within the next day, it said.

The actual flaw Lynn exploited for his attack was fixed by Cisco in recent releases of IOS. Users of the latest versions are not vulnerable, Lynn and Cisco said. However, Lynn cautioned in his talk on Wednesday that new IOS flaws could be exploited for similar wide-ranging attack.

• 
• 
• 
• 

• Share this article:
• 
• 
• 
• 
• 

• Most Recent
• Most Popular
• Most Discussed