Bug hunter unveils Cisco zero-days at ShmooCon

(Flickr user Ashwin Kumar// CC-BY-2.0)


Written by

Looks can be deceiving when a security researcher first studies a piece of code.

What might seem mundane or straightforward on the surface — an insecure log-in page, for example — can lead to unexpected results when a security practitioner digs deeper. Without humans scanning for vulnerabilities, bugs are left to fester, and can be exploited to cause real issues if they fall into the wrong hands.

That lesson lingers in Ken Pyle’s mind.

During a security test for a client last year, Pyle, a partner at the security company DFDR Consulting, examined a networking switch made by Cisco. The equipment is popular with small businesses, including the managed service providers that handle remote connections, because it allows organizations to administer multiple devices across a network.

What started as a simple web application vulnerability, upon closer inspection, turned out to be two previously-unreported flaws affecting hundreds of thousands of devices, according to Pyle, from routers and printers to cable modems. One bug is a denial-of-service vulnerability that a hacker could use to take the switches, and the networks that rely on them, offline. Another flaw could reveal sensitive information about a switch’s configuration.

Cisco issued patches for the issues on Jan. 29, and the Department of Homeland Security has urged enterprises to apply those fixes.

“Someone else should’ve found this before I did,” Pyle told CyberScoop after presenting his research at ShmooCon, one of the few Washington, D.C., area conferences where attendees with neon-colored hair outnumber those wearing suits.

His presentation on the multiple vulnerabilities he found in Cisco devices served as a call to action for companies to use human researchers, rather than automated scanners, to search for possible security issues. In Pyle’s telling, human curiosity leads to the kind of creative threat hunting for which machines aren’t designed.

“None of this ever shows up on a vulnerability scanner,” Pyle told ShmooCon attendees. “This is stuff you’ve got to find by hand and start poking at.”

As his research progressed, Pyle realized that the Cisco switches were running on a web server called GoAhead, which is used by multiple companies. Some of the same issues Pyle found in the Cisco equipment were also present in Dell and Netgear switches.

A Dell spokesperson told CyberScoop the company is investigating the issues raised in Pyle’s presentation.

“[Y]ou can take over the arteries and veins of networks pretty easily” using the vulnerabilities, Pyle mused.

The level of exposure that organizations have to the attacks outlined by Pyle is entirely up to them.

“The ability to patch these things in real time is really slow because nobody wants to shut their network down,” Pyle said.

-In this Story-

Cisco, ShmooCon, vulnerability disclosure, zero-days