A researcher found an exploit in the dump of NSA-linked cyberweapons that abuses a Cisco security vulnerability...
and highlights the dangers of using hardware that is no longer supported by the manufacturer.
The BENIGNCERTAIN exploit, revealed by former black hat hacker and current security researcher Mustafa Al-Bassam, is a remote exploit for the Cisco PIX router that could allow an attacker to decrypt the VPN traffic passing through the device. The exploit was found in the dump of Equation Group exploits, which was said to include a stockpile of National Security Agency (NSA) cyberweapons.
According to Al-Bassam, the exploit "sends an Internet Key Exchange packet to the victim machine, causing it to dump some of its memory. The memory dump can then be parsed to extract an RSA private key and other sensitive configuration information."
In his original blog post, Al-Bassam said the BENIGNCERTAIN tool referenced Cisco PIX versions 5.2(9) to 6.3(4), but he later confirmed on Twitter the Cisco security vulnerability was also present in PIX 6.3(5).
BENIGNCERTAIN works on PIX 6.3(5), meaning that the NSA was able to decrypt any Cisco VPN traffic from 2002 to 2008. pic.twitter.com/x15vs5dSkW— Mustafa Al-Bassam (@musalbas) August 19, 2016
Omar Santos, principal engineer for the Cisco Product Security Incident Response Team, acknowledged the vulnerability in a blog post.
"Our investigation so far has not identified any new vulnerabilities in current products related to the exploit," Santos wrote. "Even though the Cisco PIX is not supported and has not been supported since 2009, out of concern for customers who are still using PIX, we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN. The Cisco ASA [Adaptive Security Appliance] is not vulnerable."
Al-Bassam noted Cisco ended support altogether for PIX version 6.3 in 2013, but there are still more than 15,000 vulnerable devices deployed in the wild.
There's actually over 15,000 Cisco PIX firewalls online today vulnerable to BENIGNCERTAIN, most of them in Russia. pic.twitter.com/rmwHBEyGW9— Mustafa Al-Bassam (@musalbas) August 19, 2016
Santos warned of the risks of using unsupported products.
"Just as technology advances, so too do the nature and sophistication of attacks," Santos wrote. "Prolonging the use of older technology exponentially increases risk."
Garve Hays, solutions architect for U.K.-based Micro Focus, told SearchSecurity that enterprises should not use unsupported products because they will be vulnerable.
"The concept of the long tail applies to vulnerabilities as well, so it should come as no surprise that there is someone out there still using something they probably shouldn't," Hays said. "Given that notion, in this case, Cisco actively provided patches well into 2009, so there is no excuse for not keeping their appliances patched and up to date. In general, an organization should presume they are vulnerable and follow a process that includes policy, review and remediation."
Hays also noted it is likely the NSA wasn't the only actor with this exploit.
"Cisco is a high-value target for many actors, so it is likely that others are cognizant of it and have used the exploit," Hays said. "In my opinion, the NSA should have disclosed the flaw to Cisco. That is at the very heart of responsible disclosure."
Rebecca Herold, CEO of Privacy Professor, agreed the NSA should have disclosed the Cisco security vulnerability.
"Given the huge vulnerability and exposure to everyone using these specific types of PIX firewalls, yes, they definitely should have [disclosed it]. Especially for technology that was created specifically to be used for security purposes, and is being widely used by huge organizations, which have the data of millions of individuals," Herold told SearchSecurity via email.
"Failure to notify a security technology vendor of a security flaw and, indeed, even to exploit it and use it for their own purposes for many years is, quite frankly, unethical and diametrically opposed to the NSA's mission to 'defend vital networks.' The NSA claims to be doing surveillance in the name of security, when their very actions have put the security of all those using the affected PIX firewalls at very real risk."
Learn more about the fallout from the Equation Group cyberweapons leak.
Get info on the risks of using unsupported software.