A Cisco security advisory warned against a Cisco PIX firewall flaw that is vulnerable to the BENIGNCERTAIN exploit...
exposed in the Shadow Brokers' data dump. The vulnerability, which is still unpatched, affects all Cisco systems configured to use an early version of the Internet Key Exchange protocol. What is IKEv1, and how do attackers exploit it?
The BENIGNCERTAIN exploit revealed in the Shadow Brokers' data dump of the National Security Agency's (NSA) cyberweapons and zero-day exploits could allow an unauthenticated remote attacker to send an Internet Key Exchange (IKE) packet to a vulnerable Cisco PIX firewall or other Cisco devices, causing them to dump some of their memory. The attacker can then sift through this memory for confidential information, such as the RSA private key and other configuration data. This enables the attacker to gain access to an IPsec VPN.
The BENIGNCERTAIN exploit targets a vulnerability in version 1 of the IKE protocol, which is used by these Cisco products to set up the secure IPsec VPN tunnel. IKE, which was designed to secure VPN communications and remote network access, uses certificates for setting up a shared symmetric encryption to achieve the high bandwidth needed for IPsec VPNs.
IKEv2 was released in 2005, and it contained many improvements over IKEv1.
There are no workarounds for this vulnerability, which exists in certain versions of Cisco IOS, Cisco IOS XE and Cisco IOS XR. Enterprises can protect themselves from the BENIGNCERTAIN exploit by installing Cisco IOS XR Software releases 5.3.x and higher, or by upgrading to a new system that is not vulnerable to the exploit. Cisco PIX 7.0 and higher are not vulnerable to BENIGNCERTAIN.
The Cisco PIX firewalls targeted by BENIGNCERTAIN are at end of life, but appear to still be used in organizations targeted by the NSA. End of life Cisco PIX firewalls should be retired, since they have not been receiving security updates since 2009.
Cisco recommends that users of these products set up an intrusion prevention system or intrusion detection system to locate and stop exploits.
Find out about the critical Cisco WebEx browser extension vulnerability
Learn if the Diffie-Hellman key exchange method remains secure for enterprise use
Discover the security risks of reusing private encryption keys
Dig Deeper on VPN security
Related Q&A from Nick Lewis
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading