Tag: Cisco Firewall

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA. ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers.

The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction. ExtraBacon exploits a buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) implementation from Cisco's ASA software. It allows attackers to remotely execute rogue code on the affected devices, as long as they can send traffic to their SNMP interface.

This typically requires being on the same internal network as the targeted devices. Even though the ExtraBacon exploit was designed to work for versions 8.4(4) and earlier of the ASA software, other researchers demonstrated that it can be modified to also work on newer versions.

Cisco confirmed in an advisory that all versions of SNMP in Cisco ASA software contain the flaw. On Wednesday, the company updated its advisory to announce the availability of patched versions for different Cisco ASA branches, namely 9.1.7(9), 9.5(3), and 9.6.1(11). Devices using ASA software versions from the 8.x and 7.x branches should be migrated to version 9.1.7(9), according to the vendor.

Also, patched releases for the 9.0, 9.2, 9.3, and 9.4 branches are expected Thursday and Friday.

These will be 9.0.4(40), 9.2.4(14), 9.3.3(10) and 9.4.3(8).

In addition to ASA software, which is used in different stand-alone devices and security modules for routers and switches, the Cisco Firepower Threat Defense (FTD) Software, the Cisco Firewall Services Module (FWSM), and Cisco PIX Firewalls are also affected by this vulnerability. Software version 6.0.1(2) was released for Cisco FTD, but Cisco Firewall Services Modules and Cisco PIX Firewalls have reached their end of life, and no patches will be provided for them.

Security researchers have so far established links between the code in the tools leaked by Shadow Brokers and those previously found in the wild and attributed to the Equation group.

Furthermore, 14 files leaked by Shadow Brokers contain a 16-character string that NSA operatives are known to have used in their malware and which is listed in an NSA manual leaked by Edward Snowden, The Intercept reported. There is a second Equation exploit in the Shadow Brokers leak that targets ASA software.
It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported.

Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

The disclosure this week of a cache of files supposedly stolen from the National Security Agency has put a spotlight on secret cyber weapons the NSA has been holding -- and whether they should be disclosed. Security researchers have been poring over a sample set of hacking tools that may have been stolen from the NSA. An anonymous group called the Shadow Brokers has posted the samples online and is auctioning off the rest, claiming they contain cyber weapons that rival the Stuxnet computer worm.

Experts say the whole matter points to the danger of the NSA hoarding cyber weapons: they could fall into the wrong hands. "This theory that the NSA can keep them safe, and that nobody will find out, doesn't seem to hold water," said Ross Schulman, a cyber security co-director at the New America think tank.

At the heart of the matter are zero-day vulnerabilities and whether the U.S. government should keep its knowledge of them a secret. These zero-days are essentially holes in software products that not even the vendors know about.

They can be extremely valuable to both hackers and governments, especially when it comes to cyberespionage.
Intelligence agencies like the NSA can use them in hacking missions to uncover strategic information. However, for a zero-day to be useful, it has to be kept secret, or the vendor will patch it. As a result, the NSA regularly collects and even buys vulnerabilities -- reportedly spending millions -- but it doesn't always publicly disclose them.

That can leave vendors and customers exposed. Security experts now wonder if that approach is backfiring.

This week, Cisco was forced to roll out a security advisory in the wake of the new disclosure.

An exploit included among the samples relies on a zero-day vulnerability in a Cisco firewall that could be more than three years old. Jeremiah Grossman, chief of security strategy at SentinelOne, said he isn't surprised that NSA hacking tools may have leaked. "This is the risk when you have an increasingly large vulnerability repository that's been around for a while," he said. "You got to expect this will happen." Although the NSA has legitimate reasons for keeping some cyber weapons, Grossman said there needs to be more public discussion on what its policies should be and how vendors can ensure their products are protected. "We're going to need the government's help to do defense, not just offense," he said. The government's disclosure policy isn't very transparent today.

Although the NSA claims to release 91 percent of the vulnerabilities it finds, there's still no public data to verify that figure, said Jason Healey, a researcher at Columbia University. He's been studying the U.S. policy on keeping zero-days. He said the White House generally favors disclosing them if they affect widely used infrastructure, like Cisco products.

But the U.S. tries to do this without diminishing its own intelligence-gathering efforts. "We have to have a balance here, as much as I can get frustrated with the NSA keeping things to themselves," Healey said. It's still not clear if the stolen hacking tools are actually from the NSA.

Although the sample files do allude to past NSA-related codenames, security researchers say the documents could have been doctored. Still, the fear is that the stolen hacking tools are real and that more zero-day vulnerabilities may be in the hands of malicious actors. "I wouldn't be surprised if Congress started asking some questions," Schulman said.

The recent hack against the Democratic National Committee, and this new dump of hacking tools, has caused enough controversy to warrant U.S. lawmakers to investigate, he said. "If this may have happened once, are there other times this has happened?" Schulman asked. "What zero-days have been in those breaches?"

The Equation Group breach now appears to be very real, as tools emerge that have vendors scrambling. When news of an alleged breach of the National Security Agency-backed Equation Group first surfaced, there was much speculation about whether the sale by Shadow Brokers of pilfered tools was real or a hoax.

As it turns out, multiple security vendors are now confirming that at least some of the tools the Shadow Brokers are selling are real, with critical zero-day vulnerabilities now being exposed in the process. Among the tools exposed in the first batch that Shadow Brokers made available are two with somewhat interesting and unique names: EPICBANANAS and EXTRABACON.

The tools are designed to circumvent network security devices, including firewalls, from multiple vendors in an attempt to give an attacker access to a target network. Networking giant Cisco is among the targeted vendors and has confirmed that the two attack tools represent real risks to its Cisco ASA and PIX firewall products.

The EXTRABACON exploit is being labeled CVE-2016-6366 and is a Simple Network Management Protocol (SNMP) remote code execution vulnerability. "The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA, Cisco PIX and Cisco Firewall Services Module," Omar Santos, principal engineer of Cisco's Product Security Incident Response Team (PSIRT), wrote in a blog post. "An attacker could exploit this vulnerability by sending crafted SNMP packets to an affected Cisco product." Santos also provides command-line details of how the exploit works against the ASA.

The EXTRABACON tool affects all versions of ASA software, and Cisco has now released intrusion-prevention system (IPS) rules that can detect the issue.

The clarity and detail that the Cisco PSIRT post provides is part of an effort the company announced in October 2015 to provide its customers with as much transparency and information as possible on Cisco vulnerabilities. The other critical issue uncovered by the Shadow Brokers sale is the EPICBANANA vulnerability, which now also is identified as CVE-2016-6367 and is an arbitrary code execution vulnerability in the command-line interface (CLI).
Santos explained that the way EPICBANANA works is it connects to a targeted device by way of Secure Shell (SSH) or Telnet. "The attacker must source the attack from an IP address that is allowed by the SSH or telnet commands in the Cisco ASA," Santos wrote. "This is why it is a best practice to only allow SSH or telnet connections from trusted sources and on certain interfaces only (such as the management interface)."

The exploits don't just affect Cisco. Network security vendor Fortinet has also issued an advisory for its FortiGate firmware (FOS) to defend against the risk from tools exposed by the Shadow Brokers.
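The two Cisco issues above share one property: both exploits need network reachability to a service on the firewall (SNMP for EXTRABACON, SSH or Telnet for EPICBANANA), and Santos' stated best practice is to limit those services to trusted sources on a dedicated interface. The following ASA configuration fragment is an added, defender-side illustration of that practice; it is not from Cisco's advisory or Santos' post. The interface name `management`, the `10.10.10.0/24` management subnet, the `10.10.10.5` monitoring host, and the SNMPv3 user, group and passphrases are constructed placeholders, and patching to the fixed releases listed earlier on this page remains the actual remediation.

```cisco
! Added example (constructed values), not from the page's sources.
! Goal: the SNMP and SSH services on the ASA answer only trusted hosts
! on the out-of-band management interface, so a client on any other
! network cannot even reach the vulnerable code paths.

! --- SNMP: prefer v3 with authentication and privacy over a v1/v2c
! community string, and bind the only allowed poller to management.
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha PLACEHOLDER-AUTH-PASS priv aes 128 PLACEHOLDER-PRIV-PASS
snmp-server host management 10.10.10.5 version 3 nms-poller
! Remove any legacy community string so v1/v2c polling is not accepted.
no snmp-server community public

! --- Remote administration: SSH only, version 2, from the management
! subnet on the management interface; no Telnet statement at all.
ssh version 2
ssh 10.10.10.0 255.255.255.0 management
ssh timeout 10
! A 'telnet <ip> <mask> <iface>' line is what EPICBANANA-style access
! would rely on; leaving it out means no Telnet source is permitted.
no telnet 0.0.0.0 0.0.0.0 inside

! --- Verification after applying (expected: only the lines above
! appear, and no 'telnet' permit lines remain).
! show running-config snmp-server
! show running-config ssh
! show running-config telnet
```

The `no telnet ...` line is only meaningful if such a permit line already exists; on a device that never had one, the `show running-config telnet` check should simply return nothing. The IPS rules Cisco released, mentioned above, complement this by detecting crafted SNMP traffic that does reach the device, whereas the source restrictions reduce who can send it in the first place.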
In the Fortinet case, though, the advisory is currently limited to Fortigate firmware released before 2012.

Going a step further in helping confirm the validity of the Shadow Brokers' claims is the fact that Kaspersky Lab, the security group that first publicly identified the Equation Group, is now also seeing a connection.
Initially, when the Shadow Brokers announced that they had breached the Equation Group, Kaspersky Lab had only publicly commented that it was investigating the claims.

That investigation now points to solid links with the research that Kaspersky Labs itself had conducted regarding the Equation Group back in February 2015. "While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," a Kaspersky Lab Global Research and Analysis Team (GReAT) report stated.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist.

Cisco Firewall Services Module (FWSM) Software contains a vulnerability that could allow an unauthenticated, remote attacker to cause a reload of an affected system. The vulnerability is due to a race condition when releasing the ...
Cisco Firewall Services Module (FWSM) Software for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is affected by the following vulnerabilities: Cisco FWSM Command Authorization Vulnerability SQL*Net Insp...