Network Security

Cisco Finds New Zero-Day Linked to “Shadow Brokers” Exploit

Cisco has informed customers that further analysis of products possibly affected by the exploits and implants leaked recently by the group calling itself “Shadow Brokers” revealed the existence of another zero-day vulnerability.

In mid-August, Shadow Brokers leaked roughly 300 MB of firewall exploits, implants and tools allegedly stolen from the NSA-linked threat actor known as the “Equation Group.” Major firewall vendors analyzed the leak, and Cisco discovered that one of the exploits, dubbed “EXTRABACON,” relied on a zero-day flaw in the SNMP code of its ASA software.

The vulnerability, tracked as CVE-2016-6366, allows remote attackers to cause a system to reload or execute arbitrary code. Cisco has released patches for most major releases of its ASA software.

Another exploit leaked by Shadow Brokers is called “BENIGNCERTAIN” and it targets PIX firewalls, which have not been supported since 2009. Cisco analyzed the exploit and determined that it does not affect PIX versions 7.0 and later. The company noted on August 19 that it had not identified any new vulnerabilities related to this exploit in current products.

Further analysis revealed that the vulnerability leveraged by BENIGNCERTAIN also affects products running IOS, IOS XE and IOS XR software.

The security hole, tracked as CVE-2016-6415, exists in the IKEv1 packet processing code and it allows a remote, unauthenticated attacker to retrieve memory contents, which could contain sensitive information.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” Cisco said in its advisory.

The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.

The networking giant has confirmed that PIX firewalls and all products running affected versions of IOS, IOS XE and IOS XR are affected if they are configured to use IKEv1, but the company is still working to determine if other products are impacted as well.

The vendor says it’s aware of exploitation attempts against some customers using the affected platforms.

Cisco has promised to release patches for CVE-2016-6415, but there are no workarounds. The company has published indicators of compromise (IoCs) and advised customers to use IDS and IPS solutions to detect and block attack traffic until fixed software is available.

“This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic can not trigger this vulnerability. IKEv2 is not affected,” Cisco said. “Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”
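Cisco's advisory narrows the exposure to IKEv1 negotiation requests that terminate on a device configured for IKEv1: transit IKEv1 cannot trigger the flaw and IKEv2 is not affected. The following Python script is an added example, not code from the original article or from Cisco, showing how to triage UDP/500 datagrams along exactly those lines. It parses the 28-byte ISAKMP header shared by IKEv1 and IKEv2, separates the two protocol versions by the major version nibble, and flags IKEv1 requests whose destination is one of our own IKEv1 terminators (the `IKEV1_TERMINATORS` inventory set is an assumed input, not something Cisco publishes). The packets in `SAMPLES` are constructed for the example; the "malformed length" heuristic is a generic sanity check and is not one of Cisco's published IoCs.

```python
"""Triage of UDP/500 (ISAKMP/IKE) datagrams for CVE-2016-6415 exposure.

Added example: classify packets as IKEv1 or IKEv2 and flag IKEv1 negotiation
requests that terminate on a device configured for IKEv1. Sample packets and
the terminator inventory are constructed for illustration.
"""
import struct
from dataclasses import dataclass, field

# ISAKMP header (RFC 2408 s.3.1, reused by IKEv2 in RFC 7296 s.3.1), 28 bytes:
# initiator SPI (8), responder SPI (8), next payload (1), version (1: major<<4|minor),
# exchange type (1), flags (1), message ID (4), total length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
HDR_LEN = ISAKMP_HDR.size  # 28

IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
                   5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass
class Verdict:
    src: str
    dst: str
    version: str
    exchange: str
    findings: list = field(default_factory=list)


def classify(src, dst, payload, ikev1_terminators):
    """Classify one UDP/500 datagram. `ikev1_terminators` holds the addresses of
    our own devices that accept IKEv1 negotiation requests (assumed inventory)."""
    v = Verdict(src, dst, "unknown", "unknown")
    if len(payload) < HDR_LEN:
        v.findings.append("short datagram: no complete ISAKMP header")
        return v
    _ispi, rspi, _nxt, ver, exch, _flags, _msgid, length = ISAKMP_HDR.unpack_from(payload)
    major = ver >> 4
    if major == 1:
        v.version = "IKEv1"
        v.exchange = IKEV1_EXCHANGES.get(exch, f"unknown({exch})")
        if dst in ikev1_terminators:
            v.findings.append("IKEv1 request to a device configured for IKEv1: in scope for CVE-2016-6415")
        else:
            v.findings.append("IKEv1 to a host not inventoried as an IKEv1 terminator: transit, cannot trigger the flaw")
        if rspi == b"\x00" * 8 and exch in (2, 4):
            v.findings.append("new IKEv1 SA initiation (responder SPI is zero)")
    elif major == 2:
        v.version = "IKEv2"
        v.exchange = IKEV2_EXCHANGES.get(exch, f"unknown({exch})")
        v.findings.append("IKEv2: not affected by CVE-2016-6415")
    else:
        v.version = f"unknown(major={major})"
        v.findings.append("not an IKE major version: non-IKE payload on UDP/500")
    # Generic sanity check (not a Cisco IoC): the header's length field must match the datagram.
    if length != len(payload):
        v.findings.append(f"ISAKMP length field {length} != datagram length {len(payload)}: malformed")
    return v


def ike_packet(major, exch, flags=0, next_payload=1, body=b"", length=None):
    """Build a constructed ISAKMP datagram with a zero responder SPI."""
    total = HDR_LEN + len(body) if length is None else length
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, next_payload, major << 4, exch, flags, 0, total)
    return hdr + body


# Constructed samples: (src, dst, payload). 192.0.2.1 is our assumed IKEv1 router.
IKEV1_TERMINATORS = {"192.0.2.1"}
SAMPLES = [
    ("203.0.113.7", "192.0.2.1", ike_packet(1, 2, body=b"\x00" * 40)),                 # IKEv1 Main Mode to IKEv1 router
    ("203.0.113.7", "192.0.2.1", ike_packet(1, 2, body=b"\x00" * 40, length=4096)),    # same, bogus length field
    ("203.0.113.9", "192.0.2.50", ike_packet(2, 34, flags=0x08, next_payload=33, body=b"\x00" * 40)),  # IKEv2 IKE_SA_INIT
    ("203.0.113.7", "192.0.2.99", ike_packet(1, 4, body=b"\x00" * 12)),                # IKEv1 Aggressive to non-terminator
    ("203.0.113.3", "192.0.2.1", b"\x00" * 10),                                         # truncated
]


def triage(samples=SAMPLES, terminators=IKEV1_TERMINATORS):
    return [classify(s, d, p, terminators) for s, d, p in samples]


def in_scope(verdicts):
    """Only verdicts that Cisco's conditions put in scope for CVE-2016-6415."""
    return [v for v in verdicts if any("in scope" in f for f in v.findings)]


if __name__ == "__main__":
    for v in triage():
        print(f"{v.src} -> {v.dst}: {v.version} {v.exchange}; " + "; ".join(v.findings))
```

In a real deployment the samples would come from a packet capture or an IDS alert feed, and the terminator set from the device inventory (every IOS, IOS XE, IOS XR or PIX box with an IKEv1 configuration). The script does not attempt to detect the crafted packet itself, since the page does not describe its contents; it only narrows the haystack to the traffic that can reach the vulnerable code path.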

Related: Many Cisco Devices Still Vulnerable to NSA-Linked Exploit

Related: Juniper Confirms Leaked Implants Target Its Products

Related: Industry Reactions to Shadow Brokers Leak

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
