On Wed, 27 Jul 2005, Dan Hollis wrote:
This is looking like a complete PR disaster for cisco. They would have been better off allowing the talk to take place, and actually fixing the holes rather than wasting money on a small army of razorblade-equipped censors.
-Dan
Complete PR disaster? Maybe they're still working on the fix and didn't want those on the blackhat scene to have a glimpse of how they intended on fixing things. I wonder if this exploit_foo_bar has anything to do with their code being stolen earlier this year, was it, or late last year. Maybe for the geeks in you, it may be a PR disaster, but I doubt their stock price will come down much. Oddly, I wonder if those in gov are watching closely those who are running around shorting Cisco stock. Or should that be: "sh0rt1ng c1sc0 st0ck!@$"
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x97B43D89
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x97B43D89
"To conquer the enemy without resorting to war is the most desirable. The highest form of generalship is to conquer the enemy by strategy." - Sun Tzu
On Jul 27, 2005, at 4:48 PM, J. Oquendo wrote:
On Wed, 27 Jul 2005, Dan Hollis wrote:
This is looking like a complete PR disaster for cisco. They would have been better off allowing the talk to take place, and actually fixing the holes rather than wasting money on a small army of razorblade-equipped censors.
Complete PR disaster? Maybe they're still working on the fix and didn't want those on the blackhat scene to have a glimpse of how they intended on fixing things. I wonder if this exploit_foo_bar has anything to do with their code being stolen earlier this year, was it, or late last year. Maybe for the geeks in you, it may be a PR disaster, but I doubt their stock price will come down much. Oddly, I wonder if those in gov are watching closely those who are running around shorting Cisco stock. Or should that be: "sh0rt1ng c1sc0 st0ck!@$"
Cisco had initially approved this talk. My understanding is that this has been fixed and no current IOS images were vulnerable to the techniques he was describing. ISS, Lynn, and Cisco had been working together for months on this issue before the talk. This had _nothing_ to do with the source code that was stolen. I have dealt with Lynn professionally on many occasions and he has shown himself to have more than a fair share of integrity. It is uncalled for to take two disparate events and place them together in a way which smudges the name of a respected researcher.
On Wed, 27 Jul 2005, James Baldwin wrote:
Cisco had initially approved this talk. My understanding is that this has been fixed and no current IOS images were vulnerable to the techniques he was describing. ISS, Lynn, and Cisco had been working together for months on this issue before the talk.
Just because they fixed the bugs doesn't mean there aren't a large number of publicly accessible routers out there still running affected versions.. I suspect there was something slightly more than just giving information about the vulnerabilities.. the inference is that they demonstrated executing arbitrary code from buffer overflows.. perhaps for example they developed ways of opening up privilege vty which I don't think has been shown before
Steve
I suspect there was something slightly more than just giving information about the vulnerabilities.. the inference is that they demonstrated executing arbitrary code from buffer overflows.. perhaps for example they developed ways of opening up privilege vty which I don't think has been shown before
we can suspect a lot of things. but, as long as information is suppressed, all we can do is suspect and be victims of those who have the time to develop exploits. this is why open disclosure is soooo important. security through obscurity is a well-known failure mode.
randy
On 7/27/05, J. Oquendo <sil@politrix.org> wrote:
Complete PR disaster? Maybe they're still working on the fix and didn't want those on the blackhat scene to have a glimpse of how they intended on fixing things. I wonder if this exploit_foo_bar has anything to do with their code being stolen earlier this year, was it, or late last year. Maybe for the geeks in you, it may be a PR disaster, but I doubt their stock price will come down much. Oddly, I wonder if those in gov are watching closely those who are running around shorting Cisco stock. Or should that be: "sh0rt1ng c1sc0 st0ck!@$"
Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.
--
Mark Owen
On Thu, 28 Jul 2005, Mark Owen wrote:
Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.
And the list of vulnerable IOS versions is where....? I don't care exactly what the exploit is but I want to know the risks involved and what versions are vulnerable. Any workarounds available would be nice as well, the fewer routers potentially needing immediate upgrade to fixed IOS the better.
--
Mikael Abrahamsson email: swmike@swm.pp.se
And the list of vulnerable IOS versions is where....?
I am not sure if this is the correct doc, but it is recent (April/May 05) and does indicate what IOS versions are being dropped and what IOS one should migrate to.
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/prod_bulleti...
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com noc@cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101
This has nothing to do with the recent events.
- RC
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of james edwards
Sent: Thursday, July 28, 2005 2:26 PM
To: Mikael Abrahamsson; nanog@nanog.org
Subject: Re: Cisco cover up
And the list of vulnerable IOS versions is where....?
I am not sure if this is the correct doc, but it is recent (April/May 05) and does indicate what IOS versions are being dropped and what IOS one should migrate to.
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html
James H. Edwards
Routing and Security Administrator
At the Santa Fe Office: Internet at Cyber Mesa
jamesh@cybermesa.com noc@cybermesa.com
http://www.cybermesa.com/ContactCM
(505) 795-7101
On Thu, 2005-07-28 at 12:58, Robert Crowe wrote:
This has nothing to do with the recent events.
- RC
james edwards wrote:
I am not sure if this is the correct doc, but it is recent (April/May 05) and does indicate what IOS versions are being dropped and what IOS one should migrate to.
http://www.cisco.com/en/US/customer/products/sw/iosswrel/ps5187/prod_bulletin0900aecd80281c0e.html
Robert,
So if I follow this doc and move to the IOS indicated, will that IOS be free of this bug?
j
Thus spake "Mikael Abrahamsson" <swmike@swm.pp.se>
On Thu, 28 Jul 2005, Mark Owen wrote:
Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.
And the list of vulnerable IOS versions is where....?
I don't care exactly what the exploit is but I want to know the risks involved and what versions are vulnerable. Any workarounds available would be nice as well, the fewer routers potentially needing immediate upgrade to fixed IOS the better.
The short answer is, if an image is still on CCO, it's not vulnerable. That applies to both this problem and any other security problems Cisco has patched but not published notices for yet.
S
Stephen Sprunk, CCIE #3723, K5SSS
"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov
Once upon a time, Mark Owen <mr.markowen@gmail.com> said:
Cisco had the exploit fixed in April and no longer offers the exploitable OS for download on their site.
But which versions are vulnerable? I don't just go upgrade my IOS at random, hoping to fix unknown bugs (while introducing additional unknown bugs). When I've got an apparently stable version for my setup, I leave it alone.
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.