Cisco 'Cover Up' Ignites Black Hat Controversy


July 27, 2005

Network Computing

A deal between Cisco and Internet Security Systems to pull a talk about Cisco vulnerabilities at the Black Hat conference in Las Vegas Wednesday has attendees crying cover up and led to the resignation of a prominent researcher.

Security experts view Black Hat as the premier event to discuss and explore Internet vulnerabilities. At this year’s event, Michael Lynn, a member of ISS’ X-Force R&D team, gave a talk Wednesday on vulnerabilities in Cisco’s IOS, but he did so only after resigning from ISS, according to a company spokesperson.

In the conference agenda, Lynn’s presentation was billed as an exploration of the feasibility of code execution against Cisco routers. Cisco’s IOS, the operating system that runs the San Jose, Calif.-based networking giant’s routers, has been perceived as impervious to remote execution of arbitrary code from stack and heap overflows, the agenda said.

Buzz about the controversy began when attendees arrived at the conference to find Lynn’s 30-page presentation ripped out of the conference materials. Despite the removal of those materials, Lynn delivered the talk unchanged, an ISS spokesperson said.

Cisco Systems and ISS came to an agreement to cancel the talk and remove the presentation from the conference materials, the companies said. A Cisco spokesperson added that there was no "cover up" of new vulnerabilities. Cisco and ISS plan to research the vulnerabilities further and disclose them in the proper forum at a later date, the spokesperson said.

“Cisco respects and encourages the work of independent research scientists; however, we follow an industry established disclosure process for communicating to our customers and partners,” the company said in a statement released Wednesday. “It is especially regretful, and indefensible, that the Black Hat Conference organizers have given Mr. Lynn a platform to publicly disseminate the information he illegally obtained.”

Cisco’s statement added that Lynn’s presentation was not a disclosure of a new vulnerability or a flaw with Cisco IOS software, but an exploration of “ways to expand exploitations of existing security vulnerabilities impacting routers.”

Lynn was unavailable for comment.
