
Re: [Full-Disclosure] RE: Addressing Cisco Security Issues

Subject: Re: [Full-Disclosure] RE: Addressing Cisco Security Issues
Date: Mon, 29 Mar 2004 18:10:50 -0800
Not to take sides in this but I ran into a similar thing with my ESP. I could have easily obtained the image but I talked with my ESP. Turns out they have some valid concerns about people downing an image the ESP has not provided. In this case the major concern was making sure the customer got the correct image (there are four different ones available for my 678 and only one of them works with my ISP). They were also concerned about the possibility of an image they haven't tested causing problems with their equipment/network.

I do not have the answer - just pointing out that doing the right thing isn't always simple.

I am not writing for Cisco - just describing my own experience.

michael
Burton M. Strauss III wrote:
Really, your gripe is with Alltel which refused to provide it to you.

Maybe a non-Alltel e-mail account is a red flag, but they certainly should
have been willing to provide it to the contact address they have on your
account.  Whether electronically or via snail mail - I'm SURE they have an
address for you so you can be billed, right???

In Cisco's defense, there are 1000s (10000s? 100000s?) of these units out
there and most of them have ISP specific configurations.  If you apply
generic firmware, you are going to wipe the settings - and Cisco has no way
of knowing how the unit was configured.

Still, it would be best practices for Cisco to provide the generic firmware,
with a document showing how to save and restore the settings.  However, they
may not be contractually able to do so...

-----Burton



I have to post this because I consider this to be a security issue in its
own right.

Recently there were a number of exploits released for Cisco equipment, among
the affected equipment were the 677 and 678 consumer DSL routers of which
there are millions in use.

I have one such router, the DSL circuit is provided by Alltel and I work for
the ISP who provides the actual internet access.

So upon reading recent warning notice sent to the security email lists about
the exploits being publicly available I went and read
http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much says
any router running a version of CBOS prior to 2.4.5 (actually you need 2.4.6
because of later exploits) is vulnerable.

So like a good netizen I contacted Cisco TAC via telephone, gave them my 678
serial number and they informed me that they could not provide the security
update because my router is registered to Alltel (Alltel did provide the
router when I ordered the DSL circuit), please call Alltel to get it. Ok so
then I called Alltel, who told me no problem we can email you the update and
asked for my email address. Except since Alltel is not the ISP I don't have
an Alltel email address so then they won't email it to me, please contact
your ISP. I then informed Alltel that I AM MY ISP to which they replied they
still could not provide the patch and that I would have to get it from
Cisco.

So then I call Cisco TAC again, this time I explain the full details of all
I've just been thru and the tech decides to ask someone. Comes back and says
if I register on the Cisco website that he can open a ticket and get someone
to call me back on it. (I'm presently waiting for that call)

In the meantime I decided to google for it and lo and behold I found 2.4.6
on a website (url not posted to protect the life saving individuals who put
it on the web). Now of course I've no way to know if this version I just
found is safe or not but HELLO CISCO???

If you are going to issue security alerts that require ISPs and consumers
to patch their hardware devices then you had better damn well make sure that
folks can actually GET THE PATCHES. It would require no effort at all to
post a bogus version full of back doors and whatnot on the web and after
seeing the nightmare it is to obtain the patch thru official channels it's
clear to me that this would be a very popular download.

Geo.





--
Michael Reilly    michaelr@cisco.com
Cisco Systems, Santa Cruz, CA

