Cisco devices at risk of attack from Pix Pocket exploits

Sep 19, 2016 23:40 GMT  ·  By

An exploit leaked in The Shadow Brokers data dump in August, believed to affect only discontinued Cisco PIX firewalls, also affects current device models and has even been used in live attacks, according to a Cisco advisory released last week.

"Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms," the Cisco team explained on Friday, September 16.

BENIGNCERTAIN can steal VPN keys

The exploit, nicknamed BENIGNCERTAIN (or Pix Pocket), was part of a large trove of files dumped online by a mysterious hacking crew calling itself The Shadow Brokers, who claimed to have stolen them from an operational server of the Equation Group, a cyber-espionage outfit that security vendors believe may be linked to the NSA.

The exploit targets CVE-2016-6415, a flaw in how affected Cisco software handles IKEv1 (Internet Key Exchange version 1) packets during security negotiation.

Sending a small number of crafted IKEv1 packets to an affected device lets a remote, unauthenticated attacker read portions of the device's memory. The disclosed memory can contain RSA private keys, VPN keys, and other sensitive configuration data.
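The article describes the bug as crafted IKEv1 packets slipping past insufficient checks in the negotiation code. The following is an added example (written for this page, not code from the article, from Cisco, or from the leaked tool) of what the receiving side's sanity checks on an ISAKMP datagram look like: parse the fixed header and walk the payload chain, flagging any length field that disagrees with the datagram. The header and payload layouts follow RFC 2408; the sample packets are constructed here, the payload bodies are placeholder bytes, and nothing in it reproduces the actual exploit packet, whose format the article does not give.

```python
import struct

# ISAKMP fixed header (RFC 2408 s.3.1): I-cookie, R-cookie, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, total length.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
# Generic payload header (RFC 2408 s.3.2): next payload, reserved, payload length.
PAYLOAD_HDR = struct.Struct("!BBH")

PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}


def parse_isakmp(data):
    """Parse one UDP/500 datagram. Returns (header, payloads, anomalies), where
    anomalies lists every length-field inconsistency found before copying any payload."""
    anomalies = []
    if len(data) < ISAKMP_HDR.size:
        return None, [], ["truncated ISAKMP header: %d bytes" % len(data)]
    icookie, rcookie, np, version, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    header = {"icookie": icookie.hex(), "rcookie": rcookie.hex(),
              "version": (version >> 4, version & 0xF), "exchange": exch,
              "flags": flags, "msgid": msgid, "length": length}
    if version >> 4 != 1:
        anomalies.append("major version %d is not IKEv1" % (version >> 4))
    if length != len(data):
        anomalies.append("header length %d != datagram length %d" % (length, len(data)))

    payloads = []
    off = ISAKMP_HDR.size
    while np != 0:
        name = PAYLOAD_NAMES.get(np, "type%d" % np)
        if off + PAYLOAD_HDR.size > len(data):
            anomalies.append("%s payload header at offset %d runs past end of datagram" % (name, off))
            break
        nxt, _reserved, plen = PAYLOAD_HDR.unpack_from(data, off)
        if plen < PAYLOAD_HDR.size:
            anomalies.append("%s payload length %d is smaller than its own header" % (name, plen))
            break
        if off + plen > len(data):
            # The check a responder must make before copying plen bytes out of the buffer.
            anomalies.append("%s payload claims %d bytes but only %d remain" % (name, plen, len(data) - off))
            break
        payloads.append({"type": name, "offset": off, "length": plen})
        off += plen
        np = nxt
    if not anomalies and off != len(data):
        anomalies.append("%d trailing bytes after the last payload" % (len(data) - off))
    return header, payloads, anomalies


def build_packet(chain, exch=2, declared_length=None):
    """Assemble a constructed IKEv1 datagram from [(payload_type, body_bytes), ...].
    declared_length lets a sample lie in the header's length field."""
    body = b""
    for i, (ptype, pbody) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = chain[0][0] if chain else 0
    total = ISAKMP_HDR.size + len(body)
    length = total if declared_length is None else declared_length
    # Fixed cookies, exchange type 2 (Identity Protection / Main Mode), no flags, message ID 0.
    return ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exch, 0, 0, length) + body


def sample_packets():
    """Constructed samples (not captures of real traffic and not the leaked tool's packets)."""
    sa_body = b"\x00\x00\x00\x01" + b"\x00\x00\x00\x01"   # DOI=IPsec, SIT_IDENTITY_ONLY, no proposal
    vid_body = bytes(range(16))                              # arbitrary vendor ID bytes
    well_formed = build_packet([(1, sa_body), (13, vid_body)])
    # SA payload header claims 1024 bytes while only 12 bytes follow the ISAKMP header.
    overclaimed = (ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 40)
                   + PAYLOAD_HDR.pack(0, 0, 1024) + sa_body)
    # Header length field says 8192 bytes; the datagram is 60.
    bad_header_len = build_packet([(1, sa_body), (13, vid_body)], declared_length=8192)
    return {"well_formed": well_formed, "overclaimed": overclaimed,
            "bad_header_len": bad_header_len, "truncated": well_formed[:20]}


def triage(data):
    """Return just the anomaly list for a datagram (what a capture-triage script would log)."""
    return parse_isakmp(data)[2]


if __name__ == "__main__":
    for label, pkt in sample_packets().items():
        header, payloads, anomalies = parse_isakmp(pkt)
        print("%-15s %d bytes, payloads=%s" % (label, len(pkt), [p["type"] for p in payloads]))
        for a in anomalies:
            print("    ! " + a)
```

The parser stops at the first inconsistent payload rather than trusting the remaining chain; a responder that instead honours the claimed length and copies or echoes that many bytes is exactly how memory beyond the packet ends up in a reply. Run over a pcap of UDP/500 traffic, the anomaly list is a reasonable first filter for probes aimed at this class of bug, though it is a structural check, not a signature for any specific tool.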

BENIGNCERTAIN affects many current Cisco device models

Back in August, researchers built a working proof-of-concept from the leaked code, but they tested it only on old Cisco PIX firewalls, a product line Cisco discontinued in 2009.

They limited their testing to these older PIX versions because clues in the BENIGNCERTAIN source code suggested it would only work against those devices.

Since then, Cisco has run its own tests with BENIGNCERTAIN and now says the flaw reaches well beyond PIX: devices running Cisco IOS, IOS XE, and IOS XR software can also be affected. The exact list of vulnerable products and software versions is in the Cisco security advisory.

No firmware updates available yet

When the Shadow Brokers dump appeared, Cisco was the first vendor to respond to the zero-days in the leaked files, quickly publishing advisories and fixes covering the attack tools known as EPICBANANA, JETPLOW, and EXTRABACON.

Over the following days, other networking hardware vendors also patched their products against the Shadow Brokers exploits.

At the time of writing, Cisco has not released a software update that addresses the BENIGNCERTAIN vulnerability, and its advisory lists no workaround; the only way to remove the exposure entirely is to take vulnerable devices off the network. The advisory does describe the attack as a crafted packet reaching a device configured to accept IKEv1 security negotiation requests, so until a fix ships the exposed surface is the IKEv1 service itself (UDP port 500, and 4500 when NAT traversal is in use), and limiting which hosts can reach it on vulnerable devices narrows, though does not close, the window.