Cisco’s Product Security Incident Response Team (PSIRT) recently confirmed that one of the vulnerabilities revealed by the “Shadow Brokers” group, as part of what is claimed to be an NSA hacking toolkit, is now being exploited against at least some of its customers:
“On August 15, 2016, Cisco was alerted to information posted online by the Shadow Brokers group, which claimed to possess disclosures from the Equation Group,” said Cisco in a recent security advisory. “The posted materials included exploits for firewall products from multiple vendors. Articles included information regarding the BENIGNCERTAIN exploit potentially being used to exploit legacy Cisco PIX firewalls. Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENIGNCERTAIN. Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms,” revealed the company.
Cisco did not reveal who those customers were. The vulnerability lies in Cisco’s handling of IKEv1 (Internet Key Exchange version 1), the protocol used to negotiate the cryptographic attributes (algorithm, mode, and shared keys) of an IPsec session, and it is present across a wide range of Cisco products. The affected platforms are those running Cisco IOS, IOS XE, and IOS XR software.
As Cisco said on its website, “Cisco IOS Software is the most widely leveraged network infrastructure software in the world.” That means it may now be an even more attractive target for malicious hackers due to its large deployment.
Its PIX firewall appliances running software version 6.x and earlier are also affected, but version 7.x is not. Cisco’s PIX devices have not been supported since 2009. The company also confirmed that Cisco ASA 5500 and ASA 5500-X Series Adaptive Security Appliances are not affected by the IKEv1 vulnerability.
The vulnerability allows an unauthenticated, remote attacker to retrieve the memory contents of an affected device, which could lead to the disclosure of confidential information. Cisco said there are no workarounds; until the company releases fixed software, IT administrators are advised to closely monitor the affected systems.
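With no workaround available, the first practical step is an inventory: which devices actually terminate IKEv1 and listen for it on the network. The script below is an added example, not code from the article or from Cisco. It works from two artifacts an administrator already has, a saved running-config and the text output of `show udp`, and flags IKEv1 (ISAKMP) configuration lines and listening IKE-related UDP sockets. The IOS command names, the config patterns, the UDP port set (500 for ISAKMP, 4500 for NAT-T, 848/4848 for GDOI) and the `show udp` column layout are assumptions from general IOS knowledge, not details taken from the article, and the sample device data is constructed.

```python
"""Inventory check for IKEv1 exposure on Cisco IOS-family devices.

Added example, not from the article or from Cisco.  Assumptions (not from
the article): the IOS config keywords below indicate IKEv1/ISAKMP use, IOS
opens UDP 500/4500 (ISAKMP, NAT-T) and 848/4848 (GDOI) when it is enabled,
and `show udp` prints listening sockets as `--listen--  <local-ip>  <port>`.
"""
import re

# Config lines that mean IKEv1 (ISAKMP) is configured on an IOS device
# (assumed keyword set; any `crypto isakmp ...` command counts).
IKEV1_CONFIG_PATTERNS = [
    re.compile(r"^crypto isakmp \S+"),           # isakmp policy / key / profile ...
    re.compile(r"^crypto map \S+ \d+ ipsec-isakmp"),  # crypto map using ISAKMP
    re.compile(r"^crypto gdoi group \S+"),       # GDOI (GET VPN) rides on IKEv1
]

# UDP ports IOS listens on when IKEv1/ISAKMP, NAT-T or GDOI is enabled (assumed).
IKE_UDP_PORTS = {500, 4500, 848, 4848}

# Matches a listening socket line from `show udp` and captures the local port.
LISTEN_LINE = re.compile(r"--listen--\s+\S+\s+(\d+)")


def ikev1_config_hits(running_config):
    """Return the (stripped) config lines that indicate IKEv1 is configured."""
    hits = []
    for raw in running_config.splitlines():
        line = raw.strip()
        if any(p.match(line) for p in IKEV1_CONFIG_PATTERNS):
            hits.append(line)
    return hits


def listening_ike_ports(show_udp_output):
    """Return the set of IKE-related UDP ports that appear as listening sockets."""
    ports = set()
    for line in show_udp_output.splitlines():
        m = LISTEN_LINE.search(line)
        if m and int(m.group(1)) in IKE_UDP_PORTS:
            ports.add(int(m.group(1)))
    return ports


def assess(hostname, running_config, show_udp_output):
    """Combine both signals; a device is 'exposed' if either one is present.

    Either signal alone is enough: a config hit shows IKEv1 is intended, an
    open socket shows the device will answer IKEv1 traffic right now.
    """
    hits = ikev1_config_hits(running_config)
    ports = listening_ike_ports(show_udp_output)
    return {
        "hostname": hostname,
        "ikev1_config": hits,
        "ike_ports_listening": sorted(ports),
        "exposed": bool(hits) or bool(ports),
    }


# Constructed sample data for a branch router with a classic IKEv1 crypto map.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key Secr3tKey address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address 101
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
"""

# Constructed `show udp` output (layout assumed): ISAKMP, NAT-T and SNMP listening.
SAMPLE_SHOW_UDP = """\
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          198.51.100.1     500   0   0  1001   0
 17       --listen--          198.51.100.1    4500   0   0  1001   0
 17       --listen--          198.51.100.1     161   0   0  1001   0
"""

if __name__ == "__main__":
    result = assess("branch-rtr-01", SAMPLE_CONFIG, SAMPLE_SHOW_UDP)
    print(f"{result['hostname']}: exposed={result['exposed']}")
    for line in result["ikev1_config"]:
        print("  config:", line)
    print("  listening IKE ports:", result["ike_ports_listening"])
```

Run it against exported configs and `show udp` captures from each device; any host reporting `exposed=True` is the one to watch closely, and to schedule for the fixed software once it is available. Devices that show only `crypto ikev2` constructs and no IKE-related listening sockets are not flagged.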
Cisco said it will release updates that fix the vulnerability, but only customers with valid licenses, procured directly from Cisco or from an authorized reseller, will be able to receive them. It is not clear whether PIX devices, which have been out of support since 2009, will receive any updates.