On Thu, Jul 28, 2005 at 02:17:46PM -0400, J. Oquendo wrote:
Subject : RE: Cisco IOS Exploit Cover Up
On Thu, 28 Jul 2005, Geo. wrote:
I think there is also a LOT of concern about all the unpatched routers that remain unpatched simply because the admins don't feel like spending a week running the Cisco gauntlet to get patches when you don't have a support contract with Cisco. It's like Cisco doesn't want you to patch or they would make it easy.
Geo.
This is oh so true - contracts in order to patch your equipment. Normally I would never mention the need for an authority to intervene on things related to the Internet but how long will it be before the term "Digital Pearl Harbor" is a reality.
Maybe it is time an authority figure steps in and makes some form of rules for vendors to distribute fixes under some form of law. If this flaw of Cisco's could lead to the kind of severe damage Mr. Lynn claims, shouldn't it fall on the shoulders of Cisco to get their act together and provide a fix as opposed to sending in the hounds (legal shmoes via Cisco) to avoid coming clean on this issue?
Cisco always has provided free upgrades to non-contract holders for security bugs. eg: http://www.cisco.com/en/US/products/products_security_advisory09186a008042d5...

-- snip --
Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.
-- snip --

Now the fact that there has been no advisory (yet) means no free upgrade (yet?). This is much kinder than other companies have been, where you can't get squat.

Now, for the doomsdayers, yes, it's likely we'll have something nasty happen to the internet at some point. Yes, it'll disrupt 911 and other critical services (finance, health care, etc.), but without people taking active responsibility for the equipment they own and operate, the question is who will get hurt and how badly.

We do security testing on our IOS images and have found bugs that have been reported to PSIRT and fixed "quietly". They've been fairly good at solving the issues. I think anytime I deal with a vendor, promptness is always an issue; I'd always like a fix in a few days, and they never seem to move as fast as one would want.

If you don't do testing of your images, I suggest you create a plan and add it to your qualification procedures. Even if you don't have a current contract, you can get free upgrades if you find a PSIRT bug; perhaps that should make everyone *want* to help Cisco.

Then again, there have been issues for years where this happens. I encourage everyone to beat on their routers (in the lab) and work with your vendors to solve the problems and not run around creating massive amounts of chaos; we've all seen what that does.

- jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/
My statements are only mine.