A Cisco security advisory warned against a Cisco PIX firewall flaw that is vulnerable to the BENIGNCERTAIN exploit...
exposed in the Shadow Brokers' data dump. The vulnerability, which is still unpatched, affects all Cisco systems configured to use an early version of the Internet Key Exchange protocol. What is IKEv1, and how do attackers exploit it?
The BENIGNCERTAIN exploit revealed in the Shadow Brokers' data dump of the National Security Agency's (NSA) cyberweapons and zero-day exploits could allow an unauthenticated remote attacker to send an Internet Key Exchange (IKE) packet to a vulnerable Cisco PIX firewall or other Cisco devices, causing them to dump some of their memory. The attacker can then sift through this memory for confidential information, such as the RSA private key and other configuration data. This enables the attacker to gain access to an IPsec VPN.
The BENIGNCERTAIN exploit targets a vulnerability in version 1 of the IKE protocol, which is used by these Cisco products to set up the secure IPsec VPN tunnel. IKE, which was designed to secure VPN communications and remote network access, uses certificates for setting up a shared symmetric encryption to achieve the high bandwidth needed for IPsec VPNs.
IKEv2 was released in 2005, and it contained many improvements over IKEv1.
There are no workarounds for this vulnerability, which exists in certain versions of Cisco IOS, Cisco IOS XE and Cisco IOS XR. Enterprises can protect themselves from the BENIGNCERTAIN exploit by installing Cisco IOS XR Software releases 5.3.x and higher, or by upgrading to a new system that is not vulnerable to the exploit. Cisco PIX 7.0 and higher are not vulnerable to BENIGNCERTAIN.
The Cisco PIX firewalls targeted by BENIGNCERTAIN are at end of life, but appear to still be used in organizations targeted by the NSA. End of life Cisco PIX firewalls should be retired, since they have not been receiving security updates since 2009.
Cisco recommends that users of these products set up an intrusion prevention system or intrusion detection system to locate and stop exploits.
Find out about the critical Cisco WebEx browser extension vulnerability
Learn if the Diffie-Hellman key exchange method remains secure for enterprise use
Discover the security risks of reusing private encryption keys
Dig Deeper on VPN security
Related Q&A from Nick Lewis
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading
Cloud security providers need to play catch-up with the evolving advancements in cloud technology. Find out what the top CSPs offer today and which ... Continue Reading
Cloud security certifications serve to bolster security professionals' resumes and boost value to employers. Learn about the top certifications ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.