It would have been easy to walk away from an issue, but Cisco conducted additional research on a possible vulnerability and did find an associated Zero Day.
In mid-August, Shadow Brokers leaked 300 Mb of firewall exploits, implants and tools they said they stole from the NSA-linked attacker known as the “Equation Group.”
Firewall vendors analyzed the leak, and Cisco found that one of the exploits, dubbed “EXTRABACON,” relied on a Zero Day affecting the SNMP code of its ASA software.
The vulnerability, tracked as CVE-2016-6366, allows remote attackers to cause a system to reload or execute arbitrary code. Cisco released patches for most major releases of its ASA software.
Another exploit leaked by Shadow Brokers, “BENIGNCERTAIN,” targets PIX firewalls, which have not been supported since 2009.
Cisco tested the exploit and determined it does not affect PIX versions 7.0 and later. The company said last month it had not identified any new vulnerabilities related to this exploit.
However, after going back and looking into the issue, Cisco said the vulnerability leveraged by BENIGNCERTAIN also affects products running IOS, IOS XE and IOS XR software.
The security hole exists in the IKEv1 packet processing code and allows a remote, unauthenticated attacker to retrieve memory contents, which could contain sensitive information.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information,” Cisco said in its advisory.
The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x; versions 5.3.0 and later are not affected. All IOS XE releases and various versions of IOS are affected.
Cisco confirmed PIX firewalls and all products running affected versions of IOS, IOS XE and IOS XR remain affected if they are configured to use IKEv1, but the company is still working to determine if other products suffer from the issue as well.
Cisco is aware of exploitation attempts against some customers using the affected platforms.
Cisco said it will release patches for CVE-2016-6415, but there are no workarounds. The company has published indicators of compromise (IoCs) and advised customers to use IPS and IDS solutions to prevent attacks.