A Cisco security advisory warned against a Cisco PIX firewall flaw that is vulnerable to the BENIGNCERTAIN exploit exposed in the Shadow Brokers' data dump. The vulnerability, which is still unpatched, affects all Cisco systems configured to use an early version of the Internet Key Exchange protocol. What is IKEv1, and how do attackers exploit it?
The BENIGNCERTAIN exploit revealed in the Shadow Brokers' data dump of the National Security Agency's (NSA) cyberweapons and zero-day exploits could allow an unauthenticated remote attacker to send an Internet Key Exchange (IKE) packet to a vulnerable Cisco PIX firewall or other Cisco devices, causing them to dump some of their memory. The attacker can then sift through this memory for confidential information, such as the RSA private key and other configuration data. This enables the attacker to gain access to an IPsec VPN.
The BENIGNCERTAIN exploit targets a vulnerability in version 1 of the IKE protocol, which these Cisco products use to set up the secure IPsec VPN tunnel. IKE, which was designed to secure VPN communications and remote network access, uses certificates to set up shared symmetric encryption to achieve the high bandwidth needed for IPsec VPNs.
IKEv2 was released in 2005, and it contained many improvements over IKEv1.
There are no workarounds for this vulnerability, which exists in certain versions of Cisco IOS, Cisco IOS XE and Cisco IOS XR. Enterprises can protect themselves from the BENIGNCERTAIN exploit by installing Cisco IOS XR Software releases 5.3.x and higher, or by upgrading to a new system that is not vulnerable to the exploit. Cisco PIX 7.0 and higher are not vulnerable to BENIGNCERTAIN.
The Cisco PIX firewalls targeted by BENIGNCERTAIN are at end of life, but appear to still be used in organizations targeted by the NSA. End-of-life Cisco PIX firewalls should be retired, as they have not received security updates since 2009.
Cisco recommends that users of these products set up an intrusion prevention system or intrusion detection system to locate and stop exploits.
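To support the monitoring and upgrade advice above, here is an added example (not from the original article or from Cisco) that parses the fixed ISAKMP header of UDP port 500 payloads and lists which remote peers still send IKEv1 to each VPN gateway. The function names, gateway addresses and sample packets are constructed for illustration, and NAT-T traffic on port 4500 is assumed out of scope.

```python
import struct
from collections import defaultdict

# Fixed 28-byte ISAKMP/IKE header, network byte order (RFC 2408, RFC 7296):
# initiator cookie (8), responder cookie (8), next payload (1),
# version (1: major in high nibble), exchange type (1), flags (1),
# message ID (4), total message length (4).
HEADER = struct.Struct("!8s8sBBBBII")

def parse_ike_header(payload):
    """Return (major_version, declared_length), or None if too short for a header."""
    if len(payload) < HEADER.size:
        return None
    _, _, _, version, _, _, _, length = HEADER.unpack_from(payload)
    return version >> 4, length

def audit_ike(packets, gateways):
    """packets: iterable of (src_ip, dst_ip, udp_500_payload).
    Returns (ikev1_peers, malformed): gateways mapped to the remote peers
    that sent them IKEv1 messages, and packets that failed sanity checks."""
    ikev1_peers = defaultdict(set)
    malformed = []
    for src, dst, payload in packets:
        parsed = parse_ike_header(payload)
        # A length field that disagrees with the datagram size is not a valid message.
        if parsed is None or parsed[1] != len(payload):
            malformed.append((src, dst))
            continue
        major, _ = parsed
        if major == 1 and dst in gateways:
            ikev1_peers[dst].add(src)
    return dict(ikev1_peers), malformed

def build_sample(version, body=b"", declared=None):
    """Build a constructed test message; cookies and body are dummy bytes."""
    length = HEADER.size + len(body) if declared is None else declared
    return HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, version, 2, 0, 0, length) + body

# Constructed sample traffic (documentation IP ranges), not captured data.
SAMPLE = [
    ("198.51.100.7", "192.0.2.1", build_sample(0x10, b"\x00" * 20)),  # IKEv1
    ("198.51.100.9", "192.0.2.1", build_sample(0x20, b"\x00" * 20)),  # IKEv2
    ("203.0.113.5", "192.0.2.1", build_sample(0x10, declared=4096)),  # bad length
    ("203.0.113.8", "192.0.2.2", b"\x00" * 10),                       # truncated
]

if __name__ == "__main__":
    peers, bad = audit_ike(SAMPLE, gateways={"192.0.2.1", "192.0.2.2"})
    print("IKEv1 peers per gateway:", peers)
    print("Malformed:", bad)
```

Gateways that appear in the first result still accept IKEv1 negotiation and are candidates for the upgrade or retirement described above.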