North American Network Operators Group

RE: Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)

  • From: Roland Dobbins
  • Date: Fri Apr 28 20:38:13 2000

There was no implication of 'dirty little secrets' intended; on the
contrary, Cisco have been great to deal with on issues of this type, and
very prompt to disseminate security-related information.

I have no problem with Cisco, quite the opposite.  What I have a problem
with is people who point the finger and shout "J'accuse!" from the
sidelines.

You folks at Cisco are extremely forthcoming, and your efforts in this
sphere are much appreciated.

-----------------------------------------------------------
Roland Dobbins <[email protected]> // 818.535.5024 voice
 

-----Original Message-----
From: Paul Ferguson [mailto:[email protected]]
Sent: Friday, April 28, 2000 4:44 PM
To: Roland Dobbins
Cc: [email protected]
Subject: Re: Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)


Well, yes, we have been trying to do "due diligence"
to ensure that we publicly notify our customers, and
the public at-large, of any known security problems
with our products.

These are not dirty little secrets -- we believe that
our customers deserve to know, as soon as possible, when
we have found vulnerabilities in our products.

As stated in most of the advisories, we post these
security advisories to:

   [email protected]
   [email protected]
   [email protected] (includes CERT/CC)
   [email protected]
   comp.dcom.sys.cisco
   Various internal Cisco mailing lists

Secondly, and to the best of my knowledge, I know
of no instance where the Catalyst enable password
vulnerability has been used by an attacker to exploit
a customer's network.

For further information, see:

  http://www.cisco.com/warp/public/707/advisory.html

and

  http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Cheers,

- paul

At 02:16 PM 04/28/2000 -0700, Roland Dobbins wrote:

>First of all, there -is- a bug in the Catalyst Supervisor software revision
>5.4.1 which basically disables the functionality of the enable password.  If
>someone has the login password to the router, they can use the same password
>to get to enable mode.  Yes, someone has to either a) get his password
>sniffed internally or b) re-use the password on some external network which
>allows it to get sniffed or c) use a weak and/or easily-guessable password
>for this exploit to be used.  But your blanket statement about the enable
>password on Cisco switches is incorrect.  And while shared segments are
>generally a Bad Thing, there are certain instances in which they make sense.
>
>See http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml for
>more details.
>
>Secondly, there's also a bug in the Cisco telnet daemon for IOS 11.3AA,
>12.0(2)-12.0(6) and 12.0(7), excluding 12.0(7)S, 12.0(7)T, and 12.0(7)XE,
>which allows very easy DoS attacks against routers and switches running
>those revs.  The bug ID is CSCdm70743, and more information can be found at
>http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml .
>
>Thirdly, 12-series IOSes can make use of ssh, but there are a lot of other
>issues with the 12.x revs (see the above paragraph for an example) which
>have prevented their wide-scale adoption.  Kerberos is certainly an option,
>and a good one, but Monday-morning quarterbacking is really easy, especially
>when one doesn't have direct knowledge of all the various factors involved,
>nor any responsibility for maintaining the network in question.