Cisco acknowledges two vulnerabilities of NSA hack to be real

Cisco, the firewall maker, has provided a workaround for one of the two vulnerabilities disclosed in the Shadow Brokers data dump, for which no fix is available at present, and has issued an advisory on the other, which was patched in 2011, to raise awareness among its customers.
Shadow Brokers, an unknown group of hackers, dumped the data online this weekend and claimed to have stolen it from the Equation Group, a top-of-the-line APT believed to be associated with the NSA. The dump affects Cisco and Fortinet products.
In a security advisory, Cisco said both of the flaws, listed in the archive directory as EPICBANANA and EXTRABACON, could be used to breach the Adaptive Security Appliance (ASA) software used in its firewalls; both vulnerabilities enable remote code execution.
The data being offered for sale by the Shadow Brokers is dated between 2010 and 2013, so the unpatched programming blunder has been lingering in Cisco hardware for years. Whoever knew about the hole didn't tell the manufacturer of the vulnerable gear.
Fortinet also said that some of its products released prior to August 2012 contained a vulnerability that would allow an attacker to take execution control over a firewall. It also urged users of versions lower than 4.x to upgrade to 5.x immediately.
Most of the exploits in the dump target high-end enterprise networking gear, including Cisco, Juniper and Fortinet firewalls.
Researchers at Kaspersky Lab confirmed a connection between the tools up for auction and previous exploits and malware frameworks belonging to the Equation Group.
The new flaw, EXTRABACON, exploits a buffer overflow vulnerability in Cisco's ASA, PIX and Firewall Services Module and would allow an attacker to take full control of the firewall. Three preconditions apply: the target device must be configured with the snmp-server enable command, the attacker must know the SNMP community string, and the devices are only vulnerable to IPv4 traffic. Once the exploit succeeds, it would allow malware to be installed and all traffic monitored.
The EPICBANANA exploit can be used to bring down Cisco's ASA Software (version 8.4.1 or earlier) using invalid commands, and then run code on the system. The attacker must be locally authenticated on the system and must know the telnet or SSH password for the software; once that has been achieved, typing in certain invalid commands will allow the exploit to work.
Cisco said it has not yet released software updates for ASA that address the zero-day vulnerability, but it recommends workarounds until patches can be applied.
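As an added example, not taken from the original post or from Cisco, the following Python script audits a saved ASA running-config for the exposure preconditions the two exploits depend on: the SNMP agent enabled with a guessable community string (EXTRABACON), telnet management access that would let an authenticated user reach the CLI (EPICBANANA), and a software version in the 8.4.1-or-earlier range the post names. The sample config text, the `ASA Version x.y(z)` line format, the `snmp-server`/`telnet` line shapes and the list of "weak" community strings are constructed approximations of ASA syntax, assumed here for illustration rather than copied from a real device.

```python
"""Audit an ASA running-config for the exposure preconditions described above.

Constructed example; the config syntax is an approximation of Cisco ASA
output, not a copy of any real device.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample config (assumption: approximate ASA syntax).
SAMPLE_CONFIG = """\
ASA Version 8.4(1)
hostname asa-edge
snmp-server host inside 10.10.0.5 community public version 2c
snmp-server community public
snmp-server enable
telnet 10.10.0.0 255.255.255.0 inside
ssh 10.10.0.0 255.255.255.0 inside
"""

# Community strings that are common vendor/default values (assumption: a
# realistic audit would pull this list from the organisation's own policy).
WEAK_COMMUNITIES = {"public", "private", "cisco"}

# Latest version the post names as affected by EPICBANANA.
EPICBANANA_MAX_VERSION = (8, 4, 1)


def parse_version(config: str) -> Optional[Tuple[int, int, int]]:
    """Return the (major, minor, patch) tuple from an 'ASA Version 8.4(1)' line."""
    m = re.search(r"^ASA Version (\d+)\.(\d+)\((\d+)\)", config, re.M)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def audit(config: str) -> List[str]:
    """Return human-readable findings for each exposure precondition found."""
    findings: List[str] = []

    version = parse_version(config)
    if version is not None and version <= EPICBANANA_MAX_VERSION:
        findings.append(
            f"ASA version {'.'.join(map(str, version))} is 8.4.1 or earlier "
            "(range named for EPICBANANA); upgrade when a fixed release is available"
        )

    snmp_enabled = False
    for raw in config.splitlines():
        line = raw.strip()

        # EXTRABACON precondition 1: the SNMP agent is switched on.
        if line.startswith("snmp-server enable"):
            snmp_enabled = True

        # EXTRABACON precondition 2: the community string is guessable.
        # Matches both 'snmp-server community X' and
        # 'snmp-server host <if> <ip> community X ...'.
        m = re.match(r"snmp-server (?:host \S+ \S+ )?community (\S+)", line)
        if m and m.group(1).lower() in WEAK_COMMUNITIES:
            findings.append(
                f"weak SNMP community string '{m.group(1)}' in: {line}"
            )

        # EPICBANANA needs an authenticated CLI session; telnet carries the
        # password in clear text, so flag it and prefer SSH only.
        if line.startswith("telnet "):
            findings.append(f"telnet management access enabled: {line}")

    if snmp_enabled:
        findings.append(
            "SNMP agent enabled (snmp-server enable); restrict SNMP to trusted "
            "management hosts or disable it as an interim workaround"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against `show running-config` output saved to a file and feed the text to `audit()`; an empty list means none of the three preconditions was spotted, which is not proof the device is patched, only that the obvious exposure is absent.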
The Shadow Brokers also claim that their exploits will work on firewalls from Juniper Networks and TopSec, but neither company has publicly acknowledged the leak. The Shadow Brokers say they have additional yet-to-be-released exploits and are offering the data for sale in a Bitcoin auction. The group is asking for 1 million bitcoin (around $568 million at current rates), but the auction has yet to receive any significant bids.
If the auction is unsuccessful, the vulnerabilities contained in the data may come to light. Wikileaks has claimed to have access to the data and says it will publish a “pristine copy” soon.
“We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course,” read a WikiLeaks tweet.
There is less chance of anyone bidding on it if WikiLeaks releases it.