Thursday, July 28, 2005

Free Michael Lynn

Ex-ISS X-Force researcher Mike Lynn is in a world of hurt right now. Yesterday he delivered a briefing at Black Hat on Cisco security flaws. Lynn decided to resign from ISS instead of complying with the wishes of his employer and Cisco to keep his discoveries quiet. For a lot more detail, I strongly recommend reading the Brian Krebs Security Fix blog hosted by the Washington Post. Krebs is in Las Vegas and has spoken with Lynn, who "has been served with a temporary restraining order designed to prevent him from discussing any more details about the flaw...[and] is scheduled to appear in federal district court at 8:00 a.m. Thursday." (!) I think it's time to start a Free Michael Lynn campaign to pay for his legal bills.

Update: Within this Slashdot thread is a comment by someone claiming to be Mike Lynn. Here is Cisco's statement. Also, SecurityFocus has a good article with this statement:

"Lynn outlined a way to take control of an IOS-based router, using a buffer overflow or a heap overflow, two types of memory vulnerabilities. He demonstrated the attack using a vulnerability that Cisco fixed in April. While that flaw is patched, he stressed that the attack can be used with any serious buffer overrun or heap overflow, adding that running code on a router is a serious threat."

What is the problem, then? Maybe this?

"During his presentation, Lynn outlined an eight step process using any known, but unpatched flaw, to compromise a Cisco IOS-based router. While he did not publish any vulnerabilities, Lynn said that finding new flaws would not be hard."

Good grief. The outcome of this situation could be very important for the future of security research.

Update 2: Here is the relevant text on reverse engineering from the Digital Millennium Copyright Act.

10 comments:

Anonymous said...

"Free" is a misleading verb. It is not like he is being incarcerated -- should the injunction be granted, he is simply being told to shut up. That, IMNSHO, would be very bad, but not nearly as bad as getting tossed in jail.

Richard Bejtlich said...

Yes, but "Remove the Restraining Order on Michael Lynn" is a lousy rallying cry. :)

Anonymous said...

ISS and Cisco were working together, and presumably had an NDA to get this fixed, allowing customers to be notified privately. The heat appears to be that Michael violated the NDA, not so much the flaw itself.

I completely support full disclosure, but in return I respect the well-being of all parties involved to get it fixed.
(If this were say, a nuclear weapon launch controller, would you still advocate going public w/ the info?).

chuck said...

It will be interesting to see what happens. Definitely an interesting story nonetheless..

Chuck

J_Kenpo said...

Don't like what Cisco is doing? You don't agree with their attempt to shut out full disclosure? Quit buying their products. While I feel for Michael Lynn, if he signed an NDA, then he is in breach with ISS and at fault, as sad as it is.

My 2 cents...

Justin Mason said...

btw, this article -- http://netsec.blogspot.com/2005_07_24_netsec_archive.html#112252461636474700 -- notes 'he discovered clues that there was an issue being exploited when reading translated Chinese hacker sites that alluded to the issue.'

ouch.

Richard Bejtlich said...

Justin,

You cite a great example of intruders already being aware of a vulnerability, while the rest of us get rooted.

Warguppy said...

Abaddon absolutely did the right thing. Cisco's position that this is fixed is absolutely incorrect. What they have done is made sure that new systems are not vulnerable from the XML vector for any new equipment. They have severely underplayed the potential for disaster here and made no active effort at all to strongly encourage their federal customers to fix this immediately. Shame on them for letting it get this far. I am not sure what ISS's claim that they have a fix for this is based on. Are they going to put a Proventia box in front of the router? Shame on ISS for letting a vendor sweep this under. While Cisco has a big problem with its gear and IOS, ISS has a far bigger problem in that the trust level they have developed over the years is absolutely gone. Matters of national security cannot be driven by corporate greed. It was bad enough when Enron destroyed the people's ability to retire. Mike has made the single strongest case for open source and full disclosure. I too have known Mike for years and I am immensely proud of him. People are not harping on the real problem, that being that once virtual processes are an integral part of IOS, this will be easy to script and worm.

Anonymous said...

Quoting from this article: "I think it's funny because you had a working exploit in 2001, and nearly 4 years later someone (Michael Lynn) got something similar. But thanks to someone (Cisco) that chose to sue him, there was a big buzz, and all the people suddenly discovered that, "wow, IOS is exploitable, yes, you can get a shell there too". Now a lot of people want to be the first to reach the goal: make public some working shellcode." Good reading for any Cisco device owner/0wner 8-)

Anonymous said...
This comment has been removed by a blog administrator.