Cisco details controversial router flaw

Disagreement persists about the scope of the IOS vulnerability, which is at the center of a dispute between Cisco and a security researcher.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

See full bio

Joris Evers

July 29, 2005 1:22 p.m. PT

3 min read

LAS VEGAS--Cisco Systems on Friday published an advisory on a flaw in its router software that experts have said could be exploited by attackers to seriously disrupt the Internet.

Older versions of the Internetwork Operating System, or IOS, are flawed in the way they process IPv6 packets, Cisco said in its advisory. A specially crafted data packet could let a miscreant gain control over the router, but an attack is possible only from a local network segment and only on systems configured for IPv6, Cisco said.

IOS is the software that runs on Cisco's routers, which make up the infrastructure of the Internet. IPv6 is the next-generation Internet protocol. The networking company fixed the vulnerability in new releases of IOS in April and is urging people to upgrade their router software.

The advisory comes two days after a researcher at the Black Hat security confab defied Cisco and his employer, Internet Security Systems, and demonstrated how he could gain control over a router by exploiting the flaw. Cisco and ISS had agreed to pull the presentation, but researcher Michael Lynn quit his job and gave the talk anyway.

There still is disagreement over the scope of the vulnerability. While Cisco in its advisory stated that an attack is possible only when the attacker has a direct connection to the router, Lynn and other researchers at Black Hat said it is possible to carry it out remotely.

Lynn's conference presentation on Wednesday put Cisco and ISS on the defensive. The companies went to court seeking a gag order against Lynn and the Black Hat organizers. The parties reached a deal on Thursday, in which Lynn agreed never to repeat the information he gave at Black Hat. He also has to hand over any Cisco source code in his possession.

In a news conference on Thursday, Lynn said he feels he did the proper thing in exposing the breadth of the flaw. "I did not think the nation's interest was served by waiting another year, when a router worm would be a serious threat," he said.

It is possible with his approach to actually destroy a router, an effect that when multiplied could shut down parts of the Internet or a corporate network, Lynn said. IOS had been perceived to be impervious to such attacks, which is why a wake-up call was needed, Lynn said. The theft of Cisco's IOS source code in May last year also increases the chances that criminals are working on exploits.

Cisco and ISS have said that the research presented by Lynn was incomplete and that the companies were still working to determine the full impact of the exploit.

The Black Hat controversy may be continued on Saturday at the DefCon conference, also in Las Vegas. Another talk on vulnerabilities in the Internet's infrastructure is scheduled, and there has been speculation that the presenter will refer to Lynn's Black Hat session.

Meanwhile, the slides of Lynn's talk--"The Holy Grail: Cisco IOS Shellcode and Remote Execution"--are being offered for public download on several Web sites and have been distributed on at least one security mailing list.