Cisco: Keep It Quiet

“There has been a scramble to get router code up to date,” said David Lawson, vice president of the global security practice at Greenwich Technology Partners in New York. “The truth is that not a lot of companies are keeping up with patches.”

Ethan Simmons, a partner in Boston-based NetTeks, said his company also received calls from worried customers. “Most of our customers subscribe to our managed security service, so the first thing we did was update our outside-facing routers to protect them,” he said.

The concern stemmed from a July 27 speech at the Black Hat conference in Las Vegas, in which security researcher Michael Lynn explained how he was able to exploit known vulnerabilities in Cisco’s Internetwork Operating System, which runs the company’s routers.

As first reported by CRN, Lynn’s presentation at Black Hat, based on research he conducted as a member of Internet Security Systems’ X-Force R&D team, was canceled by ISS after the Atlanta-based company reached an agreement with Cisco to delay discussing the findings. Cisco hired a team of temporary workers to physically remove Lynn’s presentation from Black Hat conference materials. But Lynn, determined to proceed with the talk, resigned from ISS in order to present the research.

From there, Cisco and ISS obtained a court order to stop Lynn and Black Hat organizers from further distributing information about how to exploit the vulnerabilities. But by then the word was out. Cisco’s response surprised some partners.

“Overall, it’s good if the information gets out there,” NetTeks’ Simmons said. “The stuff you don’t know about is what can hurt you the most.”

And Greenwich Technology’s Lawson said he is “disappointed” with the way San Jose, Calif.-based Cisco handled the situation. “I see no problem discussing vulnerabilities,” he said. “Forewarned is forearmed.”

Despite its swift reaction, Cisco downplayed the situation in public statements, pointing out that Lynn did not reveal a new vulnerability and that it affects only routers configured for IPv6. Still, on July 29, Cisco issued a security advisory and Cisco channel chief Keith Goodwin sent an e-mail to partners assuring them that Cisco was “taking all actions possible to mitigate the potential risk of this information. I encourage you to become familiar with the content in this advisory and ask that you remind your customers to take the necessary steps to update and upgrade their software to the latest versions to help mitigate the impact of any security vulnerability.”

Lawson said Lynn’s revelation has him concerned, despite the Cisco patch. “The important thing to remember is not this particular exploit, but that this is an entirely new class of exploits,” he said. “I don’t think the patch protects us from this kind of attack. It protects us from this [particular] attack. People have thought for years that IOS was impenetrable, but the truth is that it’s a massive block of code sitting out there without a lot of security built-in.”