Monday, August 01, 2005

Ciscogate 2005: Michael Lynn's Black Presentation

It was the first presentation of the morning at Blackhat. There were four rooms with simultaneous presentations but the largest one was set aside for Michael Lynn. I was one of the fortunate ones to witness his talk in person.

In the coming months we will know if his disclosuer results in Cisco fixing the issues in IOS before the bad guys take this information and create something very destructive.

Here is an email I sent out soon after the presentation:

Cisco recently acknowledged that the first ever working remote shell code exploit targeting Cisco IOS was demonstrated at Blackhat on July 27th. The Cisco advisory is I was fortunate enough to attend the presentation and feel that the Cisco advisory does not adequately explain the extent of the issue and what future issues may result from the public disclosure that took place. Cisco is accurate in their advisory as to the specific details of what portion of IOS was exploited in this instance to gain access to the device. The problem with their disclosure is that it does not address the fact that Michael Lynn who presented this issue also mapped out the Cisco IOS architecture in such a way that future attacks are likely.

Michael Lynn's explanation as to why he choose to publicly demonstrate that the exploits were possible and that working code exists was due to several factors.

1. History has show that the practice of responsible full disclosure works. (By "responsible" I mean that the vendor was notified prior to the full disclosure)

2. He stated that there are two publicly know thefts of IOS source code. So its out there and others may be actively working to create attacks.

3. When he started researching the possibility of exploiting IOS he noticed that there was already activity on the Internet in Chinese forums discussing how to go about some of the same things he was researching.

4. He also explained that this is a gigantic issue affecting possible national security and the Intranet as a whole. If someone was to find the exploit and use it to cause maximum damage then a digital Pearl Harbor is possible.

5. Cisco is currently rewriting IOS and he is concerned that the fundamental flaws that allow exploits like his will not be address. Furthermore, existing IOS versions are platform specific. So for any of his exploits to work they have to be compiled against each individual IOS code version available for download. Future IOS code will be one single instance for all devices. It will be the same binary for a 2600 as a 7600. That means that if one person figures out an exploit to IOS then all hardware running IOS will be vulnerable.

At this time, regardless of the fact that Cisco lists this as a IPv6 vulnerability, I would like to recommend that all routers residing on Internet, DMZ, or B2B links be upgraded to a version of IOS which is not vulnerable to the exploit demonstrated at Blackhat as soon as possible using your change control procedures. (The Cisco advisory lists what versions are vulnerable and the upgrade path.) I would also recommend that all core devices and datacenter devices running IOS be upgraded quickly after that. Edge devices should be upgraded once the primary devices in the network are completed. If it is not practical to upgrade to upgrade IOS then please consider verifying that IPv6 is not enabled in all devices. While this is listed as a recommended work around in the Cisco advisory I do not think it will address it in the same fashion as a code fix. By not upgrading and choosing to verify that IPv6 is disabled may leave the organization vulnerable to future exploits which exploit a different portion of the IOS code as its initial attack vector.

Here are some links to the actual presentation at Blackhat and subsequent articles. If anyone is interested in discussing this further please let me know.,1848,68328,00.html

(NOTE: Comments are welcome but keep them on topic. Additional insight or information on the topic is appreciated! Off topic posts or fake comments with links will be deleted)


Post a Comment

<< Home