[ISN] Firm Allegedly Hiding Cisco Bugs

[InfoSec News]

http://www.wired.com/news/technology/0,1282,69762,00.html

By Kim Zetter
Dec. 06, 2005 

The computer security researcher who revealed a serious vulnerability
in the operating system for Cisco Systems routers this year says he
discovered 15 additional flaws in the software that have gone
unreported until now, one of which is more serious than the bug he
made public last summer.

Mike Lynn, a former security researcher with Internet Security
Systems, or ISS, said three of the flaws can give an attacker remote
control of Cisco's routing and gateway hardware, essentially allowing
an intruder to run malicious code on the hardware. The most serious of
the three would affect nearly every configuration of a Cisco router,
he said.

"That's the one that really scares me," Lynn said, noting that the bug
he revealed in July only affected routers configured in certain ways
or with certain features. The new one, he said, "is in a piece of code
that is so critical to the system that just about every configuration
will have it. It's more part of the core code and less of a feature
set," Lynn said.

Like the earlier bug, the more serious of the new bugs is in Cisco's
Internet Operating System, or IOS, said Lynn. Another dozen
unpublished vulnerabilities can allow someone to conduct a
denial-of-service attack against the router, crashing it over the
internet, he said.

Lynn, who now works for Cisco competitor Juniper Networks, told Wired
News that ISS has known about additional flaws in the Cisco software
for months but hasn't told Cisco about them. This is serious, Lynn
said, because attackers may already be developing exploits for the
vulnerabilities. Cisco's source code was reportedly stolen in 2004
and, while doing research on the IOS software, Lynn found information
on a Chinese-language website that indicated to him that Chinese
attackers were aware of the security flaws in IOS and could be
exploiting them.

ISS offers intrusion-detection products and security services to help
businesses and the government protect their computer systems from
attack. The company's X-Force research and development team, where
Lynn worked, examines ways in which attackers can infiltrate a
computer network and provides customers with information about the
latest security threats.

Lynn said he discussed the security vulnerabilities with his former
bosses at ISS after the company asked him to reverse-engineer the
Cisco operating system.

Lynn said that details about the vulnerabilities were also in notes
and documents that ISS lawyers seized from him in July after he
presented information about the first Cisco flaw at the Black Hat
security conference in Las Vegas. Although Lynn said Cisco and ISS
initially approved his Black Hat presentation, the companies reversed
their support hours before his talk, and sued him when he gave the
presentation anyway. Many security professionals, including some who
protect government and military networks, praised Lynn for disclosing
the information. ISS accused Lynn of stealing trade secrets, but an
FBI investigation ended with the government taking no action against
the researcher.

Mike Caudill, who manages Cisco's Product Security Incident Response
Team, told Wired News that ISS has not told Cisco about any additional
flaws that Lynn had found in Cisco's software. As head of the security
team, Caudill would be the primary person with whom ISS would discuss
vulnerabilities. Caudill wouldn't discuss the matter further but
directed Wired News to Cisco spokesman John Noh. Noh was surprised by
the news of the vulnerabilities and said his company encouraged
security researchers to come to them with important information in a
timely manner.

"If there is legitimate information that will impact our customers,
then we'd like to know about that. We'd want to be aware of anything
that could impact our products and our customers," Noh said. But he
also said that Cisco has a process for reporting vulnerabilities that
involved working with its PSIRT team. "By working with us, it benefits
everyone involved."

Lynn said he sent an e-mail to Cisco's Mike Caudill last week but that
he didn't go into detail about the vulnerabilities. He said it was
important that ISS not sit on the information.

A permanent injunction arising from Lynn's settlement of the lawsuit
brought by ISS and Cisco now prevents Lynn from publicly discussing
details about the original vulnerability or the new vulnerabilities
other than to acknowledge their existence.

"Essentially there are more bugs, and they've gagged me from telling
anyone the details of what they are," Lynn said.

Pete Allor, director of intelligence at ISS and a special assistant to
the CEO, said he knows nothing about additional vulnerabilities in IOS
and that there was no information in notes seized from Lynn discussing
additional remote-control or denial-of-service flaws in Cisco's IOS.

"Since I'm responsible for vulnerability disclosure, that would be
something that would come to my attention, and I don't have anything
that shows that we know anything about remote execution," Allor said.

Allor added that ISS had theories in general about where it might
investigate possible additional flaws in the Cisco system and other
software, but he said many perceived flaws don't stand up under close
examination. "It takes a substantive amount of research to prove that
point unequivocally," Allor said. "(Until) there's no doubt in your
mind that you can reproduce and show that to others, then it's nothing
more than a theoretical thought."

He added that once ISS determined that flaws existed, it would be the
company's responsibility to work with the vendor to determine how to
address the problem "so that no infrastructure network or customer
would ever be at risk. It's not for the researcher to speculate and
then publish speculation."

Lynn disputed Allor's statements about what ISS knows about the flaws.
He said he told the company's CTO as well as other members of the
X-Force research team about the vulnerabilities he found. So plentiful
were the bugs, he said, that it became a running joke at ISS each time
he found another denial-of-service flaw.

Additionally, Lynn gave ISS two notebooks filled with information
about the flaws as well as pages of digital notes that he wrote while
he reverse-engineered the software.

"It's pretty meticulous. There's lots of notes because it's very
complicated stuff," Lynn said. "I gave the most details for the ones
that are the most critical -- those are all spelled out."

With regard to Allor's statement suggesting that any flaws ISS found
are theoretical, Lynn said, "We're not dealing with an iffy thing when
I actually have the code that I'm disassembling."

"At the very least," he said, "even if ISS only suspected there were
flaws, you'd think they'd want to talk to Cisco about it even if they
think maybe it's not true. If I'm totally wrong, great, but I have a
pretty good track record on this, and you'd think they'd want to be
talking to Cisco to be sure."

Chris Wysopal, an independent security consultant who previously
directed research and development for Atstake and Symantec, said it
was a mystery why ISS would sit on such critical information.

"There are no more critical vulnerabilities than the ones in routers
and firewalls, since that's the fundamental basic infrastructure of
the internet," said Wysopal. "A denial-of-service attack is enough (to
make it critical). If you can just knock people off the net or keep
the whole net down, that can be very valuable to people who want to
wage some sort of cyberwar.

"If I were a customer, I wouldn't be happy if the vendors I dealt with
had information that could help me ... and they didn't (tell me),"
Wysopal said.