Re: Re: Addressing Cisco Security Issues

["Exibar" <exibar () thelair com>]

That is always a great thing to do.  If one company says it's another's
fault, you kindly ask them to hold on a second, get the other company on the
line and let them hash it out.

   I can say that it works every time :-)

  ex


----- Original Message ----- 
From: "Jason Dodson" <mindchild () yahoo com>
To: "Geo." <geoincident1 () getinfo org>; <full-disclosure () lists netsys com>;
<bugtraq () securityfocus com>
Sent: Monday, March 29, 2004 2:35 PM
Subject: [Full-disclosure] Re: Addressing Cisco Security Issues


> I have had a similar run-around with AT&T Broadband and Sprint a while
back, pertaining to a DoS
> attack my organization was experiencing. Not to dive into details, to
resolve the issue, I got
> them both on the line in a 3-way conversation, and it was taken care of in
less then 5 minutes.
> They didn't seem to eager to shrug off the responsibility to someone else,
when that someone else
> was right there on the phone.
>
> Jason Dodson
>
> --- "Geo." <geoincident1 () getinfo org> wrote:
> > I have to post this because I consider this to be a security issue in
it's
> > own right.
> >
> > Recently there were a number of exploits released for cisco equipment,
among
> > the affected equipment were the 677 and 678 consumer DSL routers of
which
> > there are millions in use.
> >
> > I have one such router, the DSL circuit is provided by Alltel and I work
for
> > the ISP who provides the actual internet access.
> >
> > So upon reading recent warning notice sent to the security email lists
about
> > the exploits being publicly available I went and read
> > http://www.cisco.com/warp/public/707/CBOS-DoS.shtml which pretty much
says
> > any router running a version of CBOS prior to 2.4.5 (actually you need
2.4.6
> > because of later exploits) is vulnerable.
> >
> > So like a good netizen I contacted cisco TAC via telephone, gave them my
678
> > serial number and they informed me that they could not provide the
security
> > update because my router is registered to alltel (alltel did provide the
> > router when I ordered the DSL circuit), please call Alltel to get it. Ok
so
> > then I called Alltel, who told me no problem we can email you the update
and
> > asked for my email address. Except since Alltel is not the ISP I don't
have
> > an alltel email address so then they won't email it to me, please
contact
> > your ISP. I then informed Alltel that I AM MY ISP to which they replied
they
> > still could not provide the patch and that I would have to get it from
> > Cisco.
> >
> > So then I call Cisco TAC again, this time I explain the full details of
all
> > I've just been thru and the tech decides to ask someone. Comes back and
says
> > if I register on the cisco website that he can open a ticket and get
someone
> > to call me back on it. (I'm presently waiting for that call)
> >
> > In the mean time I decided to google for it and low and behold I found
2.4.6
> > on a website (url not posted to protect the life saving individuals who
put
> > it on the web). Now of course I've no way to know if this version I just
> > found is safe or not but HELLO CISCO???
> >
> > If you are going to issue security alerts that require ISP's and
consumers
> > to patch their hardware devices then you had better damn well make sure
that
> > folks can actually GET THE PATCHES. It would require no effort at all to
> > post a bogus version full of back doors and whatnot on the web and after
> > seeing the nightmare it is to obtain the patch thru official channels
it's
> > clear to me that this would be a very popular download.
> >
> > Geo.
>
>
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html