Cisco researcher quits to expose critical IOS flaws

Cisco Systems and Internet Security Systems jointly sued a researcher who presented data on vulnerabilities in Cisco router software at the Black Hat Briefings in Las Vegas.

The companies filed a request for a temporary restraining order against Michael Lynn, a former ISS researcher, and the organizers of the Black Hat conference, said John Noh, a Cisco spokesman.

"Cisco and ISS believe that the information Mr. Lynn presented contained intellectual property belonging to Cisco and ISS, which he obtained illegally," Noh said.

The suit seeks to bar Lynn and Black Hat organizers from further disseminating the information, he said.

Later on Thursday, U.S. District Court Judge Jeffrey White issued a permanent injunction against Lynn and Black Hat Inc. from further disclosure of the information. The injunction also orders Lynn to return any decompiled Cisco code and to identify anyone to whom he disclosed his presentation, excepting those who only attended his conference session.

ISS had cancelled Lynn's presentation, "Holy Grail: Cisco IOS Shellcode and Remote Execution," on Monday, but he went ahead with his talk, said Angela Frechette, ISS spokeswoman.

"ISS had made a decision to not move forward with the presentation because it needed more research before going public," Frechette said.

Lynn resigned his position at ISS an hour before giving the talk at the annual Black Hat conference on Wednesday. His presentation, which drew a packed crowd, showed how attackers could exploit flaws in Cisco Internetwork Operating System (IOS) to take over routers.

Frechette said ISS had asked Black Hat organizers to remove Lynn's presentation from conference proceedings, which was done.

Noh said Cisco and ISS had been talking about the issue for a while and agreed that Lynn's presentation needed additional research. Based on that discussion, ISS requested that Black Hat organizers hold off on the session, he said.

Black Hat representatives would not comment Thursday morning.

Lynn's talk did not disclose new vulnerabilities but rather new ways to explore existing vulnerabilities, Noh said. He said Cisco's standard advice to customers is to upgrade their software to the latest versions.

In a press conference late Thursday, Lynn said he went ahead with his presentation because it was important for people to understand that vulnerabilities could be seriously exploited on the network infrastructure.

"It was the right thing to do. It was worth the trouble I was going to go through," he said, adding that he did not disclose vulnerability details.

"What's really important here is that we get the problem fixed before it gets to the level of where there's a worm," Lynn said.

He said that he advised attendees that if they kept up to date on their patches, they would probably be fine.

A system administrator who attended Lynn's session said he was impressed.

"First, it was impressive he had the guts to go through with it," said the system administrator, who requested anonymity. "Also impressive were the technical aspects."

"He was clear, up front, that he wasn't trying to give an exploit for script kiddies," he added. "He was leaving out certain critical information."

In a statement, Cisco said it was gratified by the court's actions:

"Cisco's actions with Mr. Lynn and Black Hat were not based on the fact that a flaw was identified, rather that they chose to address the issue outside of established industry practices and procedures for responsible disclosure. It is Cisco's opinion that the method Mr. Lynn and Black Hat chose to disseminate this information was not in the best interest of protecting the internet."

Cisco said it plans to issue a security advisory to its customers within the next day.
