Cisco is warning its customers of new activity around the ShadowBrokers data dump, indicating that all versions of its IOS, IOS XE and IOS XR software are vulnerable to one of the many exploits released more than a month ago.
“Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms,” Cisco said on Friday in an advisory.
The vulnerability is in IKEv1 packet processing and affects many Cisco products running IOS software as well as all Cisco PIX firewalls. IKE is short for Internet Key Exchange, a protocol used to set up security associations in IPsec. An attacker could use this vulnerability to remotely siphon memory from traffic and disclose critical information from the stream such as RSA private keys and configuration information.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests,” Cisco said in its advisory. “An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests.”
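As an added, defender-side illustration that is not from the article or from Cisco: the advisory's affected condition is a device that accepts IKEv1 negotiation requests, so one triage step is to parse ISAKMP headers seen on UDP/500 and UDP/4500 and list which hosts actually answered an IKEv1 exchange. The sample datagrams, addresses and cookie values below are constructed for the example.

```python
import struct
from typing import NamedTuple, Optional

# ISAKMP header (RFC 2408): initiator cookie, responder cookie, next payload,
# version (major<<4 | minor), exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKE_PORTS = {500, 4500}  # NAT-T on 4500 prefixes IKE with a 4-byte zero marker
ZERO_COOKIE = bytes(8)

class IkeHeader(NamedTuple):
    icookie: bytes
    rcookie: bytes
    major: int
    exchange_type: int

def parse_isakmp(payload: bytes, dport: int) -> Optional[IkeHeader]:
    """Return the parsed header, or None if the datagram is not ISAKMP-shaped."""
    if dport == 4500:
        if payload[:4] != b"\x00\x00\x00\x00":
            return None  # ESP-in-UDP keep-alive/data, not IKE
        payload = payload[4:]
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, _nxt, ver, exch, _flags, _msgid, _length = ISAKMP_HDR.unpack_from(payload)
    if icookie == ZERO_COOKIE:
        return None  # initiator cookie must never be zero
    return IkeHeader(icookie, rcookie, ver >> 4, exch)

def ikev1_responders(datagrams):
    """datagrams: iterable of (src, dst, dport, payload). Returns the hosts that
    replied to an IKEv1 first message, i.e. devices still accepting IKEv1."""
    pending = {}  # initiator cookie -> (initiator, target) for IKEv1 first messages
    exposed = set()
    for src, dst, dport, payload in datagrams:
        hdr = parse_isakmp(payload, dport) if dport in IKE_PORTS else None
        if hdr is None or hdr.major != 1:
            continue  # IKEv2 peers are not flagged by this check
        if hdr.rcookie == ZERO_COOKIE:
            pending[hdr.icookie] = (src, dst)  # first message of an exchange
        elif pending.get(hdr.icookie) == (dst, src):
            exposed.add(src)  # target answered with its own responder cookie
    return exposed

def build_isakmp(icookie, rcookie, major, exch, flags=0):
    """Constructed header-only datagram for the sample traffic below."""
    return ISAKMP_HDR.pack(icookie, rcookie, 1, major << 4, exch, flags, 0, ISAKMP_HDR.size)

SAMPLE_DATAGRAMS = [  # constructed: scanner 198.51.100.7 probes three devices
    ("198.51.100.7", "192.0.2.1", 500, build_isakmp(b"\x11" * 8, ZERO_COOKIE, 1, 2)),
    ("192.0.2.1", "198.51.100.7", 500, build_isakmp(b"\x11" * 8, b"\x22" * 8, 1, 2)),
    ("198.51.100.7", "192.0.2.2", 500, build_isakmp(b"\x33" * 8, ZERO_COOKIE, 1, 2)),
    ("198.51.100.7", "192.0.2.3", 500, build_isakmp(b"\x44" * 8, ZERO_COOKIE, 2, 34, 0x08)),
    ("192.0.2.3", "198.51.100.7", 500, build_isakmp(b"\x44" * 8, b"\x55" * 8, 2, 34, 0x20)),
    ("192.0.2.9", "198.51.100.7", 4500, b"\x01\x02\x03\x04" + bytes(28)),
]
```

Only 192.0.2.1 is reported: 192.0.2.2 never answered, 192.0.2.3 negotiated IKEv2, and the 4500 datagram is ESP, not IKE.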
Cisco said IOS XR software 5.3.x and newer are not affected by this vulnerability; 4.3.x, 5.0.x, 5.1.x and 5.2.x are vulnerable. In its advisory, Cisco has published a long list of the Cisco IOS software trains that are vulnerable. All versions of IOS XE are vulnerable, Cisco said.
Cisco PIX, meanwhile, has not been supported since 2009; Cisco said versions 7.0 and later are not vulnerable.
This is the second time Cisco has scrambled to address exploits dumped by the ShadowBrokers on Aug. 15. Shortly after the vulnerabilities and exploits were made public and confirmed to belong to the Equation Group—which is believed to have close ties to the NSA—Cisco acknowledged and fixed a flaw in the SNMP implementation in its ASA firewalls. Another exploit for Cisco gear released by the ShadowBrokers was for a flaw patched in 2011 in the ASA command line interface parser. Both vulnerabilities expose affected systems to remote code execution.
“Cisco remains committed to transparency and helping our customers protect their networks,” Cisco said in a statement provided to Threatpost. “If a new vulnerability is found, we disclose it in line with our well-established processes, and that is what we did here.”
The ShadowBrokers data dump was confirmed by Kaspersky Lab researchers to have strong ties to the Equation Group. Kaspersky Lab uncovered the activities of the Equation Group and disclosed them in February 2015. The dump included a free file of hundreds of exploits for mainstream networking gear from Cisco, Juniper, Fortinet and others, well within the wheelhouse of the NSA. Kaspersky researchers found identical matches between Equation Group code samples and code from the ShadowBrokers leak, along with other evidence in the code linking the two.
The ASA exploit was called EXTRABACON, and allowed remote unauthenticated access over SSH or telnet to the Cisco firewall appliance. Within a week, researchers at SilentSignal, a red-teaming consultancy in Hungary, had modified the EXTRABACON exploit to work on more current versions of ASA.
The exploit targeting all versions of IOS and PIX is called BENIGNCERTAIN, which had been analyzed by researcher Mustafa Al-Bassam. He said the exploit is made up of three binaries, each a different step in the exploit process, which can be used to obtain RSA private key data and VPN configuration details if used against Cisco PIX firewalls.