Researcher Michael Lynn quit his job at Internet Security Systems late last month, then defied ISS and Cisco by revealing that unpatched Cisco routers could be hacked by a buffer-overflow exploit. Until then, corporate network managers had been largely unaware of the risk.
Cisco and ISS had known for months. And it’s feared that hackers knew, too, as Chinese bulletin boards are said to have contained at least some knowledge of the vulnerability.
The confluence of events — all coming to a head last month at the Black Hat security conference — has reignited the long-smouldering debate over what constitutes responsible disclosure of security risks.
Cisco insists that Lynn acted both irresponsibly and illegally, and obtained a court order barring him and show organizers from making further disclosures. “The actions against Mr. Lynn and Black Hat were not based on the fact that the flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure,” Cisco said in a statement.
Cisco added that what Lynn had done “was not in the best interest of protecting the Internet.”
Lynn maintains that he acted properly, a position that garnered backing from security experts and conference attendees.
“I think I did the right thing,” he said. “I didn’t disclose any vulnerabilities that were new. The important thing is that vulnerabilities can be seriously exploited.” The fact that Cisco source code was stolen last year makes the chances of an exploit more likely and that heightened risk demanded early disclosure, Lynn says.
That sentiment was widely held by others.
“Cisco should have told us earlier about this because it clearly makes patching a high priority that has to be done,” said Joseph Klein, senior security analyst at Honeywell Technology Solutions.
The shellcode flaw and Cisco’s reaction to it are “definitely a source of concern,” said Joe Moore, director of IT for the state of Arizona auditor general’s office. “There is a lot hanging on what kind of equipment you have facing the public network…. If you have a flaw brought to light, I don’t think Cisco should have a problem sharing that flaw, especially if it’s already been taken care of, like Cisco says it has…as opposed to trying to hush up the person who exposed the flaw.”
John Parsons, manager of global telecommunications and networks at Kodak, said the company’s router engineers keep its Cisco equipment current with updated patches. Parsons expressed some sympathy for Cisco’s position in going after Lynn. “Maybe Cisco wanted to make sure they had the proper patches or workarounds ready for this, which I think is reasonable,” he said.
After Lynn’s revelations, Cisco was to have posted a security advisory related to the issue of remote exploits of Cisco routers at www.cisco.com/go/psirt.
ISS and Cisco had planned to have Lynn talk about this new type of potentially devastating buffer-overflow attack against unpatched routers, but canceled at the last minute, saying more research was needed.
However, Lynn broke ranks.
He was promptly sued by ISS and Cisco, which claimed his actions were illegal. Lynn acknowledged in a settlement that he had broken confidentiality agreements.