I guess we can wrap up the Cisco and ISS vs. Mike Lynn and Black Hat saga by mentioning the new Cisco security advisory released today: IPv6 Crafted Packet Vulnerability, which states:
"(IOS®) Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must be sent from a local network segment. Only devices that have been explicitly configured to process IPv6 traffic are affected. Upon successful exploitation, the device may reload or be open to further exploitation."
Assuming these details are correct -- and who knows now? -- this is not an earth-shattering discovery. However, this may have been a sample vulnerability Mike demonstrated to explain his technique. He may have picked this vulnerability because he thought it would not affect much of the Internet, but he needed to let people know that his technique was already in use by malicious parties.
Cisco's main security page addresses the Lynn affair directly as well.
This Reuters article quotes Jeff Moss:
"Jeff Moss, president of Black Hat, predicted the ruling would have a dampening effect on security enthusiasts.
'People will say, Why would we tell the public about this if we're going to be sued? We're just going to post this anonymously,' he said. 'Who is going to tell Cisco about a problem now?'"
Who indeed. Good work, Cisco. You've just alienated anyone who would consider quietly approaching you with vulnerability details. You've probably also stirred up an army of independent researchers who will look for new holes in IOS.
The real tragedy is the vulnerability of all the enterprises running Cisco gear, to include all of my clients. It's time for me to figure out better ways to monitor Cisco equipment for signs of compromise. The protected domain or boundary does not start inside your border router -- it must now include that router, as it remains at risk of direct attack. How long before the first router-based worm, I wonder?