Furor over Cisco IOS router exploit erupts at Black Hat
- 29 July, 2005 08:08
Although Cisco and Internet Security Systems (ISS) had abruptly cancelled a planned technical talk and demo at the Black Hat Conference showing how unpatched Cisco routers can be remotely compromised, the researcher who had originally uncovered the problem went ahead with the talk anyway, igniting a spate of lawsuits against him and against the Black Hat Conference.
Michael Lynn, the research analyst at ISS who was asked to resign after his presentation detailing how an attacker can exploit flaws in unpatched Cisco routers to gain total control over them, said he felt compelled to reveal the information because "I felt I had to do what's right for the country and the national infrastructure."
Cisco and ISS, claiming it was premature to release the research, saw it differently and immediately filed a lawsuit aimed at compelling him not to discuss the subject further. The Black Hat Conference was also served with a lawsuit by the two companies for allowing Lynn to discuss the exploits associated with Cisco routers.
Black Hat CEO Jeff Moss yesterday said he felt trapped in the middle. "Michael Lynn said he was going to discuss VOIP," said Moss. "I can't control a speaker who changes his topic in the middle of a presentation."
Told by ISS not to discuss the Cisco router exploit, Lynn did begin his presentation at Black Hat on Wednesday with a substitute talk on VOIP. But the boos from an audience that had come to hear the original topic, entitled "The Holy Grail: Cisco IOS Shellcode and Remote Execution," induced him to switch back to the scheduled subject: the research he carried out at ISS showing how an attacker can completely take control of a Cisco router through a variety of buffer-overflow attacks and shellcode exploits.
While this type of attack is common against unpatched servers today (several destructive Internet worms in past years have used buffer-overflow attacks to take over Microsoft-based servers), this was believed to be the first public demonstration of a buffer-overflow attack against Cisco routers.
Lynn did not publicly provide the specific attack code to carry out the attack -- which he said could be accomplished in several ways on unpatched Cisco routers -- but he provided evidence it could be done. Lynn said he got some of his insights by reading information posted on Chinese hacker sites.
Just last week ISS had stated that it intended to provide a "first" in this security area, but discussions with Cisco, which had been expected to participate in the Black Hat presentation, ended with the two firms abruptly cancelling the talk on Monday.
In addition, Cisco warned the Black Hat organizers on Monday that it would file a lawsuit against the conference if they did not remove the 15 pages of written material that ISS had submitted more than a month earlier for inclusion in the bound 1,000-page conference proceedings.
Black Hat CEO Jeff Moss said he complied, allowing Cisco personnel to physically cut the pages out of the books on Monday evening and destroying the original conference CDs that contained the material.
Wednesday evening, Moss said he'd learned from lawyers that Cisco and ISS had filed a lawsuit against Black Hat aimed at ensuring the video made of Lynn's presentation is not distributed. The lawsuit, which he said he had not yet reviewed, also aims to hold him responsible for letting Lynn speak out on the topic.
Last night, Lynn, from a hotel room in Las Vegas, was informing reporters and friends that he had contacted the free-speech advocacy group Electronic Frontier Foundation to muster legal support.
The efforts by Cisco and ISS to put a lid on the information about Cisco router exploits that Lynn revealed may be futile. Some attendees at the conference believe the original CD containing the detail is already in circulation. In addition, some security professionals attending the Black Hat Conference said they were grateful for Lynn's audacity.
Joseph Klein, senior security analyst in the aerospace electronic systems division at Honeywell Technology Solutions, said he helped arrange a meeting between government IT professionals and Lynn after Lynn's talk. Klein said he was furious that Cisco had been unwilling to disclose the buffer-overflow vulnerability in unpatched routers. "I can see a class-action lawsuit against Cisco coming out of this," Klein said.
After Cisco cut the pages out of the Black Hat conference book, rumors began circulating at the conference that the Department of Homeland Security had pressured Cisco and ISS not to go through with the talk for national security reasons. Cisco and ISS said this was not a factor in their decision to cancel the presentation at Black Hat.
Klein said his sources have left him with the impression that Cisco CEO John Chambers had been in contact with the White House on the matter. "I think this is a topic in the White House at the moment."
The Black Hat Conference continues today, and the legal back-and-forth over the events surrounding the IOS exploit is expected to continue as well.