North American Network Operators Group


Re: Cisco IOS Exploit Cover Up

  • From: Stephen Sprunk
  • Date: Thu Jul 28 15:57:11 2005

Thus spake "James Baldwin" <[email protected]>
> Moreover, the fix for this was already released and you have not been able to download a vulnerable version of the software for months; however, there was no indication from Cisco regarding the severity of the required upgrade. That is to say, they knew in April that arbitrary code execution was possible on routers, they had it fixed by May, and we're hearing about it now, and if Cisco had its way we might still not be hearing about it.
Cisco's policy, as best I can tell, is that they patch security holes immediately but delay notification until either (a) six months pass, or (b) an exploit is seen in the wild. The former is intended to give customers ample time to upgrade to patched versions (often without their knowledge) without tipping their hand to the "bad guys". However, a CERT advisory is prepared and ready for immediate distribution if the latter occurs.

> How many network engineers knew there was a potential problem of
> this magnitude at the beginning of May? If, knock on wood, someone
> had released this code into the wild, then how many networks would
> have been vulnerable despite the availability of a fix?
There are network engineers that knew, but they couldn't admit it due to NDAs. This is one of the benefits of buying "high touch" support contracts -- and Cisco is not alone in that model.

S

Stephen Sprunk, CCIE #3723, K5SSS
"Those people who think they know everything are a great annoyance to those of us who do." --Isaac Asimov