Cisco Networking Devices Affected By Disclosed Exploits

Earlier this month Cisco made available 2 security advisories (please see below for the relevant links) that relate to the public disclosure of security vulnerabilities within their and other vendors’ products by a hacking group known as Shadow Brokers.

This group released exploits that targeted routers and firewalls from vendors such as Cisco, Juniper and Fortinet.

Further coverage of how these exploits were disclosed are available within the following links:

Cisco Acknowledges ASA Zero Day Exposed By Shadowbrokers (Threatpost)

Shadowbrokers’ Leak Has ‘Strong Connection’ To Equation Group (Threatpost)

Hacking group claims to offer cyber-weapons in online auction (Reuters)

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online (The Hacker News)

Cisco confirms NSA-linked zeroday targeted its firewalls for years (Ars Technica)

Juniper Acknowledges Equation Group Targeted ScreenOS

Why Should These Issues Be Considered Important?

For the affected Cisco devices (a full list is provided here), the most severe of which could allow remote code execution (where an attacker can remotely target your device and have it carry out any action of their choice). The SNMP (defined) vulnerability is the result of a buffer overflow (defined) which can be exploited by an attacker by sending specifically crafted SNMP packets (piece/unit of data being sent via electronic means e.g. within a cable or in the air e.g. WiFi) to an affected device.

Affected Fortinet devices suffer from a similar overflow within their cookie (defined) parser (a tool that analyzes data in a structured manner in order to create meaning from it). As before successful exploitation results in an attacker obtaining remote access to affected devices.

At a later date Juniper acknowledged that their products were also targeted by the group due to the information found within the files that were disclosed. They have since determined that while the code does target their ScreenOS it cannot be used for a remote attack.

How Can I Protect Myself From These Issues?
=======================
Cisco
The relevant Cisco security advisories are available from the following links (further fixes are also expected):

Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability (patch available)

Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability (patch available)

Cisco provides further security recommendations within their dedicated blog post of these vulnerability disclosures that is being updated as new patches are being made available.

=======================
Fortinet
A security advisory for the affected Fortinet devices with suggested upgrades detailed within.
=======================
Juniper
As mentioned above Juniper devices are affected but are not remotely exploitable. They continuing to work on a possible means to tell if malicious code has been installed on devices created by them. More information is available within their dedicated forum post.
=======================

I hope that the above information is useful to you in defending your corporate networks against these disclosed vulnerabilities.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s