Cisco Patches Amidst Uproar
The company has fixed the software, but its efforts to suppress discussion of the vulnerability before the patch was released have raised eyebrows.
Cisco and Internet Security Systems (ISS) on Thursday filed for, and received, a permanent injunction against Michael Lynn, a former ISS researcher, and Black Hat, the company hosting the popular Black Hat Conference.
The company Friday published the "IPv6 Crafted Packet Vulnerability" fix on its Web site and said it has a limited impact on its product line.
The vulnerability affects a small subset of Cisco devices, those using the company's IOS with IPv6 support enabled.
IOS devices with IPv6 disabled are not affected by the vulnerability, the Cisco security advisory states. Network administrators can check whether IPv6 is enabled on their systems with the "show ipv6 interface" command: blank output means IPv6 is disabled or unsupported on the system.
On devices running IPv6, however, the vulnerability can be used for a denial-of-service attack that forces the system to reload its network neighbor discovery process.
A specially crafted IPv6 packet could also open the door to remote code execution by malware writers.
Administrators who install the patch are safe from the attack.
The real news behind the vulnerability was Cisco's reaction to Lynn's speech at the Black Hat conference, where he detailed the vulnerability to conference attendees.
The company's decision to prohibit the former ISS researcher from talking about the subject came across as heavy-handed to many in the Internet community.
Techdirt.com was one of several Web blogs that noted that Cisco's strategy to keep its security vulnerabilities under wraps backfired. The extreme measures taken to silence Lynn, the blog entry stated, just convinced everyone that Cisco was really worried about the problem.
Mike Masnick, Techdirt president, said that if a researcher believes there is enough public information about the vulnerability, it makes absolute sense to go public with the information.
"Not doing so puts people at a higher risk, since they don't realize the system they're using is both insecure and actively being attacked," he said in an e-mail.