Cisco has quickly provided a workaround for one of the two vulnerabilities disclosed in the ShadowBrokers’ data dump and, to raise awareness among its customers, issued an advisory on the other, which was patched in 2011.
The networking giant today released advisories saying that it had acknowledged both flaws in its Adaptive Security Appliance (ASA), the newest of which was rated high severity; both of the vulnerabilities enable remote code execution.
The ShadowBrokers are an unknown group of hackers that emerged over the weekend with claims it had hacked the Equation Group, a top-of-the-line APT believed to be the NSA. The group started an online auction of the Equation Group exploits it allegedly had in its possession.
Late yesterday afternoon, researchers at Kaspersky Lab confirmed a connection between the available tools up for auction and previous exploits and malware frameworks belonging to the Equation Group.
Most of the exploits in yesterday’s dump are for high-end enterprise networking gear, including Cisco, Juniper and Fortinet firewalls.
Fortinet today said that versions of Fortigate firmware lower than 4.x are affected by the vulnerability in the ShadowBrokers data dump, and urged users to upgrade to 5.x immediately.
Cisco said today it has not yet released software updates for ASA that address the zero-day vulnerability, but it recommends workarounds until patches can be applied.
The zero-day is a flaw in ASA’s SNMP implementation that could allow an unauthenticated remote attacker to execute code on the appliance. Cisco said it has released an IPS signature (Legacy Cisco IPS Signature ID 7655-0) and a Snort rule (ID 3:39885) to detect exploit attempts.
“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” Cisco said in its advisory. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”
Cisco said the following products are affected: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 9300 ASA Security Module, Cisco PIX Firewalls, and Cisco Firewall Services Module (FWSM).
The second flaw, patched five years ago, is a vulnerability in the ASA command-line interface parser that could crash appliances running the software and possibly allow code execution. Attackers must be authenticated to exploit this bug, Cisco said.
“The Cisco ASA CLI Remote Code Execution Vulnerability was addressed in a defect fixed in 2011,” Cisco’s Omar Santos wrote in a blog post. “We have issued a formal Security Advisory to increase its visibility with our customers so they can ensure they are running software versions that defend against the exploit Shadow Broker has shared.”
“An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” Cisco said, adding that it does not have workarounds for this flaw. Cisco said its Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco PIX Firewalls, and Cisco Firewall Services Module (FWSM) are affected.
The ShadowBrokers’ haul included one plaintext file of exploits that was free to download, while the other would be auctioned to the highest bidder. Researchers quickly analyzed the freely available file, including one known as Xorcat, who tried an exploit called ExtraBacon against an ASA in his test lab and found it was legitimate.
The exploit, Xorcat said, gives an attacker unauthenticated access to the firewall over SSH or telnet, turning off the password requirement in the process.
“There you go, NSA built firewall exploits that are easy to use!” he wrote, adding that the attack did not crash the appliance, nor did it impact traffic.
Kaspersky Lab, which uncovered the Equation Group and disclosed its activities in February 2015, said there was a strong connection between the files the ShadowBrokers had and the Equation Group.
“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group,” Kaspersky Lab researchers said.
The strongest link is the extensive use of the RC5 and RC6 encryption algorithms in both the free file offered by the ShadowBrokers and in previously known Equation Group files. Researchers explained that the Equation Group’s implementation of RC5 and RC6 uses a subtract operation with the constant 0x61c88647. That value is the 32-bit two’s-complement negation of the standard RC5/RC6 key-schedule constant 0x9e3779b9, so subtracting it yields exactly the same round keys as the textbook addition; the unusual form is a fingerprint of a shared code base rather than a different cipher. Kaspersky Lab said the ShadowBrokers free file includes 347 RC5 and RC6 implementations, and the implementations are “functionally identical” and include the same 0x61c88647 constant.
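To make that fingerprint concrete, here is an added Python example written for this page; it is not Kaspersky Lab’s code and not taken from the leaked files. It builds the RC5-32 round-key table both the textbook way (add 0x9e3779b9) and the Equation Group way (subtract 0x61c88647) to show they are identical, and then scans a constructed byte string, standing in for a code section, for either form of the constant the way a triage script or YARA rule would. The sample bytes and the function names are my own.

```python
"""RC5/RC6 key-schedule constant 0x61C88647 as a code fingerprint (added example)."""
import struct

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163        # RC5/RC6 "magic" constant derived from e
Q32 = 0x9E3779B9        # RC5/RC6 "magic" constant derived from the golden ratio
NEG_Q32 = 0x61C88647    # (-Q32) mod 2^32: the constant Kaspersky flagged in the dump


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits (n is taken mod 32, as RC5 specifies)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def rc5_key_schedule(key, rounds=12, subtract_form=False):
    """RC5-32/rounds key expansion (Rivest 1994).

    subtract_form=False fills S with S[i] = S[i-1] + Q32 (textbook).
    subtract_form=True  fills S with S[i] = S[i-1] - 0x61C88647 (Equation style).
    Both yield the same table because 0x61C88647 == -Q32 mod 2^32.
    """
    c = max(1, (len(key) + 3) // 4)
    padded = key.ljust(4 * c, b"\x00")
    L = list(struct.unpack("<%dI" % c, padded))     # key bytes as little-endian words
    t = 2 * (rounds + 1)
    S = [P32]
    for i in range(1, t):
        if subtract_form:
            S.append((S[i - 1] - NEG_Q32) & MASK32)
        else:
            S.append((S[i - 1] + Q32) & MASK32)
    # Mix the key material into S (3 * max(t, c) iterations, per the spec).
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, (A + B) & 31)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def find_rc_constants(blob):
    """Return (offset, constant name, byte order) for every RC5/RC6 schedule constant found."""
    patterns = {
        "Q32 (standard add form)": Q32,
        "-Q32 (Equation-style subtract form)": NEG_Q32,
        "P32": P32,
    }
    hits = []
    for name, value in patterns.items():
        for endian, fmt in (("LE", "<I"), ("BE", ">I")):
            needle = struct.pack(fmt, value)
            start = 0
            while True:
                off = blob.find(needle, start)
                if off < 0:
                    break
                hits.append((off, name, endian))
                start = off + 1
    return sorted(hits)


# Constructed stand-in for a code section: filler bytes around two 32-bit
# immediates, as they would appear in a little-endian x86 binary.
SAMPLE_CODE = (
    b"\x55\x48\x89\xe5"                 # constructed filler
    + struct.pack("<I", NEG_Q32)        # subtract-form constant
    + b"\x00" * 6
    + struct.pack("<I", Q32)            # textbook constant
    + b"\xc3"
)


if __name__ == "__main__":
    key = bytes(16)
    textbook = rc5_key_schedule(key)
    equation = rc5_key_schedule(key, subtract_form=True)
    print("round keys identical:", textbook == equation)
    for off, name, endian in find_rc_constants(SAMPLE_CODE):
        print("offset %d: %s [%s]" % (off, name, endian))
```

The scan checks both byte orders because the same constant shows up big-endian in firmware images for some network appliances, and it also reports P32, which on its own is a much weaker signal since many unrelated programs embed it.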