Researcher agrees to silence on Cisco flaws

Cisco plans to issue a security advisory 'within the next day'

A security researcher who gave a presentation on vulnerabilities in Cisco Systems routers at this week's Black Hat USA conference has agreed not to further discuss the issue under the terms of a permanent injunction issued by a U.S. federal court.

Cisco plans to issue a security advisory "within the next day," according to a statement the company released on Thursday after the injunction was issued.

Cisco and Internet Security Systems (ISS) sought the injunction on Wednesday against Michael Lynn, who gave the Wednesday morning presentation, and Black Hat, which organized the Las Vegas computer security conference. It was granted on Thursday by Judge Jeffrey White of the U.S. District Court for the Northern District of California, in San Francisco.

All parties involved in the case have agreed to the injunction, effectively putting an end to a dispute that dominated the final two days of Black Hat and diminished the reputation of Cisco and ISS in the eyes of many attendees.

ISS had originally replaced the presentation, entitled "The Holy Grail: Cisco IOS Shellcode and Remote Execution," with a different one and had ensured the presentation materials were torn out of a book that was part of the materials given out at the Black Hat show.

But Lynn, a research analyst at ISS, quit his job at ISS and gave the presentation anyway.

"The information that Mr. Lynn disclosed at the conference, we believe was illegally obtained, and included Cisco intellectual property," said Cisco spokesman John Noh.

Lynn described a now-patched flaw in the Internetwork Operating System (IOS) software used to power Cisco's routers, and demonstrated a buffer-overflow attack in which he took control of a router. Although Cisco was informed of the flaw by ISS, and patched its firmware in April, users running older versions of the company's software are at risk, he said.

Among other things, the injunction issued Thursday blocks Lynn from disclosing or disseminating any part of the presentation, disseminating any video recording of the presentation, or disassembling or reverse engineering Cisco code in the future.

Cisco had sought the injunction "to stop continued irresponsible public disclosure of illegally obtained proprietary information," it said in a statement.

At a news conference Thursday afternoon, Lynn admitted that he had converted some of Cisco's binary code into a human-readable form, a process called reverse-engineering. But he disputed the idea that this was an illegal practice. "It's generally speaking not illegal to reverse engineer for security reasons," he said.

Many end-user license agreements, including Cisco's, prohibit reverse-engineering.

Lynn said the attention that the case drew will push Cisco to improve the security of its routers. "I think I did the right thing. It was pretty scary, but the real important message was [that] there was a potential or serious problem coming in the future. It wasn't too late to fix it, but you had to take it seriously," Lynn said.

"I didn't think the nation's interests were served by waiting until another year, until a router worm would be a serious threat," he said.

Cisco welcomed the injunction.

"Cisco's actions with Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure. It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the Internet," the company said in its statement.

By pointing out the possibility of a worm attack on Cisco's routers, Lynn has performed a valuable service, said Black Hat attendee James Pearl, a consultant with Booz Allen Hamilton.

He did not have kind words for Cisco, and said the networking giant's attitude toward security might ultimately be bad for Cisco's business. "Security through obscurity doesn't work. You can stick your head in the sand but your butt's in the air," he said. "Do I really want to go with a company like Cisco that had to hide their problems?"

But Lynn's former employer, ISS, came out "the real loser in this," he said. "They've lost somebody really good, and everybody's saying, 'You didn't stand up for your guy.'"

Copyright © 2005 IDG Communications, Inc.