
Shadow Brokers' Cisco vulnerability exploited in the wild

Cisco warns that an as-yet unpatched vulnerability derived from Shadow Brokers' BENIGNCERTAIN hacking tool is being exploited in the wild.

Cisco released a security advisory for another vulnerability exposed by the Shadow Brokers' cyberweapons dump, which is currently being used to exploit affected systems.

Cisco stated there are no workarounds to address the vulnerability, and it advised administrators of vulnerable systems to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect attacks using the vulnerability.

The new vulnerability is based on the BENIGNCERTAIN exploit leaked in the Shadow Brokers' dump last month, which affected Cisco's legacy PIX firewall line. The vulnerability, assigned CVE-2016-6415, affects all versions of Cisco IOS XE, Cisco IOS XR Software releases prior to 5.3.x and many versions of Cisco IOS -- but only on systems configured to use Internet Key Exchange protocol, version 1 (IKEv1).

"A vulnerability in IKEv1 packet-processing code in Cisco IOS, Cisco IOS XE and Cisco IOS XR software could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information," Cisco wrote in its advisory. "The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests. A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information."
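Cisco's advisory, quoted above, says the exposed condition is a device configured to accept IKEv1 security negotiation requests, and its interim advice is IDS/IPS monitoring. The script below is an added example written for this article, not Cisco's code and not a signature for the crafted packet (the page gives none): it decodes the fixed ISAKMP header of UDP datagrams arriving on the IKE ports, separates IKEv1 from IKEv2 traffic, and flags IKEv1 negotiation requests from addresses outside the device's configured peer list, as well as datagrams whose header length field disagrees with their real size. The peer list, the sample datagrams and the alert rules are constructed assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Fixed ISAKMP/IKE header layout (RFC 2408 sec. 3.1; IKEv2 keeps the same 28-byte layout)
ISAKMP_HEADER_LEN = 28
IKE_PORTS = {500, 4500}          # UDP 4500 (NAT-T) prefixes IKE with a 4-byte zero marker
EXCHANGE_NAMES = {
    2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
}
NEGOTIATION_EXCHANGES = {2, 4}   # IKEv1 phase-1 exchanges that open a new negotiation


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(payload: bytes) -> Optional[IsakmpHeader]:
    """Decode the fixed header; None when the datagram cannot even hold one."""
    if len(payload) < ISAKMP_HEADER_LEN:
        return None
    i_spi, r_spi, next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!8s8sBBBBII", payload[:ISAKMP_HEADER_LEN])
    # version byte: major in the high nibble, minor in the low nibble
    return IsakmpHeader(i_spi, r_spi, next_payload, version >> 4, version & 0x0F,
                        exch, flags, msg_id, length)


def assess_datagram(src_ip: str, dst_port: int, payload: bytes,
                    known_peers: Set[str]) -> Dict[str, str]:
    """Classify one UDP datagram sent to the monitored device's IKE listener.
    verdict is 'ignore', 'expected' or 'alert'; reason explains the decision."""
    if dst_port not in IKE_PORTS:
        return {"verdict": "ignore", "reason": "not an IKE port"}
    if dst_port == 4500:
        if payload[:4] != b"\x00\x00\x00\x00":
            return {"verdict": "ignore", "reason": "UDP-encapsulated ESP, not IKE"}
        payload = payload[4:]                      # strip the non-ESP marker
    hdr = parse_isakmp_header(payload)
    if hdr is None:
        return {"verdict": "alert", "reason": "datagram too short for an ISAKMP header"}
    if hdr.length != len(payload):
        return {"verdict": "alert",
                "reason": f"header length {hdr.length} != datagram length {len(payload)}"}
    if hdr.major != 1:
        return {"verdict": "expected",
                "reason": f"IKEv{hdr.major}, outside the IKEv1 advisory scope"}
    name = EXCHANGE_NAMES.get(hdr.exchange_type, f"exchange type {hdr.exchange_type}")
    if src_ip in known_peers:
        return {"verdict": "expected", "reason": f"IKEv1 {name} from configured peer"}
    # A zero responder SPI on a Main/Aggressive exchange is a fresh negotiation request,
    # which is exactly what the advisory says an affected device should not be accepting
    # from arbitrary sources.
    opens = hdr.exchange_type in NEGOTIATION_EXCHANGES and hdr.responder_spi == bytes(8)
    what = "negotiation request" if opens else "message"
    return {"verdict": "alert", "reason": f"IKEv1 {name} {what} from unknown peer {src_ip}"}


def build_isakmp(initiator_spi: bytes, exchange_type: int, major: int = 1,
                 body: bytes = b"", declared_length: Optional[int] = None) -> bytes:
    """Construct a datagram with a fixed header for the sample traffic below (test data only)."""
    length = ISAKMP_HEADER_LEN + len(body) if declared_length is None else declared_length
    version = (major << 4) | 0
    # next payload 1 = Security Association, flags 0, message id 0 during phase 1
    return struct.pack("!8s8sBBBBII", initiator_spi, bytes(8), 1, version,
                       exchange_type, 0, 0, length) + body


# Constructed sample traffic (not real captures); the peer address is an assumption.
KNOWN_PEERS = {"198.51.100.7"}
SAMPLE_DATAGRAMS = [
    ("198.51.100.7", 500, build_isakmp(b"\x11" * 8, 2, body=b"\x00" * 40)),   # Main Mode, known peer
    ("203.0.113.9", 500, build_isakmp(b"\x22" * 8, 4, body=b"\x00" * 40)),    # Aggressive, unknown peer
    ("203.0.113.9", 500, build_isakmp(b"\x33" * 8, 2, body=b"\x00" * 8,
                                      declared_length=4096)),                  # length field lies
    ("203.0.113.9", 4500, b"\x00\x00\x00\x00"
        + build_isakmp(b"\x44" * 8, 34, major=2, body=b"\x00" * 40)),          # IKEv2 over NAT-T
    ("203.0.113.9", 500, b"\x00" * 12),                                        # truncated datagram
]


def run_samples() -> List[Dict[str, str]]:
    return [dict(src=src, **assess_datagram(src, port, data, KNOWN_PEERS))
            for src, port, data in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for r in run_samples():
        print(f"{r['verdict']:8} {r['src']:14} {r['reason']}")
```

Feed it the UDP payloads from a capture taken on the device's outside interface. An "alert" from an address that is not a configured VPN peer is the traffic the advisory describes an affected device receiving, and is worth correlating with the IDS/IPS events Cisco suggests; a device that has no IKEv1 peers at all should simply not be configured to accept IKEv1, which removes the exposure described in the advisory.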

Cisco spokesperson Yvonne Malmgren said the reports of the vulnerability being actively exploited were discovered "as part of the ongoing investigation of the Shadow Brokers' disclosure, which began on Aug. 15, 2016."

"Cisco has established an Event Response Page," Malmgren told SearchSecurity. "We disclosed the vulnerability, even though the patches are still under development, because we learned that there may be public awareness of the vulnerability. This ensures our customers have the same level of information and awareness that we do, and can actively monitor and protect their networks. We will begin publishing fixes in current IOS versions in the coming days."

Experts suggested this may not be the last vulnerability to be revealed as a result of the Shadow Brokers' cyberweapons dump last month.

"The Shadow Brokers released a lot of information, so it may take some time for researchers to go through everything to see what's there," said Cris Thomas, strategist at Tenable Network Security, based in Columbia, Md. "There's no way to know for sure until someone sifts through all of the data."

"Cisco has said that they continue to look for other places and products that could be vulnerable as well," said Daniel Miessler, director of advisory services at IOActive Inc., based in Seattle. "While it would be speculative to say, but it seems likely, given the suggestive and anticipatory language being used by the vendor," Cisco will find more vulnerabilities based on the Shadow Brokers' cache.

Thomas Pore, director of IT and services at cybersecurity vendor Plixer International Inc., based in Kennebunk, Maine, said: "Since this flaw was not released by the Shadow Brokers, but was similar to a flaw BENIGNCERTAIN, it's almost certain this will not be the last zero day that Cisco addresses. Cisco is doing [its] due diligence looking into the flaws that were exposed."

Miessler agreed it was quite likely not the last vulnerability to surface as a result of the Shadow Brokers' leak. "The researcher consensus is that such teams have a large collection of similar vulnerabilities and exploits. This is, in all likelihood, simply one of many."

Experts also agreed similar vulnerabilities may also be hiding in other vendors' gear as well.

"IKE has been around since 1998, and as with most encryption technology, it's not the algorithm that is usually the problem -- it's the implementation," Thomas said. "The IKE specifications are open to a significant degree of interpretation, and if other vendors implemented IKE in the same way, then they might have a similar vulnerability. Hopefully, vendors will be reviewing their code for such problems now that this latest bug has been released."

Mustafa Al-Bassam, the former black hat hacker and current security researcher who posted an analysis of the BENIGNCERTAIN vulnerability, noted that the flaw dates back to at least 2004 based on the versions of Cisco PIX -- 5.2(9) to 6.3(4) -- referenced by the hacking tool.

There was also concern about the fact that Cisco's IKEv1 support in older, legacy PIX systems was reproduced in its more current product line.

"While it's not shocking that a vulnerability showed up in PIX software versions, it's interesting that the same vulnerability appears in the latest versions of networking software for other platforms," Pore said. "I wonder if the same functions from the PIX code repositories were carried over to newer development platforms, or maybe the same engineers were involved. Either way, it's alarming that a single vulnerability affects so much of the world's networking infrastructure."

"Some code tends to have a longer life, especially in common modules," Thomas said. "Code does not get completely rewritten just because there is new hardware or a new version. In fact, reusing code is a common practice throughout the entire industry.

"In cases such as this, customers should definitely follow the manufacturer's recommendations," Thomas said. "If they are still using outdated equipment, or equipment that is no longer supported, such as a Cisco PIX, now would be a great time to replace it."

"In addition to IDS/IPS to detect and prevent attacks attempting to exploit this flaw, customers with affected platforms need to carefully review and monitor traffic to and, more importantly, from their network," Pore added.

"Customers should be moving faster than ever toward a zero-trust model within their organizations. Having hardware or software provided by well-known brands is no longer enough -- if it ever was -- to make an assumption of security," Miessler suggested. "The components of any system can have legitimate, accidental flaws; they could be backdoored on purpose by an assortment of actors at the time of creation; they could have been since modified during a breach, etc.

"The assumption has to be that all components are either potentially compromised or able to be compromised, and the security program should be built so that prevention, detection and response are still viable to whatever degree possible, given this environment."
