Flaw researcher settles dispute with Cisco

Agreement bars further discussion about a presentation on exploiting vulnerabilities in Cisco router software.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
4 min read
LAS VEGAS--The dispute over a presentation on hacking Cisco Systems' router software at the Black Hat security conference culminated in a legal settlement Thursday.

Michael Lynn, a former Internet Security Systems researcher, and the Black Hat organizers agreed to a permanent injunction barring them from further discussing the presentation Lynn gave Wednesday. The presentation showed how attackers could take over Cisco routers, a problem that Lynn said could bring the Internet to its knees.

The injunction also requires Lynn to return any materials and disassembled code related to Cisco, according to a copy of the injunction, which was filed in U.S. District Court for the District of Northern California. The injunction was agreed on by attorneys for Lynn, Black Hat, ISS and Cisco.

Lynn is also forbidden to make any further presentations at the Black Hat conference, which ends Thursday, or the Defcon event that follows it. Additionally, Lynn and Black Hat have agreed never to disseminate a video made of Lynn's presentation and to deliver to Cisco any video recording made of Lynn.

In the first news conference of his life, Lynn on Thursday said that despite all the legal wranglings he faced during the previous day and a half, he made the proper choice in demonstrating an attack on Cisco's router software.

"I think I did the right thing. It was pretty scary, but the real important thing was there was the potential of serious problem," Lynn said. "I did not think the nation's interest was served by waiting another year, when a router worm would be a serious threat."

In his presentation Wednesday, Lynn outlined how to attack Cisco's Internetwork Operating System to gain control over the router running IOS. Cisco routers make up the infrastructure of the Internet. A widespread attack could badly hurt the Internet, according to experts attending Black Hat.

It is possible to actually destroy a router with the approach, Lynn said. Multiplied, that attack could seriously disrupt or shut down parts of the Internet or a corporate network, he said.

"It is one of those cases where software can destroy hardware," Lynn said.

IOS had been perceived as impervious to such attacks, which is why a wake-up call was needed, Lynn said.

"Nobody really considered until Wednesday that this was possible," he said. The theft of Cisco's IOS source code in May last year also increases the chances that criminal hackers are working on exploits, he said.

Aiding in attacks
Lynn acknowledged that his talk may actually help criminals in finding ways to attack Cisco routers.

"I gave maybe 5 percent of the information required to actually do what I did," he said. "The first guy who did it is sort of, in some way, responsible for all the other people who do it."

Several Black Hat attendees suggested that with the information provided by Lynn, skilled security researchers would have little trouble reproducing his attack.

What's important now is that Cisco fixes the underlying problem in IOS and prevents the problem in future versions of the software, Lynn said.

Lynn quit his job as a researcher at ISS to deliver the presentation after ISS had decided to pull the session. Notes on the vulnerability and the talk, "The Holy Grail: Cisco IOS Shellcode and Remote Execution," were removed from the conference proceedings by Cisco, leaving a gap in the thick book.

ISS wanted to cancel the session because the research was premature and would be presented at a later security conference, an ISS representative said Wednesday.

After the talk, Lynn retained attorney Jennifer Granick in the face of legal action by former employer ISS and Cisco. Granick is the executive director of the Stanford Law School Center for Internet and Society.

"Without her help, I would be in some really serious trouble," Lynn said Thursday.

Cisco said in a statement Thursday that it is "gratified" by the agreed injunction. It prevents further disclosure of information that could help create an attack on critical network infrastructure, the San Jose, Calif., networking giant added.

"It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet," Cisco said.

The company plans to release a security advisory on the issue within the next day, it said.

The actual flaw Lynn exploited for his attack was fixed by Cisco in recent releases of IOS. The latest versions are not vulnerable, Lynn and Cisco said. However, Lynn cautioned in his talk Wednesday that new IOS flaws could be exploited for a similar wide-ranging attack.