Cisco Battles Shadow Broker Exploits
Sep 28, 2016 7:00 AM PT
Cisco has swung into action to combat a hacker group's exploitation of vulnerabilities in its firmware. The group, known as the "Shadow Brokers," released online malware and other exploits it claimed to have stolen from the Equation Group, which is believed to have ties to the United States National Security Agency.
Cisco earlier this month disclosed the vulnerability, along with intrusion prevention system signatures and SNORT rules, "even though the patches are still under development," said Cisco spokesperson Yvonne Malmgren, "because we learned that there may be public awareness of the vulnerability."
This will let customers "actively monitor and protect their networks," she told TechNewsWorld, and it ensures that they "have the same level of information and awareness that we do."
Customers can check Cisco's Events Response Page for updates about its investigation into the issue.
The vulnerability affects products running Cisco IOS XR 4.3.x to 5.2.x, as well as Cisco IOS XE 3.1S and up.
The Cisco IOS Software Checker identifies any Cisco security advisories that impact a specific IOS Software release, as well as the earliest patch for the vulnerabilities in each advisory.
Bracing for Breaches
The vulnerability is in the Internet Key Exchange version 1 packet processing code in Cisco IOS, Cisco IO XE and Cisco IOS XR software.
It's due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests.
Attackers could exploit it by sending a crafted IKEv1 packet to an affected device that's configured to accept IKEv1 security requests, Cisco said. Exploiting the flaw lets attackers retrieve memory contents, which could lead to the disclosure of confidential information.
The flaw could have a "possibly substantial" impact, said Giovani Vigna, CTO of Lastline.
"Many devices out there are not managed well," he told TechNewsWorld. "They are installed and left to cyber-rot." These mismanaged devices "are going to be vulnerable, and used as the first point of compromise in enterprise networks."
When exploited, the vulnerability discloses information such as virtual private network configuration details and RSA private and public keys, said Thomas Pore, director of IT and services for Plixer.
They "cover a range of equipment that, in some cases, will likely never be patched," he told TechNewsWorld.
Customers using Cisco products and others that are affected by this revelation "are bracing themselves for potential data breaches -- or, even worse, finding out that some hidden resident malware has been lurking on their systems for an unknown period of time," remarked Chenxi Wang, chief strategy officer for Twistlock.
"Cisco seems to be moving fairly fast to release fixes for the vulnerabilities disclosed by the Shadow Brokers," she told TechNewsWorld, but "the industry would love to see more publicized information on how Cisco achieves secure development lifecycle practices -- and possibly a bug bounty program to boot."
The NSA Connection
If it's true that the Equation Group does have ties to the NSA, then "if the NSA has zero-day vulnerability information on all the top firewall brands, what other kinds of information do they have at their disposal to conduct surveillance on civilians and organizations at their discretion?" Wang asked.
Those ties could be why the NSA didn't notify Cisco of the vulnerabilities, suggested Plixer's Pore, and "the problem with not disclosing vulnerabilities for the sake of national security is that now many U.S. private and government organizations are vulnerable to potential nation-state attacks."