Cisco vulnerability protagonist Lynn interview: routers are a time bomb

Source: Internet
Author: User

After Michael Lynn, a security researcher, resigned from ISS (Internet Security Systems), he demonstrated last Wednesday at the Black Hat security conference, despite obstruction from Cisco and ISS, how a vulnerability can be used to attack and take control of Cisco routers. This caused an uproar in the industry, and the public image of both Cisco and ISS plummeted.

On the day after the conference, Lynn reached a settlement agreement with Cisco and ISS. He agreed to delete his research materials on the vulnerability, not to disclose the specific method used to carry out the attack, and to stop distributing the demo. (In fact, the 35-page slide deck Lynn used during the presentation, The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques, has already spread online as a PDF file. It gives a rough introduction to the technique of using a stack overflow to obtain a shell on the router, from which an attacker can launch further attacks. Lynn did not discover the vulnerability itself; what he developed was a method of using it to obtain a shell. The second page of the slides compares Cisco to the Titanic, as a warning to Cisco users.)

Lynn became a tech celebrity overnight and is still facing a US FBI investigation. In an exclusive interview with a US website, Lynn described the ins and outs of the incident and its impact on Internet security.

1) Can you first describe how this incident began? Did your company, ISS, ask you to reverse engineer Cisco's IOS operating system?

Yes, ISS explicitly asked me to do this. On July 15, January 26, Cisco had just announced the discovery of a vulnerability, which is totally different from the one I demonstrated. They described the vulnerability as follows: "Sending a specially crafted IPv6 packet to the router will cause the router to restart." But their statement was vague, just saying, "Hi! An IPv6 problem will cause the router to restart." It did not indicate whether you could take control of the situation.

ISS wanted to know whether the company's products and users would be affected by this vulnerability, so it called Cisco to learn more details, but Cisco did not want to provide the information. I was asked: "Can you reverse engineer and analyze Cisco's IOS operating system to see what is going on with this vulnerability?"

2) So what is the difference between that vulnerability and the one you demonstrated at the Black Hat conference?

They are different. However, Cisco had discovered the vulnerability I demonstrated at the Black Hat conference two weeks before I did.

3) Then what happened?

After analyzing the vulnerability, I found that the other vulnerability was a serious threat. The next day, that is, July 22, January 27, ISS provided security advice to users based on my analysis.

After the analysis, I realized that the problem in the IOS operating system was more serious than Cisco had said. The company (ISS) called Cisco and said, "We are not sure whether we have found the vulnerability you announced. But the vulnerability we found is very important, because it is much more destructive. You said this vulnerability may cause a denial of service, but an attacker who successfully exploits it can take complete control of the affected system."

Cisco replied: "You guys are lying. It is impossible to execute shellcode on Cisco's IOS operating system." ISS senior management was annoyed and said to me, "Mike, your new research project is Cisco's IOS operating system. Find a way to exploit the IOS vulnerability so that we can prove them wrong."

4) You said that the reverse engineering was assisted by Cisco.

Yes. But cooperation took time. They were not very happy at first, and they were not really assisting with the reverse engineering. They only cooperated in locating and confirming the vulnerability.

5) And they didn't stop you from doing this either.

No. We communicated a lot. (Lynn spent the following month studying Cisco's IOS operating system.)

6) When you found a way to exploit this critical vulnerability and told Cisco, "This is the vulnerability we found...", what was their reaction?

They said, "We don't believe it." We said, "If you don't believe it, come to Atlanta and we'll demonstrate it to you." ISS had never done this before: they would not allow outsiders into their offices to be shown product vulnerabilities, let alone competitors. So Cisco sent a customer service manager, Mike Caudill, and a self-proclaimed IOS architect who had designed some of the IOS source code. After watching my demo, the latter was so shocked and surprised that his jaw dropped. He just said, "Wow, that's so cool." That day was July 22, June 14.

7) Cisco had seen your demo long before it decided to stop you from spreading it. When was that?

It may have been June 14, the day they arrived in Atlanta. But we had already told them about the vulnerability before that.

8) How nervous was Cisco about your demonstration at the Black Hat conference?

When they saw the demonstration notice on the Black Hat conference website (www.blackhat.com), they called us and said, "Hello... wait. You aren't serious, are you?" We just said, "Yes, of course it is serious." By the way, it was ISS that submitted the demonstration proposal to the Black Hat security conference. ISS said to me, "Hey, do you want to attend the Black Hat conference? We want you to go."

9) ISS understood the severity of the vulnerability.

Yes, they knew exactly. However, they didn't realize the severity of the problem at the beginning and wanted to distribute the vulnerability information within the company. The company asked me to "send the materials to all sales engineers and testers."

10) Why did ISS want you to do this?

It could be used against rival Cisco. Note that Cisco had not published the information yet. This information was of no use to testers: because the vulnerability had not been published, they could not give users any security advice about it.

I told them, "Do you really understand the consequences of this vulnerability?" One of them replied, "That's Cisco." The other turned to me and said, "Cisco is also suffering from this vulnerability; it is their Witty worm." I thought attending the Black Hat conference was not a good assignment.

