Bugtraq mailing list archives

Re: Cisco 675 Denial of Service Attack


From: Shane Youhouse <Shane.Youhouse () GOODMANMFG COM>
Date: Fri, 1 Dec 2000 11:42:26 -0600

Hi all,

> Yes, we were given plenty of notice on this issue, and from the outside it
> may look like we've ignored the issue.  We had an advisory scheduled on
> this issue two weeks ago which was delayed due to availability of fixed
> code.

I find it hard to stomach a company that takes 11 months to issue an
advisory.  That is just bad business.  I have seen people talking about
this exploit for months on IRC, and have witnessed it happening to
customers' routers for a couple of months now.  It is in the wild.

> Cisco's PSIRT team does read Bugtraq carefully, and we've taken much of the
> criticisms and recent discussions to heart, and are constantly reviewing
> our policies & procedures for improvements.  We very much want to do the
> right thing for our customers and the community at large.  It can be
> difficult to maintain a proper perspective, and a gracious attitude to
> those in the community doing testing and reporting.  Some days it feels
> like "they're out to get us", which is entirely the wrong attitude, but it
> happens.

The real issue here is that you knew about it, and didn't do anything
for 11 months about it, and STILL haven't done anything to fix it, at
least that the customers can see / tell.

What about my people that I work for / with who are going down for
"unobvious" reasons?

Cisco handled this problem about as poorly as could be.

> CDI did notify us of this problem in January, I personally worked on the
> problem, but was unable to reproduce the problem.  It was not obvious upon
> code review what could have been happening.  As other things that were
> reproducible came up, my attention was focused elsewhere.  Another
> colleague picked up the issue and was able to reproduce the problem.  It
> came down to a difference in the telnet clients we used.  That took several
> months, unfortunately.


Did you ask CDI to help?

Did he refuse?

The timeframe is inexcusable.  11 months, and still no fix, for something
that is causing downtime for both personal and corporate internet connections.

Would we expect the same kind of timeframe on the Catalyst 6500 I am
contemplating purchasing?


> When we finally found that vulnerability, we also identified a couple of
> other security issues with the box.  We chose to fix all the issues at the
> same time, rather than forcing folks to upgrade for security issues on two
> separate advisories very close together.


I would, and my customers would, rather have to flash the ROM a couple times
in a couple months, rather than have Cisco just issue one update.

Might make it easier on Cisco, but it did not a thing to help my customers,
nor me.



> So we will have a full advisory on this issue, and a couple of other issues
> shortly.

I need to know, is it going to be Cisco's policy to keep disclosures private
so they can roll a bunch of bugfixes into a new IOS, or can we expect to get
the fixes quickly and as soon as possible?  To me, waiting months, just so we
don't have to flash the router / switch / etc. more than once is terrible.

If this is going to be policy, I will rethink my change from 3Com to Cisco.


> This issue did take a long time to disclose, and due to this problem we are
> reviewing our policies to determine what we should do differently in the
> future.
>
> CDI was far more than patient with us, and our team appreciates CDI working
> with us.  It is a fine balance of ensuring that we notify our customers as
> expeditiously as possible, while delivering quality fixes.


CDI should have gone public with this about 10 1/2 months ago.

Yes, more script kiddies would have known about it, but I also would have
been complaining to the ISPs who were forcing the Cisco product on us to either
get a new product, or would have gone with a different ISP / Router.


> Thanks much,
>
> Lisa Napier
> Product Security Incident Response Team
> Cisco Systems


Sorry for the tone of this email, but I find what Cisco did totally
inexcusable.

./end rant


Shane Youhouse
Sr. WAN Engineer
Goodman MFG

