A Cisco security advisory warned of a Cisco PIX firewall flaw that is vulnerable to the BENIGNCERTAIN exploit exposed in the Shadow Brokers' data dump. The vulnerability, which is still unpatched, affects all Cisco systems configured to use an early version of the Internet Key Exchange protocol. What is IKEv1, and how do attackers exploit it?
The BENIGNCERTAIN exploit revealed in the Shadow Brokers' data dump of the National Security Agency's (NSA) cyberweapons and zero-day exploits could allow an unauthenticated remote attacker to send an Internet Key Exchange (IKE) packet to a vulnerable Cisco PIX firewall or other Cisco devices, causing them to dump some of their memory. The attacker can then sift through this memory for confidential information, such as the RSA private key and other configuration data. This enables the attacker to gain access to an IPsec VPN.
The BENIGNCERTAIN exploit targets a vulnerability in version 1 of the IKE protocol, which these Cisco products use to set up the secure IPsec VPN tunnel. IKE, which was designed to secure VPN communications and remote network access, uses certificates to set up a shared symmetric encryption key, since symmetric encryption provides the throughput that IPsec VPNs need.
IKEv2 was released in 2005, and it contained many improvements over IKEv1.
There are no workarounds for this vulnerability, which exists in certain versions of Cisco IOS, Cisco IOS XE and Cisco IOS XR. Enterprises can protect themselves from the BENIGNCERTAIN exploit by installing Cisco IOS XR Software releases 5.3.x and higher, or by upgrading to a new system that is not vulnerable to the exploit. Cisco PIX 7.0 and higher are not vulnerable to BENIGNCERTAIN.
The Cisco PIX firewalls targeted by BENIGNCERTAIN are at end of life, but appear to still be in use in organizations targeted by the NSA. End-of-life Cisco PIX firewalls should be retired, since they have not received security updates since 2009.
Cisco recommends that users of these products set up an intrusion prevention system or intrusion detection system to locate and stop exploits.
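As an added example (not from the Cisco advisory or from Nick Lewis), the following Python decodes the fixed IKE header that IKEv1 and IKEv2 share, so a defender can run it over captured UDP/500 datagrams to inventory which peers still negotiate IKEv1, the protocol version this advisory covers, and to flag datagrams whose declared length does not match what actually arrived. The source addresses and packets are constructed sample data; `make_ike` exists only to build them.

```python
import struct
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# Fixed 28-byte ISAKMP/IKE header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296):
# initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length.
HEADER_FMT = "!8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28
IKEV1_EXCHANGES = {2: "main_mode", 4: "aggressive", 5: "informational"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

class IkeHeader(NamedTuple):
    major: int
    minor: int
    exchange: str
    declared_len: int
    malformed: bool  # length field disagrees with the bytes actually received

def parse_ike_header(payload: bytes) -> Optional[IkeHeader]:
    """Decode the fixed IKE header; return None if the datagram is too short to hold one."""
    if len(payload) < HEADER_LEN:
        return None
    _ispi, _rspi, _nxt, version, exch, _flags, _msgid, length = struct.unpack(
        HEADER_FMT, payload[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES if major == 2 else {}
    # A declared length that does not match the datagram is worth logging on its own,
    # whichever IKE version the peer is speaking.
    return IkeHeader(major, minor, names.get(exch, f"unknown({exch})"), length, length != len(payload))

def ikev1_peers(datagrams: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Map each source IP still negotiating IKEv1 to the exchange types it used."""
    seen: Dict[str, List[str]] = {}
    for src, payload in datagrams:
        hdr = parse_ike_header(payload)
        if hdr and hdr.major == 1:
            seen.setdefault(src, []).append(hdr.exchange)
    return seen

def make_ike(major: int, exchange: int, body: bytes = b"", declared: Optional[int] = None) -> bytes:
    """Build a constructed IKE datagram for the sample below (header plus an opaque body)."""
    length = HEADER_LEN + len(body) if declared is None else declared
    return struct.pack(HEADER_FMT, b"\x11" * 8, b"\0" * 8, 0, major << 4, exchange, 0, 0, length) + body

# Constructed sample traffic as a capture tool would hand it over: (source IP, UDP/500 payload).
SAMPLE = [
    ("10.0.0.5", make_ike(1, 2, b"\0" * 40)),    # IKEv1 main mode: still on the affected version
    ("10.0.0.5", make_ike(1, 4, b"\0" * 40)),    # IKEv1 aggressive mode, same peer
    ("10.0.0.9", make_ike(2, 34, b"\0" * 40)),   # IKEv2 IKE_SA_INIT: outside this advisory's scope
    ("10.0.0.7", make_ike(1, 5, declared=500)),  # declared length exceeds the bytes received
]
```

Feeding real captures in place of `SAMPLE` turns `ikev1_peers` into a quick check of which VPN endpoints still need the upgrade the advisory recommends.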