Security Experts:

Firewall Vendors Analyze Exploits Leaked by "Shadow Brokers"

Cisco, Fortinet and WatchGuard have analyzed the exploits leaked recently by a threat group calling itself Shadow Brokers. While Fortinet and WatchGuard determined that the vulnerabilities were patched several years ago, Cisco did find a zero-day in its products.

The mysterious Shadow Brokers group claims to have hacked The Equation Group, a threat actor believed to be associated with the U.S. National Security Agency (NSA). Shadow Brokers, which some speculate might be sponsored by Russia, has released 300Mb of firewall exploits, implants and tools, and is offering to sell even more information for 1 million Bitcoin (valued at more than $500 million).

Kaspersky Lab, which has conducted an extensive analysis of Equation Group tools, has confirmed that the leaked files appear to come from the NSA-linked actor, but pointed out that the files date back to 2010-2013. Nevertheless, this is still a significant leak.

Shadow Brokers has published exploits and implants for hacking firewalls made by Fortinet, Chinese company TOPSEC, Cisco, Juniper Networks, WatchGuard and several unknown vendors.

Cisco finds zero-day vulnerability

In the case of Cisco, the exploits target the company’s PIX and ASA firewalls. Based on its analysis of the leaked files, the networking giant has determined that one of the exploits, dubbed “EPICBANANA,” relied on a vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) software.

The security hole, tracked as CVE-2016-6367, can be exploited to cause a denial-of-service (DoS) condition or to execute arbitrary code. However, Cisco noted that this vulnerability was patched in 2011.

The second vulnerability identified by Cisco, leveraged in an exploit dubbed “EXTRABACON,” is actually a zero-day. The high severity issue, CVE-2016-6366, exists in the Simple Network Management Protocol (SNMP) code of Cisco ASA software and it allows an unauthenticated attacker to remotely cause a system to reload or execute arbitrary code.

The flaw impacts PIX and ASA firewalls, Firepower security modules, and Firewall Services Modules. Cisco has yet to release security updates for this issue, but the company has provided workarounds and signatures for intrusion prevention systems.

The Shadow Brokers leak also contains JETPLOW, a persistent firmware implant for EPICBANANA. Cisco said the implant doesn’t work against its newer platforms, which include a secure boot feature and digitally signed components.

Other companies patched their products

Fortinet has published an advisory to detail the remote code execution exploit dubbed “EGREGIOUSBLUNDER.” According to the vendor, the exploit targets a cookie parser buffer overflow that affected FortiGate (FOS) firmware released before August 2012.

WatchGuard explained that the “ESCALATEPLOWMAN” exploit targets RapidStream appliances. WatchGuard acquired RapidStream in 2002, but the company said the vulnerabilities were not carried over to WatchGuard appliances.

In the case of Juniper Networks, hackers leaked a Netscreen firewall implant called “FEEDTROUGH.” While Juniper has not published an advisory, some speculated last year that “FEEDTROUGH” might be related to the backdoor found by the company in its Netscreen firewalls.

The Chinese company TOPSEC has not released an advisory, despite the fact that many of the exploits target its firewalls. On the other hand, the company doesn’t appear to have issued any security advisories on its website for more than a year.

Related: Cisco Reviewing Code After Juniper Backdoor Hack

Related: Fortinet Unveils New Security Fabric, High-Performance Firewalls

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.