RealTime IT News

Cisco Patches Amidst Uproar

One day after Cisco Systems slapped a restraining order on a researcher for disclosing details of a flaw in its software, security officials at the company released a patch to fix the problem.

Cisco and Internet Security Systems (ISS) on Thursday filed for, and received, a permanent injunction against Michael Lynn, a former ISS researcher, and Black Hat, the company hosting the popular Black Hat Conference.

The company Friday published the "IPv6 Crafted Packet Vulnerability" fix on its Web site and said it has a limited impact on its product line.

The vulnerability affects a small subset of Cisco devices, those using the company's IOS with IPv6 support enabled.

IOS is the network infrastructure software used in everything from Cisco's home office routers to those used in enterprise and ISP networks. According to the Cisco Web site, IOS is used in more than 10 million devices worldwide.

Those IOS-run devices with IPv6 disabled are safe from the vulnerability, the Cisco security advisory states. Network administrators can check to see whether their systems have the technology enabled by using the "show ipv6 interface" command: a blank output means IPv6 is disabled or unsupported on the system.

For the devices running IPv6, however, the vulnerability could expose the system to a denial of service attack, requiring the system to reload its network neighbor discovery process.

A specially crafted IPv6 packet could also open the door to remote execution by malware writers.

Administrators who install the patch are safe from the attack.

The real news behind the vulnerability was Cisco's reaction to Lynn's speech at the Black Hat conference, where he detailed the vulnerability to conference attendees.

The company's decision to prohibit the former ISS researcher from talking about the subject came across as heavy-handed to many in the Internet community.

Techdirt.com was one of several Web blogs that noted that Cisco's strategy to keep its security vulnerabilities under wraps backfired. The extreme measures taken to silence Lynn, the blog entry stated, just convinced everyone that Cisco was really worried about the problem.

Mike Masnick, Techdirt president, said that if a researcher believes there is enough public information about the vulnerability, it makes absolute sense to go public with the information.

"Not doing so puts people at a higher risk, since they don't realize the system they're using is both insecure and actively being attacked," he said in an e-mail.

"Lynn apparently believed this vulnerability had reached that point -- and Cisco's reaction, if anything, has only sped up the attack process by attracting much more attention to the issue."

John Noh, a Cisco spokesman, defended his company's decision to file a permanent injunction against Lynn.

"Cisco and ISS were trying to follow our normal disclosure policy as relating to security vulnerabilities," he said. "To protect the best interests of our customers and the security industry in general, we took every reasonable measure that we needed to."

Noh added that as long as Lynn and Black Hat follow the terms of the injunction, the company's lawyers will not pursue any further legal actions.

But, in reality, the net effect of the security flaw was that it received a lot more attention than it would have otherwise warranted, said Paul Stamp, an analyst at research firm Forrester Research.

"If they just let it go we wouldn't be talking about this now," he said.

That doesn't mean that Lynn's claim to be protecting the nation's infrastructure was necessarily altruistic. Stamp said the number of affected devices was actually quite small and that Lynn's disclosure was more about getting his 15 minutes of fame.

As far as what's next for the former ISS researcher, Stamp said he doesn't expect he will have problems finding a new job.

"He's got a name now, so I don't think he'll have too much of a problem," he said. "Any company that wants a bit of publicity will snap him up in a heartbeat."