Thursday, July 28, 2005

Michael Lynn's Black Hat presentation: What's the big deal?

In case you haven't heard, there's a big controversy over one of yesterday's Black Hat presentations. I frankly don't see what all the fuss is about.

According to Cisco, Lynn reverse engineered parts of IOS while working for ISS. This allowed him to discover methods to make use of existing vulnerabilities to gain shell access or execute arbitrary code on a Cisco router.

People, this is a big technical step forward, but it's just not news. First, Mr. Lynn has not created or publicized new Cisco vulnerabilities; he's merely come up with some more creative ways to make use of existing vulnerabilities. Second, I don't think any security professional should be surprised that it's possible to use a stack or heap vulnerability to execute code. It's been done to death on every other platform; why not IOS too? My hat's off to Mr. Lynn for what is definitely some masterful coding on his part, but we've seen this before elsewhere.

What really puzzles me, though, is why anyone is surprised that he's apparently going to be sued by both Cisco and ISS. I'm not privy to the agreements he may have signed with ISS when he was employed there, nor do I know any details about any NDAs that might be in place between ISS and Cisco. However, if he was paid by ISS to work on this project, the work belongs to ISS and not to Mr. Lynn. That alone could be sufficient grounds for ISS to complain, especially because by outing the work, he has also probably opened ISS itself to lawsuits from Cisco.

So please everyone, let's get over this teacup imbroglio. This just isn't the story everyone thinks it is.

2 comments:

Jack said...

Cisco has had problem after problem after problem with code security. As a Security Engineer I am fed up with patching my routers every week. Cisco should fix the code. The code is broken!! Hackers and security experts find new security holes every month. What if some hacker finds a hole that the security teams don't find, or Cisco squashes the report with lawyers? We will have a very real problem of getting hacked! Cisco, get the code fixed or we will buy competent products from Nortel, Juniper, etc., etc...

David Bianco said...

I think the last sentence in your comment is the key. "[...] get the code fixed or we will buy [...] Nortel, Juniper, etc."

Vendors who are on the ball really respond to this sort of "vote with your feet" approach. Microsoft put out their big security push a few years ago just because they were afraid of this sort of thing. I think if everyone's dissatisfied with Cisco, going with a different vendor's gear is a legitimate response, and one they'll take notice of (especially if you tell your sales rep WHY you're leaving Cisco).

That being said, it's not without its downsides. First, many organizations have a commitment to Cisco that would be difficult or impossible to change overnight. Telling your boss that you want to change vendors and lose the investment you've made in existing network infrastructure isn't necessarily a good way to advance in an organization.

More importantly, I don't believe the problem is limited to just Cisco gear. Probably every network vendor has similar issues. Cisco is targeted because it has the largest installed base. Switching to a different vendor will undoubtedly have an effect, but it probably won't completely solve the problem. I'd be shocked if there weren't people out there now with the ability to run arbitrary code remotely on non-Cisco routers and switches.