Addressing Cisco Security Issues

From: Geo. (
Date: 03/29/04

  • Next message: roozbeh afrasiabi: "IE ms-its: and mk:@MSITStore: vulnerability"
    To: <>, <>
    Date: Mon, 29 Mar 2004 13:02:25 -0500

    I have to post this because I consider this to be a security issue in it's
    own right.

    Recently there were a number of exploits released for cisco equipment, among
    the affected equipment were the 677 and 678 consumer DSL routers of which
    there are millions in use.

    I have one such router, the DSL circuit is provided by Alltel and I work for
    the ISP who provides the actual internet access.

    So upon reading recent warning notice sent to the security email lists about
    the exploits being publicly available I went and read which pretty much says
    any router running a version of CBOS prior to 2.4.5 (actually you need 2.4.6
    because of later exploits) is vulnerable.

    So like a good netizen I contacted cisco TAC via telephone, gave them my 678
    serial number and they informed me that they could not provide the security
    update because my router is registered to alltel (alltel did provide the
    router when I ordered the DSL circuit), please call Alltel to get it. Ok so
    then I called Alltel, who told me no problem we can email you the update and
    asked for my email address. Except since Alltel is not the ISP I don't have
    an alltel email address so then they won't email it to me, please contact
    your ISP. I then informed Alltel that I AM MY ISP to which they replied they
    still could not provide the patch and that I would have to get it from

    So then I call Cisco TAC again, this time I explain the full details of all
    I've just been thru and the tech decides to ask someone. Comes back and says
    if I register on the cisco website that he can open a ticket and get someone
    to call me back on it. (I'm presently waiting for that call)

    In the mean time I decided to google for it and low and behold I found 2.4.6
    on a website (url not posted to protect the life saving individuals who put
    it on the web). Now of course I've no way to know if this version I just
    found is safe or not but HELLO CISCO???

    If you are going to issue security alerts that require ISP's and consumers
    to patch their hardware devices then you had better damn well make sure that
    folks can actually GET THE PATCHES. It would require no effort at all to
    post a bogus version full of back doors and whatnot on the web and after
    seeing the nightmare it is to obtain the patch thru official channels it's
    clear to me that this would be a very popular download.


  • Next message: roozbeh afrasiabi: "IE ms-its: and mk:@MSITStore: vulnerability"