Researcher agrees to silence on Cisco flaws
- 01 August, 2005 07:43
A security researcher who gave a presentation on vulnerabilities in Cisco Systems routers at last week's Black Hat USA conference has agreed not to further discuss the issue under the terms of a permanent injunction issued by a US federal court.
Cisco plans to issue a security advisory "within the next day," according to a statement the company released after the injunction was issued.
Cisco and Internet Security Systems (ISS) sought the injunction against Michael Lynn, who gave the presentation, and Black Hat, which organised the Las Vegas computer security conference. It was granted by Judge Jeffrey White of the US District Court for the Northern District of California, in San Francisco.
ISS had originally replaced the presentation, entitled he Holy Grail: Cisco IOS Shellcode and Remote Execution, " with a different one and had ensured the presentation materials were torn out of a book that was part of the materials given out at the Black Hat show.
But Lynn, a research analyst at ISS, quit his job at ISS and gave the presentation anyway.
Cisco and ISS had agreed that more research was needed, Cisco spokesman, John Noh, said, adding that the presentation did not reveal any new vulnerabilities or flaws.
Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and demonstrated a buffer-overflow attack in which he took control of a router. Although Cisco was informed of the flaw by ISS, and patched its firmware in April, users running older versions of the company's software were at risk, he said.
Among other things, the injunction blocks Lynn from disclosing or disseminating any part of the presentation, disseminating any video recording of the presentation, or disassembling or reverse engineering Cisco code in the future.
Cisco had sought the injunction "to stop continued irresponsible public disclosure of illegally obtained proprietary information", it said in a statement.
At a news conference, Lynn said the attention that the case drew would push Cisco to improve the security of its routers.
"I think I did the right thing. It was pretty scary, but the real important message was [that] there was a potential or serious problem coming in the future. It wasn't too late to fix it, but you had to take it seriously," Lynn said.
"I didn't think the nation's interests were served by waiting until another year, until a router worm would be a serious threat," he said.
Cisco welcomed the injunction.
"Cisco's actions with Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure. It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet," the company said in its statement.