
Cisco Finds New Zero-Day Linked to “Shadow Brokers” Exploit

Cisco has informed customers that further analysis of products possibly affected by the exploits and implants leaked recently by the group calling itself “Shadow Brokers” revealed the existence of another zero-day vulnerability.

In mid-August, Shadow Brokers leaked roughly 300 MB of firewall exploits, implants and tools allegedly stolen from the NSA-linked threat actor known as the “Equation Group.” Major firewall vendors analyzed the leak, and Cisco discovered that one of the exploits, dubbed “EXTRABACON,” relied on a zero-day flaw in the SNMP code of its ASA software.

The vulnerability, tracked as CVE-2016-6366, allows a remote, unauthenticated attacker to cause an affected system to reload or to execute arbitrary code. Cisco has released patches for most major releases of its ASA software.

Another exploit leaked by Shadow Brokers is called “BENIGNCERTAIN” and it targets PIX firewalls, which have not been supported since 2009. Cisco analyzed the exploit and determined that it does not affect PIX versions 7.0 and later. The company noted on August 19 that it had not identified any new vulnerabilities related to this exploit in current products.

Further analysis revealed that the vulnerability leveraged by BENIGNCERTAIN also affects products running IOS, IOS XE and IOS XR software.

The security hole, tracked as CVE-2016-6415, exists in the IKEv1 packet processing code and it allows a remote, unauthenticated attacker to retrieve memory contents, which could contain sensitive information.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” Cisco said in its advisory.

The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x; versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.

The networking giant has confirmed that PIX firewalls and all products running affected versions of IOS, IOS XE and IOS XR are affected if they are configured to use IKEv1, but the company is still working to determine if other products are impacted as well.

The vendor says it’s aware of exploitation attempts against some customers using the affected platforms.

Cisco has promised to release patches for CVE-2016-6415, but there are no workarounds. The company has published indicators of compromise (IoCs) and advised customers to use IPS and IDS solutions to detect and block exploitation attempts until fixed software is available.

“This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic cannot trigger this vulnerability. IKEv2 is not affected,” Cisco said. “Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”
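The three conditions in that statement (IKEv1 rather than IKEv2, traffic addressed to the device itself rather than transiting it, and a negotiation request the attacker must be able to receive a reply to) are exactly what a defender wants to separate when triaging a capture from a device that cannot yet be patched. The script below is an added example written for this page, not Cisco's code, signature or published IoC list: it decodes the ISAKMP fixed header that IKEv1 and IKEv2 share, handles the NAT-T non-ESP marker on UDP/4500, and labels each datagram as IKEv2, transit IKEv1, an IKEv1 phase-1 negotiation request aimed at one of the device's own IKE endpoints, or something else. The device address 192.0.2.1 and the sample packets are constructed for illustration; the labels are a triage aid, not proof that any given packet is an exploit attempt.

```python
# Triage of captured UDP/500 and UDP/4500 datagrams against the exploitation
# conditions Cisco described. Added example, not Cisco's code or IoC list;
# the addresses and packets below are constructed for illustration.
import struct
from ipaddress import ip_address

# ISAKMP fixed header, 28 bytes, shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
IKE_PORTS = {500, 4500}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 carries this prefix

# Exchange-type values that open an IKEv1 phase-1 negotiation
IKEV1_PHASE1 = {2: "main mode", 4: "aggressive mode"}

def parse_isakmp(payload):
    """Return the decoded ISAKMP header fields, or raise ValueError."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ispi, rspi, _next, version, exch, flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    if length < ISAKMP_HDR.size:
        raise ValueError("declared length shorter than header")
    return {"major": version >> 4, "minor": version & 0x0F, "exchange": exch,
            "rspi_zero": rspi == bytes(8), "flags": flags, "length": length}

def classify(pkt, own_addresses):
    """pkt = dict(src, dst, dport, payload); own_addresses = set of ip_address
    objects the device terminates IKE on. Returns a label for the datagram."""
    if pkt["dport"] not in IKE_PORTS:
        return "not-ike"
    payload = pkt["payload"]
    if pkt["dport"] == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            return "esp-in-udp"          # UDP-encapsulated ESP, not IKE at all
        payload = payload[len(NON_ESP_MARKER):]
    try:
        hdr = parse_isakmp(payload)
    except ValueError:
        return "malformed"
    if hdr["major"] == 2:
        return "ikev2"                   # not affected per the advisory
    if hdr["major"] != 1:
        return "unknown-version"
    if ip_address(pkt["dst"]) not in own_addresses:
        return "ikev1-transit"           # forwarded, not processed: cannot trigger
    if hdr["rspi_zero"] and hdr["exchange"] in IKEV1_PHASE1:
        return "ikev1-negotiation-request"  # the class worth logging by source
    return "ikev1-other"

def build_isakmp(major, exchange, rspi=bytes(8), body=b""):
    """Constructed test datagram: a bare ISAKMP header plus an arbitrary body."""
    version = (major << 4) | 0           # minor version 0
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(b"\x11" * 8, rspi, 0, version, exchange, 0, 0, length) + body

def triage(packets, own_addresses):
    """Count labels and list the sources of IKEv1 negotiation requests."""
    own = {ip_address(a) for a in own_addresses}
    counts, sources = {}, []
    for p in packets:
        label = classify(p, own)
        counts[label] = counts.get(label, 0) + 1
        if label == "ikev1-negotiation-request":
            sources.append(p["src"])
    return counts, sources

# Constructed sample capture against a device whose IKE endpoint is 192.0.2.1
SAMPLE = [
    {"src": "198.51.100.7", "dst": "192.0.2.1", "dport": 500, "payload": build_isakmp(1, 2)},
    {"src": "198.51.100.7", "dst": "192.0.2.1", "dport": 500, "payload": build_isakmp(1, 4)},
    {"src": "203.0.113.9", "dst": "192.0.2.1", "dport": 500, "payload": build_isakmp(2, 34)},
    {"src": "203.0.113.9", "dst": "192.0.2.55", "dport": 500, "payload": build_isakmp(1, 2)},
    {"src": "203.0.113.9", "dst": "192.0.2.1", "dport": 4500,
     "payload": NON_ESP_MARKER + build_isakmp(1, 2)},
    {"src": "203.0.113.9", "dst": "192.0.2.1", "dport": 4500,
     "payload": b"\x00\x00\x12\x34" + b"\x00" * 40},   # ESP SPI, no non-ESP marker
    {"src": "203.0.113.9", "dst": "192.0.2.1", "dport": 500, "payload": b"\x00" * 10},
]

if __name__ == "__main__":
    counts, sources = triage(SAMPLE, {"192.0.2.1"})
    print(counts)
    print("IKEv1 negotiation sources:", sources)
```

The source list is the useful output: because an exploit attempt needs the device's reply, the sources of IKEv1 phase-1 requests are far less likely to be spoofed than for a blind UDP attack, so they can be compared against the peers the VPN configuration actually expects. Packets labelled transit are the ones the advisory says cannot trigger the bug, and the IKEv2 label confirms the unaffected case.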

Related: Many Cisco Devices Still Vulnerable to NSA-Linked Exploit

Related: Juniper Confirms Leaked Implants Target Its Products

Related: Industry Reactions to Shadow Brokers Leak

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

