Cisco has patched a flaw in the software used to run its routers and switches, a new twist in the company's dispute with a security researcher that has roiled the security community.
The networking giant on Wednesday released an update to fix a serious heap-overflow vulnerability in its Internetwork Operating System (IOS). This type of security flaw is commonly found in software and often allows a remote attacker to gain control of the affected system. In this case, that would mean control over a Cisco router or switch, which make up the infrastructure of many computer networks, including the Internet.
The newly disclosed flaw in IOS was part of a controversial presentation at the Black Hat security confab in July, but Cisco has been able to keep it under wraps until now.
At Black Hat, security researcher Michael Lynn demonstrated how he could gain control over a router by exploiting security flaws. A widespread attack could seriously disrupt or shut down parts of the Internet or a corporate network, he said. IOS had been perceived as impervious to such attacks and Cisco fought Lynn's disclosure by going to court.
"Through the IPv6 vulnerability disclosed in July, he was able to achieve a heap-overflow attack on system timers," said John Noh, a Cisco spokesman. That flaw, which Cisco provided a fix for in April, was Lynn's way to trigger the heap overflow and commandeer the router, Noh said.
Cisco in July published details on the IPv6 vulnerability that Lynn exploited in his demonstration, but did not disclose the second, more serious, flaw involved in the attack demonstration until Wednesday. The heap overflow is the actual vulnerability that could let an attacker take over a Cisco router or switch.
The scope of the second flaw explains why Cisco went through great lengths to keep it under wraps, said Johannes Ullrich, chief research officer at the SANS Institute. "These serious flaws show why it was so important for Cisco to hold back on the release at Black Hat," he said. "Early, widespread knowledge of this flaw would have been bad."
Users should update as soon as possible, Ullrich said. This can be a tough task, especially at ISPs and organisations that run customised configurations. "Too many times in the past, network operators got burned by bad patches and routers not rebooting correctly. It will take a while to have all this worked out," he said.
In addition to fixing the heap-overflow vulnerability, Cisco in the IOS update raises the security shields of the software. The new version adds more integrity checks designed to foil any future attacks, the company said in a security advisory.
"By taking the safeguards and by strengthening IOS, we're reducing the likeliness of similar attacks using other vulnerabilities that may or may not exist," Noh said. Cisco so far has only substantiated the IPv6 flaw as the only successful attack vector for this heap-overflow vulnerability.
One security researcher applauded Cisco for increasing IOS security. "Cisco deserves credit for not just patching the initial hole, but also strengthening the checks process against other as yet unknown attacks," said Dan Kaminsky of Doxpara Research.
In the wake of Black Hat and Cisco's actions against Lynn, the security community, including Kaminsky, has been critical of Cisco. "But this work appears to make customers safer, and that's something we can all agree is a good thing," Kaminsky said.
Cisco said it is not aware of any attacks that take advantage of the newly disclosed IOS vulnerability. Updates for the many editions of IOS are available from the company's Web site to fix the problem.
Security research outfit FrSIRT rates the newly disclosed heap overflow flaw "critical", it said in an alert.
