Cisco has informed customers that further analysis of products possibly affected by the exploits and implants leaked recently by the group calling itself “Shadow Brokers” revealed the existence of another zero-day vulnerability.
In mid-August, Shadow Brokers leaked roughly 300 Mb of firewall exploits, implants and tools allegedly stolen from the NSA-linked threat actor known as the “Equation Group.” Major firewall vendors analyzed the leak and Cisco discovered that one of the exploits, dubbed “EXTRABACON,” relied on a zero-day flaw affecting the SNMP code of its ASA software.
The vulnerability, tracked as CVE-2016-6366, allows remote attackers to cause a system to reload or execute arbitrary code. Cisco has released patches for most major releases of its ASA software.
Another exploit leaked by Shadow Brokers is called “BENIGNCERTAIN” and it targets PIX firewalls, which have not been supported since 2009. Cisco analyzed the exploit and determined that it does not affect PIX versions 7.0 and later. The company noted on August 19 that it had not identified any new vulnerabilities related to this exploit in current products.
Further analysis revealed that the vulnerability leveraged by BENIGNCERTAIN also affects products running IOS, IOS XE and IOS XR software.
The security hole, tracked as CVE-2016-6415, exists in the IKEv1 packet processing code and it allows a remote, unauthenticated attacker to retrieve memory contents, which could contain sensitive information.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” Cisco said in its advisory.
The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x; versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.
The networking giant has confirmed that PIX firewalls and all products running affected versions of IOS, IOS XE and IOS XR are vulnerable if they are configured to use IKEv1, but it is still working to determine whether other products are impacted as well.
The vendor says it’s aware of exploitation attempts against some customers using the affected platforms.
Cisco has promised to release patches for CVE-2016-6415; no workarounds are available. The company has published indicators of compromise (IoCs) and advised customers to use IPS and IDS solutions to prevent attacks.
“This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic cannot trigger this vulnerability. IKEv2 is not affected,” Cisco said. “Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”
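The conditions Cisco lists narrow the traffic a defender needs to look at while patches are pending: only IKE packets addressed to the device itself, and only those carrying IKEv1 (major version 1 in the ISAKMP header), can reach the flawed negotiation code; transit traffic and IKEv2 cannot. The following Python triage helper is an added example, not code from Cisco or from the article. It parses the 28-byte ISAKMP header that IKEv1 and IKEv2 share (RFC 2408, section 3.1), rejects packets whose Length field does not match the bytes actually received (the kind of consistency check a hardened packet parser applies before trusting a length from the wire; this illustrates the bug class, not Cisco's specific code or fix), and labels constructed sample datagrams by whether they fall inside the exposure window. The device addresses, the label strings, the sample packets and the restriction to UDP/500 (NAT-T framing on UDP/4500 is not handled) are all assumptions made for the example.

```python
import struct

# ISAKMP/IKE fixed header, shared by IKEv1 and IKEv2 (RFC 2408 s.3.1):
# Initiator SPI(8) Responder SPI(8) NextPayload(1) Version(1) ExchangeType(1)
# Flags(1) MessageID(4) Length(4) -> 28 bytes, network byte order.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size  # 28
IKE_PORT = 500  # assumption: plain IKE on UDP/500 only; NAT-T (UDP/4500) is out of scope here

# Constructed device addresses (RFC 5737 documentation ranges), not real hosts.
DEVICE_ADDRS = {"192.0.2.1", "198.51.100.1"}


def parse_isakmp_header(payload):
    """Return header fields, raising ValueError when the packet fails the basic
    consistency checks a careful parser applies before reading the body."""
    if len(payload) < ISAKMP_HDR_LEN:
        raise ValueError("payload shorter than the ISAKMP header")
    (_ispi, rspi, _next_payload, version, exch_type,
     _flags, _msg_id, length) = ISAKMP_HDR.unpack_from(payload)
    # The Length field is attacker-controlled: a parser that trusts it and reads
    # that many bytes from its buffer walks past the end of the real packet.
    if length < ISAKMP_HDR_LEN or length > len(payload):
        raise ValueError(f"Length field {length} inconsistent with {len(payload)}-byte packet")
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange_type": exch_type,
        "length": length,
        "responder_spi_set": rspi != b"\x00" * 8,
    }


def classify_packet(dst_ip, dst_port, payload, device_addrs):
    """Label one UDP datagram for exposure triage (labels are constructed for this example)."""
    if dst_port != IKE_PORT:
        return "not-ike"
    if dst_ip not in device_addrs:
        return "transit"          # forwarded through the device; per the advisory it cannot trigger the flaw
    try:
        hdr = parse_isakmp_header(payload)
    except ValueError:
        return "malformed"        # worth logging on its own: the header lies about its size
    if hdr["major"] == 2:
        return "ikev2"            # IKEv2 is not affected
    if hdr["major"] == 1:
        return "ikev1-to-device"  # the only traffic class that reaches the IKEv1 negotiation code
    return "unknown-version"


def build_isakmp(major, exchange_type, body=b"", claimed_length=None):
    """Build a constructed test packet; claimed_length lets a test put a lie in the Length field."""
    length = ISAKMP_HDR_LEN + len(body) if claimed_length is None else claimed_length
    next_payload = 1 if body else 0  # 1 = Security Association payload follows
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, next_payload, major << 4,
                          exchange_type, 0, 0, length)
    return hdr + body


# Constructed sample datagrams: (destination IP, destination port, UDP payload).
# Exchange type 2 = IKEv1 Identity Protection (main mode); 34 = IKEv2 IKE_SA_INIT.
SAMPLE_EVENTS = [
    {"dst": "192.0.2.1",    "dport": 500, "payload": build_isakmp(1, 2, body=b"\x00" * 20)},
    {"dst": "192.0.2.1",    "dport": 500, "payload": build_isakmp(2, 34)},
    {"dst": "203.0.113.9",  "dport": 500, "payload": build_isakmp(1, 2)},
    {"dst": "198.51.100.1", "dport": 500, "payload": build_isakmp(1, 2, claimed_length=4096)},
    {"dst": "192.0.2.1",    "dport": 53,  "payload": b"\x00" * 28},
]


def triage(events, device_addrs):
    """Label every event in order."""
    return [classify_packet(e["dst"], e["dport"], e["payload"], device_addrs) for e in events]


def summarize(events, device_addrs):
    """Count events per label so the IKEv1-to-device volume can be watched over time."""
    counts = {}
    for label in triage(events, device_addrs):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for event, label in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS, DEVICE_ADDRS)):
        print(f"{event['dst']}:{event['dport']} -> {label}")
    print(summarize(SAMPLE_EVENTS, DEVICE_ADDRS))
```

Feeding real captures into `classify_packet` requires only the destination address, port and UDP payload of each datagram; the `ikev1-to-device` and `malformed` buckets are the ones to alert on, and a device whose configuration contains no IKEv1 policy should produce an empty `ikev1-to-device` bucket in normal operation.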
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.