Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Over 840,000 Cisco Devices Affected by NSA-Linked Flaw

An IOS software vulnerability identified recently by Cisco while analyzing the firewall exploits leaked by the group calling itself Shadow Brokers has been found to affect hundreds of thousands of devices located around the world.

An IOS software vulnerability identified recently by Cisco while analyzing the firewall exploits leaked by the group calling itself Shadow Brokers has been found to affect hundreds of thousands of devices located around the world.

The flaw, tracked as CVE-2016-6415, exists in the Internet Key Exchange version 1 (IKEv1) packet processing code of Cisco’s IOS, IOS XE and IOS XR software, and it can be exploited by a remote, unauthenticated attacker to access memory content that could contain sensitive information.

In order to determine how many devices are affected by this vulnerability, The Shadowserver Foundation has conducted an Internet scan for the Internet Security Association and Key Management Protocol (ISAKMP), which is part of IKE.

“We are querying all computers with routable IPv4 addresses that are not firewalled from the internet with a specifically crafted 64 byte ISAKMP packet and capturing the response,” the organization explained.

As of the last scan, conducted on Wednesday, more than 840,000 unique IP addresses responded as vulnerable to Shadowserver’s probe. The highest percentage of affected devices was in the United States (255,000), followed by Russia (42,000), United Kingdom (42,000), Canada (41,000), Germany (35,000), Japan (33,000), Mexico (26,000), France (26,000), Australia (22,000), China (22,000) and Italy (21,000). Based on autonomous system numbers (ASNs), many of the IPs are on Comcast and AT&T’s network.

According to Shadowserver, there is no evidence that the products of vendors other than Cisco are affected by the vulnerability, but the organization noted that it is not a conclusive test.

Cisco discovered the security hole while analyzing an exploit dubbed “BENIGNCERTAIN.” This and other exploits were allegedly stolen by Shadow Brokers from the NSA-linked Equation Group. The company has warned that the vulnerability has been exploited against some of its customers.

For the time being, most of the affected IOS software versions remain unpatched. Cisco has released a simple online tool that allows customers to determine if their products are affected.

Advertisement. Scroll to continue reading.

This is the second zero-day flaw found by Cisco after analyzing the Shadow Brokers leak. The exploit called “EXTRABACON” leveraged a previously unknown vulnerability in the company’s ASA software.

Related: Many Cisco Devices Still Vulnerable to NSA-Linked Exploit

Related: Juniper Confirms Leaked Implants Target Its Products

Related: Industry Reactions to Shadow Brokers Leak

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

A zero-day vulnerability named HTTP/2 Rapid Reset has been exploited to launch some of the largest DDoS attacks in history.