Friday, July 29, 2005

Mike Lynn Settles

It appears Black Hat presenter Mike Lynn has avoided personal disaster, according to Brian Krebs:

"Under the terms of a permanent injunction signed by a federal judge this afternoon, Lynn will be forever barred from discussing the details about his research into the vulnerabilities he claimed to have discovered in the widely used Cisco hardware."

I recommend reading the rest of Brian Krebs' story for details.

I saw this NANOG post refer to a FrSIRT advisory, but the relevant FrSIRT page has been removed (though not without trace).

In case anyone has forgotten, I remember attending the presentation by FX of Phenoelit.de at Black Hat USA 2003 involving heap-based overflows in Cisco IOS. It was an extension of work he presented at Black Hat USA 2002. His Ultimaratio page has more info, and he published a Phrack article and an exploit for Cisco IOS 11.x.

Maybe Mike Lynn's mistake was working for a security company (ISS) and with a vendor (Cisco) and being a US citizen? Nothing bad happened to FX before, during, or after his presentation. Were FX's vulnerabilities considered too old to be a problem, but Mike's too recent?

I've been poking around at the Cisco Web site, and I noticed that in April and May they began a massive removal of old IOS images. This product bulletin 2863, Cisco IOS Software Center Update: Effective April 2005 (.pdf) outlines the process, and this Cisco IOS Software Center Update Q&A (.pdf) answers questions on the clean-up. While this could have been planned well before Mike Lynn notified Cisco of his discoveries, it's also possible Cisco took steps to remove vulnerable IOS images because of his findings. Either way, removing old vulnerable images is an excellent idea.

Update: I found a few interesting NANOG posts by James Baldwin, who is in Las Vegas and spoke to Mike Lynn. According to Mr. Baldwin, "Lynn did not have NDA access to the Cisco source." Lynn "developed this information based on publicly available IOS images. There were no illegal acts committed in gaining this information nor was any proprietary information provided for its development. Cisco had initially approved this talk. My [Baldwin's] understanding is that this has been fixed and no current IOS images were vulnerable to the techniques he was describing. ISS, Lynn, and Cisco had been working together for months on this issue before the talk."

Finally, "There was no source or proof of concept code released and duplicating the information would only provide you a method to increase the severity of other potential exploits. It does not create any new exploits. Moreover, the fix for this was already released and you have not been able to download a vulnerable version of the software for months; however, there was no indication from Cisco regarding the severity of the required upgrade. That is to say, they knew in April that arbitrary code execution was possible on routers, they had it fixed by May, and we're hearing about it now and if Cisco had its way we might still not be hearing about it."

I guess that explains the IOS clean-up. Lynn might have shown a way to develop exploits based on analyzing differences in IOS images. According to Cisco's End User License Agreement:

"Customer shall have no right, and Customer specifically agrees not to:...

(iii) reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction;"

Maybe Cisco is enforcing its EULA in the most draconian manner it can imagine?

3 comments:

Joe said...

I've been trying to give each party the benefit of the doubt since I don't have the facts, but clearly Michael did not "put the internet at risk" as many are claiming. Cisco wanted to protect themselves from a PR nightmare, and they ended up creating one.

I'm so tired of Cisco and their way of doing things. Someday I'll try to find Juniper or Foundry equivalents to Cisco equipment that my clients use and start recommending those instead of Cisco. I really dislike the legal/administrative arm of Cisco. I feel bad for the talented engineers that have to work for them.

joat said...

The injunction (http://md.hudora.de/archive/pub/stipulated_permanent_injunction.DOC) against M. Lynn doesn't improve anyone's image either. Seems he's prevented from presenting at Blackhat/DefCon ever again, on any topic.

Richard Bejtlich said...

Point 10 of the injunction says "Make no further presentation(s) at Black Hat 2005 USA Conference or DEFCON 2005;"

That means future presentations are ok.