Friday, July 29, 2005

New Cisco Advisory and Statements

I guess we can wrap up the Cisco and ISS vs. Mike Lynn and Black Hat saga by mentioning the new Cisco security advisory released today: IPv6 Crafted Packet Vulnerability, which states:

"(IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation."

Assuming these details are correct -- and who knows now? -- this is not an earth-shattering discovery. However, this may have been a sample vulnerability Mike demonstrated to explain his technique. He may have picked this vulnerability because he thought it would not affect much of the Internet, but he needed to let people know that his technique was already in use by malicious parties.

Cisco's main security page addresses the Lynn affair directly as well.

This Reuters article quotes Jeff Moss:

" Jeff Moss, president of Black Hat, predicted the ruling would have a dampening effect on security enthusiasts.

People will say, Why would we tell the public about this if we're going to be sued? We're just going to post this anonymously,' he said. 'Who is going to tell Cisco about a problem now?'"

Who indeed. Good work, Cisco. You've just alienated anyone who would consider quietly approaching you with vulnerability details. You've probably also stirred up an army of independent researchers who will look for new holes in IOS.

The real tragedy is the vulnerability of all the enterprises running Cisco gear, to include all of my clients. It's time for me to figure out better ways to monitor Cisco equipment for signs of compromise. The protected domain or boundary does not start inside your border router -- it must now include that router, as it remains at risk of direct attack. How long before the first router-based worm, I wonder?


Anonymous said...

"It's time for me to figure out better ways to monitor Cisco equipment for signs of compromise."

If this is the outcome, I would say that it is a victory for security. Shouldn't you have been doing it to begin with? It seems sort of silly to only focus on known vulnerabilities when we all agree that it is the unknown ones that really matter.

If you are this worried about a router-based worm based on the information that was presented, can you really say that the Internet is a safer place because of it?

Pete Lindstrom

Richard Bejtlich said...

When I mention monitoring routers, I'm not talking about conventional means that everyone else uses. I'm talking about tapping lines in front of border routers to inspect traffic before it hits the router. I have yet to see anyone do this.

This is a victory for security in the sense that Mike Lynn has let the world know that he has seen evidence that malicious parties are already compromising Cisco routers in the manner he described. I did not hear that from Cisco or any .gov entity.

The manner in which Mike Lynn was treated is the reason we are more likely to see a router-based worm. Mike's presentation was not at fault. When a company stirs enough anger in the hacker community to make the unofficial slogan of a conference "f*ck Cisco," the problem is not Mike Lynn's!

Anonymous said...

re: monitoring - regardless of the way ML was treated, I certainly hope you would have taken this corrective action. The threat is much greater now, if you don't take any new action to strengthen your systems (something you haven't done in the past), his new information MUST increase the overall risk.

re: evidence of compromise - I think you have your information wrong and are stretching it to try to increase the threat level; You aren't hearing it from Cisco because it isn't true. Regardless, if they are compromising it, what NEW defensive techniques are gained from the preso? None, nada, zilch, nothing. You already have all the knowledge you need to defend against it, and you should have been doing it ever since Cisco's source code was released.

re: Mike Lynn's treatment resulting in a worm. You seem to relish the idea and think that this action is somehow ok, that illegal behavior is justified when you are dealing with jerks. Your approach to intellectual property is surprising(you don't mind if I copy your book into mine, do you?).

Pete Lindstrom

Richard Bejtlich said...


re: monitoring: Do you have any concept of the sort of monitoring I'm discussing? Do you have any idea how much it would cost to deploy DS3 taps in front of border routers? That DS3 interface would have to connect to a card like this on a monitoring platform, and who knows how much that will cost. You find me a customer who would pay for that level of effort prior to public examination of the issue by Mike Lynn.

re: evidence of compromise: "The story from Michael Lynn proceed[s] like this: He discovered clues that there was an issue being exploited when reading translated Chinese hacker sites that alluded to the issue."

re: Mike Lynn's treatment resulting in a worm: I just re-read every statement I've made on this blog to confirm you are misinterpreting my comments. I'm condemning Cisco and ISS for their ham-fisted and thuggish behavior. Cisco, especially, has ruined its reputation in the security community.

I would never welcome any worm. As for intellectual property, regardless of whatever Lynn published, the way it was treated by Cisco and ISS transformed it into the "must-have" file of the summer. It could have been another item on a long Black Hat agenda, and could have been handled much differently. Now everyone is talking about it. Great move.

Anonymous said...

Richard -

re: monitoring - you make a great point and no, I don't know what it would take, but I believe you. But that argument supports my point that we'd be better off if this information was not out there. (I think ML said all you needed to do was keep the firmware updated and I've heard another recommendation for a separate mgt network).

re: evidence - the information he had was Chinese translation of a public website that indicated a hacking group was messing around with Cisco stuff.

re: ML treatment - I did not explain myself well. I know what you meant, what I meant was that you seemed to relish how the hacker community was responding and I was suggesting that it was still illegal to hack a "jerk" (presumably ISS and Cisco, though I think they had a right to protect their intellectual property). I agree that scarcity breeds a stronger interest in gaining the information, but don't know how this would change your behavior for your clients.

Pete Lindstrom

Anonymous said...

nice blog!! Just bookmarked! DS3 Line