Full Disclosure mailing list archives
RE: Addressing Cisco Security Issues
From: "Burton M. Strauss III" <security () SmallNetSolutions com>
Date: Mon, 29 Mar 2004 18:29:46 -0600
Really, your gripe is with Alltel which refused to provide it to you. Maybe a non-Alltel e-mail account is a red flag, but they certainly should have been willing to provide it to the contact address they have on your account. Whether electronically or via snail mail - I'm SURE they have an address for you so you can be billed, right??? In Cisco's defense, there are 1000s (10000s? 100000s?) of these units out there and most of them have ISP specific configurations. If you apply generic firmware, you are going to wipe the settings - and Cisco has no way of knowing how the unit was configured. Still, it would be best practices for Cisco to provide the generic firmware, with a document showing how to save and restore the settings. However, they may not be contractually able to do so... -----Burton
I have to post this because I consider this to be a security issue in it's own right. Recently there were a number of exploits released for cisco equipment, among the affected equipment were the 677 and 678 consumer DSL routers of which there are millions in use. I have one such router, the DSL circuit is provided by Alltel and I work
for
the ISP who provides the actual internet access. So upon reading recent warning notice sent to the security email lists
about
the exploits being publicly available I went and read http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says any router running a version of CBOS prior to 2.4.5 (actually you need
2.4.6
because of later exploits) is vulnerable. So like a good netizen I contacted cisco TAC via telephone, gave them my
678
serial number and they informed me that they could not provide the
security
update because my router is registered to alltel (alltel did provide the router when I ordered the DSL circuit), please call Alltel to get it. Ok so then I called Alltel, who told me no problem we can email you the update
and
asked for my email address. Except since Alltel is not the ISP I don't
have
an alltel email address so then they won't email it to me, please contact your ISP. I then informed Alltel that I AM MY ISP to which they replied
they
still could not provide the patch and that I would have to get it from Cisco. So then I call Cisco TAC again, this time I explain the full details of
all
I've just been thru and the tech decides to ask someone. Comes back and
says
if I register on the cisco website that he can open a ticket and get
someone
to call me back on it. (I'm presently waiting for that call) In the mean time I decided to google for it and low and behold I found
2.4.6
on a website (url not posted to protect the life saving individuals who
put
it on the web). Now of course I've no way to know if this version I just found is safe or not but HELLO CISCO??? If you are going to issue security alerts that require ISP's and consumers to patch their hardware devices then you had better damn well make sure
that
folks can actually GET THE PATCHES. It would require no effort at all to post a bogus version full of back doors and whatnot on the web and after seeing the nightmare it is to obtain the patch thru official channels it's clear to me that this would be a very popular download. Geo.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- new internet explorer exploit (was new worm) Jelmer (Mar 29)
- Addressing Cisco Security Issues Geo. (Mar 29)
- Re: Addressing Cisco Security Issues Jason Dodson (Mar 29)
- Re: Addressing Cisco Security Issues Micheal Patterson (Mar 29)
- Re: Re: Addressing Cisco Security Issues Exibar (Mar 29)
- RE: Addressing Cisco Security Issues Burton M. Strauss III (Mar 29)
- Re: RE: Addressing Cisco Security Issues Michael Reilly (Mar 29)
- Re: Addressing Cisco Security Issues Geoincidents (Mar 29)
- Re: Addressing Cisco Security Issues Jason Dodson (Mar 29)
- Re: Addressing Cisco Security Issues Clayton Kossmeyer (Mar 29)
- Re: Re: Addressing Cisco Security Issues Luke Norman (Mar 29)
- Re: Addressing Cisco Security Issues Geoincidents (Mar 29)
- RE: Addressing Cisco Security Issues Lou Zirko (Mar 29)
- Re: Addressing Cisco Security Issues neal rauhauser (Mar 29)
- Addressing Cisco Security Issues Geo. (Mar 29)
- AW: new internet explorer exploit (was new worm) Ron Stiemer (Mar 29)
- Message not available
- Re: new internet explorer exploit (was new worm) Nick FitzGerald (Mar 30)
- <Possible follow-ups>
- RE: new internet explorer exploit (was new worm) Drew Copley (Mar 29)