"We can be conquered by bombs or subversion; but we can also be conquered by neglect - by ignoring the Constitution and disregarding the principles of limited government." - Barry Goldwater
A vulnerability was identified in Cisco Internetwork Operating System (IOS), which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a heap overflow error when processing specially crafted packets; an unauthenticated attacker could exploit it to execute arbitrary code and compromise a vulnerable device.
Note: The vendor has stated that the research presented by Michael Lynn was not a disclosure of a new vulnerability or a flaw with Cisco IOS software, but an exploration of ways to expand exploitations of existing security vulnerabilities impacting routers.
LAS VEGAS--Brushing off threats of legal action and a broad effort to delete his presentation from conference materials, a security expert told Black Hat attendees on Wednesday that attackers can broadly compromise Cisco routers.
In Response To Mike Lynn's Presentation at Black Hat
Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners. It is important to note that the information presented at the Black Hat Conference today was not a disclosure of a new vulnerability or a flaw with Cisco IOS software. The research presented explores possible ways to expand exploitations of known security vulnerabilities impacting routers. As per Cisco's best practices guidelines, we recommend customers upgrade their software to the latest available versions. Customers should contact their account managers and sales engineers with questions and requests for more information. For press inquiries, contact Mojgan Khalili (business press) 408-489-4015 or John Noh (industry trade press) 408-242-3852. For industry analyst inquiries, contact Lisa Caywood 408-857-3642.
According to several conference organizers, Lynn had tentatively agreed not to give his talk under pressure from ISS and Cisco officials. On the way to Lynn's talk, a conference attendee showed me a video he recorded of Black Hat organizers tearing out the pages of Lynn's presentation from the conference materials in the hours before the books were handed out to attendees.
A presentation called “The Holy Grail: Cisco IOS Shellcode Remote Execution” was slated to run at the Black Hat conference in Las Vegas this week. But Internet Information Systems and Cisco, the companies presenting the segment, decided to pull the presentation after discussions between the two firms.