Cisco wouldn't be the first nor the last to do that, with all gear if
you have to buy support to get patches and other software or firmware
updates, but to be fair to Cisco TAC they are normally very helpful and
put you in contact with the right person to help you out.
-----Original Message-----
From: Jason Dodson [mailto:mindchild@yahoo.com]
Sent: Monday, March 29, 2004 2:36 PM
To: Geo.; full-disclosure@lists.netsys.com; bugtraq@securityfocus.com
Subject: Re: Addressing Cisco Security Issues
I have had a similar run-around with AT&T Broadband and Sprint a while
back, pertaining to a DoS attack my organization was experiencing. Not
to dive into details, to resolve the issue, I got them both on the line
in a 3-way conversation, and it was taken care of in less then 5
minutes.
They didn't seem to eager to shrug off the responsibility to someone
else, when that someone else was right there on the phone.
Jason Dodson
--- "Geo." <geoincident1@getinfo.org> wrote:
I have to post this because I consider this to be a security issue in
it's own right.
Recently there were a number of exploits released for cisco equipment,
among the affected equipment were the 677 and 678 consumer DSL routers
of which there are millions in use.
I have one such router, the DSL circuit is provided by Alltel and I
work for the ISP who provides the actual internet access.
So upon reading recent warning notice sent to the security email lists
about the exploits being publicly available I went and read
http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much
says any router running a version of CBOS prior to 2.4.5 (actually you
need 2.4.6 because of later exploits) is vulnerable.
So like a good netizen I contacted cisco TAC via telephone, gave them
my 678 serial number and they informed me that they could not provide
the security update because my router is registered to alltel (alltel
did provide the router when I ordered the DSL circuit), please call
Alltel to get it. Ok so then I called Alltel, who told me no problem
we can email you the update and asked for my email address. Except
since Alltel is not the ISP I don't have an alltel email address so
then they won't email it to me, please contact your ISP. I then
informed Alltel that I AM MY ISP to which they replied they still
could not provide the patch and that I would have to get it from
Cisco.
So then I call Cisco TAC again, this time I explain the full details
of all I've just been thru and the tech decides to ask someone. Comes
back and says if I register on the cisco website that he can open a
ticket and get someone to call me back on it. (I'm presently waiting
for that call)
In the mean time I decided to google for it and low and behold I found
2.4.6 on a website (url not posted to protect the life saving
individuals who put it on the web). Now of course I've no way to know
if this version I just found is safe or not but HELLO CISCO???
If you are going to issue security alerts that require ISP's and
consumers to patch their hardware devices then you had better damn
well make sure that folks can actually GET THE PATCHES. It would
require no effort at all to post a bogus version full of back doors
and whatnot on the web and after seeing the nightmare it is to obtain
the patch thru official channels it's clear to me that this would be a
very popular download.
Geo.
__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html
