Black Hat presentation yields another Cisco bug

Cisco has discovered and patched a critical vulnerability in its routers related to a controversial presentation given at the Black Hat USA conference.

Cisco Systems has discovered a critical bug in the operating system used to power its routers, the company announced Wednesday. The flaw is the second serious problem that Cisco has found in its routers' Internetwork Operating System (IOS) that is related to a controversial security presentation given at the Black Hat USA security conference in July of this year.

The flaw, rated "critical" by the French Security Incident Response Team, has to do with the system timers that IOS uses to run certain operating system tasks. Under certain conditions, attackers may be able to take control of the router by tricking the system timers to run malicious code, Cisco said in a security advisory.

Cisco has published a patch for this vulnerability, which has not yet been exploited by hackers, the company said. The bug was discovered "as a result of continued research to the demonstration of the exploit of another vulnerability which occurred in July 2005 at the Black Hat USA Conference," the advisory states.

That problem was disclosed by security researcher Michael Lynn, who was forced to quit his job as a research analyst with Internet Security Systems Inc., and then sued for disclosing the problem. The lawsuit was quickly settled, when Lynn agreed to quit discussing the matter.

Shortly after Lynn's presentation, Cisco published an IOS patch that addressed the IPV6 attack he had described.

To take over a Cisco router, attackers would need to successfully take advantage of both the earlier IPV6 problem and the system timer bug disclosed today, said John Noh, a Cisco spokesman. "In order to exploit the issue we're talking about today, you needed an additional way to attack," he said.

Without proof that it can actually be exploited, Cisco's latest bug is not particularly worrisome, said Russ Cooper, editor of the NTBugtraq newslist and a scientist with security vendor Cybertrust Inc. "My take on it that it was just another vulnerability," he said.

But should someone figure out a way of taking over Cisco's widely used routers, that could clear the way for a particularly devastating attack on the Internet.

Lynn said that the potential consequences of such an IOS attack were so grave that he had felt compelled to give his Black Hat presentation. "IOS is the Windows XP of the Internet," he said during his presentation.

Cisco's security advisory is here: http://www.cisco.com/warp/public/707/cisco-sa-20051102-timers.shtml

Cisco's IOS patch is published here: http://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml

Show Comments