(Last year, the Witty worm targeted a vulnerability in ISS's security software and attacked computer systems running it, in particular military bases running the software. At the time, 12,000 servers and computers were infected with the worm within an hour. Given how fast the worm spread and how familiar its author was with ISS's customers, some security experts speculated that the people who wrote and spread the worm were ISS insiders, or at least associated with ISS.)

So I refused to attend the Black Hat conference. They insisted that I go, and I offered to resign on the spot. This was about a month ago.

I think they are unethical. I still don't want people to know how to attack this vulnerability. (ISS was then forced to promise Lynn control over who would learn the details of the attack, and persuaded Lynn not to resign and to attend the Black Hat conference.)

So we started preparing for the demonstration at the Black Hat conference. After we contacted Cisco, Cisco also agreed.

11) They published information about the vulnerability before your demo, right?

Yes, and there were patches. The patch came out six months before the information was released.

12) So they knew the severity of the problem.

Even if they really didn't know, they should have known.

13) Cisco did not tell its users how serious the vulnerability was.

Right, they did not.

14) Cisco had seen your demo before deciding to block you from attending the Black Hat conference, right?

It may have been June 14, the day they came to Atlanta.

Two weeks ago, ISS told me that Cisco wanted to talk to me. I said I was willing to talk to Cisco as long as they didn't say, "He is lying." In fact, this was no big deal. ISS trusted me and asked me to attend the Black Hat conference, which was good, because I thought Cisco should take my demonstration seriously.

(However, things then changed dramatically. ISS ordered Lynn not to mention reverse engineering in the demo; otherwise the demo would be canceled. If he did not comply, he would be dismissed by the company.)

Then things took another 180-degree turn. About a week ago, on the evening the company's fiscal quarter ended, everyone was excitedly celebrating the company's record performance. The company's chief executive officer invited me for a beer and was very tough on me.

15) Did Cisco threaten ISS?

I asked bluntly, "Is Cisco threatening you?" They said no. Honestly, I don't think there were any legal threats. I think there is a tacit understanding between Cisco and ISS, more like "you respect me, and I'll still see you."

(Cisco asked Lynn to demonstrate the vulnerability one year later, after the release of a new version of the IOS operating system. When he refused to give up, Cisco threatened to sue Lynn and the Black Hat conference. Cisco then pulled Lynn's slides from the Black Hat conference book with the tacit consent of the Black Hat organizers.)

16) After your demonstration, you met with the FBI, and someone gave you a challenge coin (a special coin used by the military to commemorate a challenging mission). Is that true?

Yes, this was an interesting episode. I didn't know the meaning of the coin at the time, so I didn't really appreciate it. After my demonstration, he came up to me with a very conspicuous badge and said, "I want to talk to you. Now!"

17) Which department was he from?

Many agencies attended my demonstration. He claimed to be from the Air Force Special Investigations Office of the National Security Agency, but did not show me his credentials. They took me to the service area, and I was tightly surrounded by a group of people. One of them asked another, "Is the car ready?" I was shocked and cried out, "Oh, my God!" I thought they were going to take me away. They hurriedly said, "We're just kidding! Haha, we just want to thank you." I was so scared that I sat there motionless. They all came and shook hands with me.

They had also read my demo, because they had learned in advance that I was going to do something that could have serious consequences. Once they understood that I was actually providing them with useful information about potential threats, they praised me in every way they could. The US Computer Emergency Response Team (CERT) also asked me if I would like to spend a week or two in Washington helping them develop their national cyber security strategy.

18) The new version of the Cisco router operating system is still in beta testing.

It adopts a better architecture, but its security is worse. That is why I made the truth public rather than covering it up. I think this vulnerability can be fixed.

The problem now is that if you want to launch a conventional attack, you must first break into a machine before you can control that machine's network. If you can exploit the beta version of the IOS operating system, you can control everything.

Currently, no users have patched their Cisco routers, because we all have the idea that Cisco products will not go wrong. So unless a serious security incident occurs, people will not install patches. It's time to change that misconception. Cisco should not bury its head in the sand, fool its users and play for time; instead, it should face the problem before there is a serious incident.

19) Cisco said the vulnerability you discovered was not serious.

I cannot fully agree with that statement. Yes, computers have vulnerabilities, and routers are no exception; they will all be hacked. Errors occur in any complex system. That is their nature.

However, I firmly disagree with the view that attacks such as router worms are not a great threat. After hackers take control of a computer, it is hard for them to destroy the hardware, but routers are different.

Once a router is attacked, the network is paralyzed. How do you patch the router then? Mail a patch disc? That doesn't work: routers don't have optical drives.

Routers with security flaws are like time bombs on the Internet. Fortunately, we still have enough time to solve this problem. I hope people will be alert and act accordingly. At the same time, I think people are a little more awake now. The situation is not as bad as you think, because the new version, the one that cannot be controlled, has not yet been released.

Article entry: csh responsible editor: csh