Bugtraq mailing list archives
Re: Cisco 675 Denial of Service Attack
From: Shane Youhouse <Shane.Youhouse () GOODMANMFG COM>
Date: Fri, 1 Dec 2000 11:42:26 -0600
Hi all,
> Yes, we were given plenty of notice on this issue, and from the outside it may look like we've ignored the issue. We had an advisory scheduled on this issue two weeks ago which was delayed due to availability of fixed code.

I find it hard to stomach a company that takes 11 months to issue an advisory. That is just bad business. I have seen people talking about this exploit for months on IRC, and have witnessed it happening to customers' routers for a couple of months now. It is in the wild.

> Cisco's PSIRT team does read Bugtraq carefully, and we've taken much of the criticisms and recent discussions to heart, and are constantly reviewing our policies & procedures for improvements. We very much want to do the right thing for our customers and the community at large. It can be difficult to maintain a proper perspective, and a gracious attitude to those in the community doing testing and reporting. Some days it feels like "they're out to get us", which is entirely the wrong attitude, but it happens.

The real issue here is that you knew about it, and didn't do anything for 11 months about it, and STILL haven't done anything to fix it, at least that the customers can see / tell. What about my people that I work for / with who are going down for "unobvious" reasons? Cisco handled this problem about as poorly as could be.

> CDI did notify us of this problem in January. I personally worked on the problem, but was unable to reproduce the problem. It was not obvious upon code review what could have been happening. As other things that were reproducible came up, my attention was focused elsewhere. Another colleague picked up the issue and was able to reproduce the problem. It came down to a difference in the telnet clients we used. That took several months, unfortunately.

Did you ask CDI to help? Did he refuse? The timeframe is inexcusable. 11 months, and still no fix, for something that is causing downtime for both personal and corporate internet connections. Would we expect the same kind of timeframe on the Catalyst 6500 I am contemplating purchasing?

> When we finally found that vulnerability, we also identified a couple of other security issues with the box. We chose to fix all the issues at the same time, rather than forcing folks to upgrade for security issues on two separate advisories very close together.

I would, and my customers would, rather have to flash the ROM a couple of times in a couple of months than have Cisco just issue one update. It might make it easier on Cisco, but it did not do a thing to help my customers, nor me.

> So we will have a full advisory on this issue, and a couple of other issues shortly.

I need to know: is it going to be Cisco's policy to keep disclosures private so they can roll a bunch of bug fixes into a new IOS, or can we expect to get the fixes quickly and as soon as possible? To me, waiting months just so we don't have to flash the router / switch / etc. more than once is terrible. If this is going to be policy, I will rethink my change from 3Com to Cisco.

> This issue did take a long time to disclose, and due to this problem we are reviewing our policies to determine what we should do differently in the future.
>
> CDI was far more than patient with us, and our team appreciates CDI working with us. It is a fine balance of ensuring that we notify our customers as expeditiously as possible, while delivering quality fixes.

CDI should have gone public with this about 10 1/2 months ago. Yes, more script kiddies would have known about it, but I also would have been complaining to the ISPs who were forcing the Cisco product on us to either get a new product, or would have gone with a different ISP / router.

> Thanks much,
>
> Lisa Napier
> Product Security Incident Response Team
> Cisco Systems

Sorry for the tone of this email, but I find what Cisco did totally inexcusable.

./end rant

Shane Youhouse
Sr. WAN Engineer
Goodman MFG
Current thread:
- Re: Cisco 675 Denial of Service Attack Nate Haugo (Dec 01)
- <Possible follow-ups>
- Re: Cisco 675 Denial of Service Attack Nicholas Ianelli (Dec 01)
- Re: Cisco 675 Denial of Service Attack Lisa Napier (Dec 02)
- Re: Cisco 675 Denial of Service Attack poke (Dec 02)
- Re: Cisco 675 Denial of Service Attack Erik Parker (Dec 02)
- Re: Cisco 675 Denial of Service Attack Kee Hinckley (Dec 05)
- Re: Cisco 675 Denial of Service Attack CDI (Dec 02)
- Re: Cisco 675 Denial of Service Attack Erik Parker (Dec 02)
- Re: Cisco 675 Denial of Service Attack poke (Dec 02)
- Re: Cisco 675 Denial of Service Attack Shane Youhouse (Dec 02)
- Re: Cisco 675 Denial of Service Attack CDI (Dec 05)
- Re: Cisco 675 Denial of Service Attack J Edgar Hoover (Dec 05)
- Message not available
- Re: Cisco 675 Denial of Service Attack Damir Rajnovic (Dec 06)
- Re: Cisco 675 Denial of Service Attack J Edgar Hoover (Dec 07)
- Message not available
- Re: Cisco 675 Denial of Service Attack Damir Rajnovic (Dec 07)