PINDROP BLOG

Cisco Warns of Firewall 0-Day From Shadow Brokers Dump

The fallout from the release of a huge toolset believed to have been used by a team of NSA-linked hackers continues, as vendors have begun releasing advisories about some of the vulnerabilities exposed in the Equation Group files.

Cisco is among the first companies to warn customers about bugs in its products, specifically a high-severity flaw in its ASA and PIX firewalls. Those appliances are used widely in both enterprise and government environments, and the vulnerability affects all versions of the ASA firewalls, Cisco said. The bug is in the SNMP implementation in Cisco’s appliances, and the company said that it does not yet have a patch ready to fix it.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code,” Cisco said in its advisory.

“An exploit could allow the attacker to execute arbitrary code and obtain full control of the system.”

“The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

The Cisco vulnerability is just one of dozens revealed in the files posted several days ago by a group calling itself Shadow Brokers. The files apparently came from a server used by the Equation Group, a high-level hacking team that many observers believe to be affiliated with the NSA. The Equation Group’s attack platform and some of its tools were disclosed last year by researchers at Kaspersky Lab, who said this week that the Shadow Brokers’ dump has a strong connection to the Equation Group.

Cisco said that there are some conditions that must be met in order for the ASA and PIX vulnerability to be exploited successfully.

“Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only,” the advisory said.
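The advisory quoted above says the bug is reached with crafted SNMP packets aimed at the appliance itself, over IPv4 only, and that the attacker must already know the SNMP community string. One defensive consequence is that SNMP traffic addressed to a firewall's own interfaces should come only from known management pollers and only with a non-default community. The following Python is an added example for this post, not Cisco's code and not anything from the Shadow Brokers files: it decodes the version and community string of SNMP v1/v2c messages with a minimal BER reader and flags requests to a firewall that come from an unexpected source, use a default or unknown community, or are malformed. The IP addresses, community strings and packets are constructed for the example; the small encoder exists only to build those sample packets.

```python
"""Monitoring rule for SNMP traffic aimed at a firewall's management plane.

Added example: not Cisco's code. Assumes a pcap-to-bytes front end feeds
(src_ip, dst_ip, udp_payload) tuples into evaluate(); that front end is not
shown. SNMP v1/v2c messages are BER: SEQUENCE { INTEGER version,
OCTET STRING community, PDU }. SNMPv3 carries no plaintext community and is
only identified here, not inspected.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

SNMP_V1, SNMP_V2C, SNMP_V3 = 0, 1, 3          # wire values of the version INTEGER
DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults that should never be live
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest", 0xA6: "InformRequest",
             0xA7: "Trap"}


@dataclass
class SnmpMsg:
    version: int
    community: Optional[str]   # None for v3
    pdu_type: Optional[str]    # None for v3


def _read_tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value at pos; raise ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length


def parse_snmp(packet: bytes) -> SnmpMsg:
    """Decode version, community and PDU type from an SNMP v1/v2c message."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    vtag, vval, p = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("version is not an INTEGER")
    version = int.from_bytes(vval, "big")
    if version == SNMP_V3:
        return SnmpMsg(version, None, None)
    ctag, cval, p = _read_tlv(body, p)
    if ctag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    ptag, _pval, _ = _read_tlv(body, p)
    pdu = PDU_NAMES.get(ptag, "unknown(0x%02x)" % ptag)
    return SnmpMsg(version, cval.decode("ascii", errors="replace"), pdu)


def evaluate(src: str, dst: str, packet: bytes, *, firewall_ips: Set[str],
             allowed_sources: Set[str], allowed_communities: Set[str]) -> List[str]:
    """Return finding tags for one UDP/161 datagram; empty list means benign."""
    findings: List[str] = []
    if dst not in firewall_ips:
        return findings                       # rule covers only the firewalls themselves
    if src not in allowed_sources:
        findings.append("unexpected-source")
    try:
        msg = parse_snmp(packet)
    except ValueError:
        findings.append("malformed-snmp")     # oversized/garbled fields deserve a look
        return findings
    if msg.version == SNMP_V3:
        return findings
    if msg.community in DEFAULT_COMMUNITIES:
        findings.append("default-community")
    elif msg.community not in allowed_communities:
        findings.append("unknown-community")
    return findings


# --- constructed sample traffic (BER encoder used only to build test packets) ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_get_request(version: int, community: str, request_id: int = 1) -> bytes:
    """Ordinary GetRequest for sysDescr.0, as a monitoring poller would send."""
    oid = bytes([0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])
    varbinds = _tlv(0x30, _tlv(0x30, oid + b"\x05\x00"))
    pdu = _tlv(0xA0, _tlv(0x02, bytes([request_id])) + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + varbinds)
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community.encode()) + pdu)


if __name__ == "__main__":
    policy = dict(firewall_ips={"192.0.2.1"}, allowed_sources={"198.51.100.10"},
                  allowed_communities={"mon-Xk39"})
    for src, pkt in [("198.51.100.10", build_get_request(SNMP_V2C, "mon-Xk39")),
                     ("203.0.113.9", build_get_request(SNMP_V2C, "public"))]:
        print(src, "->", evaluate(src, "192.0.2.1", pkt, **policy))
```

The rule deliberately ignores SNMP to hosts other than the firewalls so it stays quiet on ordinary poller traffic; a match on `unexpected-source` against a firewall is the signal the advisory's "only traffic directed to the affected system" condition makes worth alerting on.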

The Shadow Brokers release included not just information on the vulnerability, but also an exploit for it, making it especially dangerous. Cisco didn’t specify when a patch for the flaw would be available.
