By Joris Evers, 3 November 2005 08:35
Cisco has patched a flaw in the software used to run its routers and switches, in the latest twist in the company's dispute with a security researcher.
The networking giant on Wednesday released an update to fix a serious so-called heap-overflow vulnerability in its Internetwork Operating System, or IOS. This type of security flaw is commonly found in software and often allows a remote attacker to gain control of the affected system. In this case, that would mean control over Cisco routers or switches, which make up the infrastructure of many computer networks, including the Internet.
The newly disclosed flaw in IOS was part of a controversial presentation at the Black Hat security confab in July, but Cisco has been able to keep it under wraps until now.
At Black Hat, security researcher Michael Lynn demonstrated how he could gain control over a router by exploiting security flaws. A widespread attack could seriously disrupt or shut down parts of the internet or a corporate network, he said. IOS had been perceived as impervious to such attacks and Cisco fought Lynn's disclosure by going to court.
A Cisco spokesman said: "Through the IPv6 vulnerability disclosed in July, he was able to achieve a heap-overflow attack on system timers." That flaw, which Cisco provided a fix for in April, was Lynn's way to trigger the heap overflow and commandeer the router.
Cisco in July published details on the IPv6 vulnerability that Lynn exploited in his demonstration, but did not disclose the second, more serious, flaw involved in the attack demonstration until Wednesday. The heap overflow is the actual vulnerability that could let an attacker take over a Cisco router or switch.
The scope of the second flaw explains why Cisco went to great lengths to keep it under wraps, said Johannes Ullrich, chief research officer at the SANS Institute. "These serious flaws show why it was so important for Cisco to hold back on the release at Black Hat," he said. "Early, widespread knowledge of this flaw would have been bad."
Users should update as soon as possible, Ullrich said. This can be a tough task, especially at internet service providers and organisations that run customised configurations. "Too many times in the past, network operators got burned by bad patches and routers not rebooting correctly. It will take a while to have all this worked out," he said.
Joris Evers writes for News.com
Comments
1. Graham Coles
Kept under Wraps?
So presumably, this flaw is a different one to the one made public by Lynn that was freely available on the internet around the time that Cisco were making fools of themselves by ripping pages out of the Black Hat programmes?
If this is what they call 'keeping under wraps' then it proves all along what has been said about security through obscurity - it is useless.
I saw the slides of that presentation about tcbs and heap overflows around the beginning of August, and doubtless a few million others did as well. You just can't suppress this kind of information, and to suggest that they achieved this is probably damaging Cisco's now tarnished reputation rather than making them look good ... this article reads like pure spin!
2. Dan Smart
I agree. I got the presentation sent to me the next week after the Black Hat debacle.
Micro$oft finally realized that hiding flaws DOES NOT WORK. M$ft got serious about getting in front of damaging vulnerabilities. Cisco needs to do the same. If they developed relationships with the white/black hat community the way M$ft does now, this could have all been avoided.