Cisco, Fortinet validate exploits leaked by the Shadow Brokers

Get a copy of the upcoming book "Secure Operations Technology"

Cisco and Fortinet have released security advisories confirming that some of the exploits leaked by the Shadow Brokers work as intended.

exploits leaked

The entity released the batch as proof that the rest of the data they are selling (and have allegedly stolen from the Equation Group threat actor) is worth buying.

Cisco’s reaction

According to Omar Santos, the Principal Engineer in the Cisco Product Security Incident Response Team, the leaked data contains three references to exploits that affect Cisco ASA, Cisco PIX, and Cisco Firewall Services Module: EXTRABACON, EPICBANANA, and JETPLOW.

EXTRABACON exploits a zero-day buffer overflow vulnerability (CVE-2016-6366) in the SNMP code of the Cisco ASA, Cisco PIX, and Cisco Firewall Services Module. It allows attackers to execute arbitrary code and obtain full control of the system if certain requirements are met first (the affected device must be configured for SNMP with the snmp-server enable command, the attacker must know the SNMP community string).

There is currently no patch for the flaw, but Cisco has offered some workarounds and produced a Snort rule and a Legacy Cisco IPS Signature that should help with detecting exploitation of the issue.

EPICBANANA exploits an RCE flaw (CVE-2016-6367) in the command-line interface parser of Cisco Adaptive Security Appliance (ASA) Software. An attacker must be authenticated to trigger this vulnerability.

The flaw was known to and patched by Cisco in 2011, but the company now re-issued the original security advisory to remind those who haven’t implemented the patch (i.e. the software update containing it) to get on it fast, as the exploit is now public.

“JETPLOW is a persistent implant of EPICBANANA,” Santos finally explained, and linked to a document that explains how admins can check whether the software on a Cisco firewall running Cisco ASA Software has been modified.

Fortinet’s reaction

Fortinet has published an advisory about a cookie parser buffer overflow vulnerability in its FortiGate firmware that could allow remote code execution. The exploit for it is included in the leak, but Fortinet noted that the flaw was known and has already been patched.

The vulnerability exists in the firmware released before Aug 2012 (4.3.8 and below, 4.2.12 and below, 4.1.10 and below) and has been patched in versions 5.x and 4.3.9 or above.

The company has added that they are investigating whether other Fortinet products are vulnerable.

What now?

If the leaked data came from the Equation Group – a group that is widely believed to have ties to the NSA – it could mean that the agency knew about the zero-day bug in Cisco’s firewalls and didn’t disclose it to the company.

Add to this previous revelations that the NSA has been intercepting networking devices exported from the US and implanting them with backdoor surveillance tools, and you can see how these US companies’ executives might be angry.

Whether they can do something about it is doubtful: the Obama administration has allowed the NSA to keep flaws that can be used to serve “a clear national security or law enforcement need” secret.

The Shadow Brokers’ leak also includes exploits for flaws in networking devices by Juniper and Chinese manufacturers TOPSEC and Shaanxi Networkcloud Information Technology, but they have yet to comment on it.

One thing is sure, though: network admins around the world will have their hands full with updates and mitigations in the days to come.