Some Cisco Customers Are Being Hacked With NSA's Exploit Tools

Cisco’s Product Security Incident Response Team recently uncovered that the vulnerabilities revealed by the “Shadow Brokers” group as part of NSA’s set of hacking tools, were now being used against at least some of its customers:

“On August 15, 2016, Cisco was alerted to information posted online by the Shadow Brokers group, which claimed to possess disclosures from the Equation Group,” said Cisco in a recent security advisory.“The posted materials included exploits for firewall products from multiple vendors. Articles included information regarding the BENIGNCERTAIN exploit potentially being used to exploit legacy Cisco PIX firewalls.Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENINGCERTAIN.Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms,” revealed the company.

Cisco did not reveal who exactly those customers were. However, the vulnerability in the IKEv1 protocol, used to negotiate cryptographic attributes (algorithm, mode, and shared keys) for communication sessions, exists in a wide variety of Cisco products. The devices most affected are those using Cisco’s IOS, IOS XE, and IOS XR software.

As Cisco said on its website, “Cisco IOS Software is the most widely leveraged network infrastructure software in the world.” That means it may now be an even more attractive target for malicious hackers due to its large deployment.

Its PIX firewall appliances version 6.x and below are also affected by the vulnerability, but version 7.x isn’t. Cisco’s PIX devices haven’t been supported since 2009. The company also confirmed that Cisco ASA 5500 and Cisco ASA 5500-X Series Adaptive Security Appliance devices are not affected by the IKEv1 vulnerability.

IKEv1 allows an unauthenticated attacker to steal the memory contents of devices, which could lead to disclosure of confidential information. Cisco said that there are no workarounds for this vulnerability until the company releases patches for its software. Until then, IT administrators are advised to closely monitor the affected systems.

Cisco said it will release updates that fix the vulnerability, but only those with valid licenses, procured directly from Cisco or from an authorized re-seller, will be able to receive them. It’s not clear whether PIX devices, which haven’t been supported since 2009, will receive any updates.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • olsenn
    So Shadow Broker (go Mass Effect!) managed to sell their stolen toolkit, which they listed at a price of 580 million dollars worth of Bitcoins??? If so, I seriously doubt the customer would use this weapon on some random JC-Penny Cisco switches just for fun... whichever computer network these exploits were used on were probably high profile! Or a proof-of-concept test by the sellers to prove they do in fact have the goods
    Reply
  • targetdrone
    And this boys and girls is why you do not allow backdoors in your security or encryption, because it allows the bad guys easy access and depending on the nature of the backdoor, nearly impossible to seal without a complete infrastructure update.
    Reply
  • hannibal
    Hopefully politicks reads this and start demanding the remove of those backdoors instead of adding them... most propably futail hope...
    Reply
  • eriko
    Its funny how they get away with not releasing s/w updates for those without SmartNET contracts...

    Imagine Microsoft etc doing that?

    But if the hole is big enough, I think they HAVE to...

    Quote:

    As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free of charge software updates to address security problems. If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the Contact Summary section of this document.
    Reply
  • f-14
    it's not a 'hack' it's the commerce clause in the u.s. constitution: Section. 8.

    The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States; but all Duties, Imposts and Excises shall be uniform throughout the United States;

    To borrow Money on the credit of the United States;

    To regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes;
    Reply