The leaking of BENIGNCERTAIN, an NSA exploit targeting a vulnerability in legacy Cisco PIX firewalls that allows attackers to eavesdrop on VPN traffic, has spurred Cisco to search for similar flaws in other products – and they found one.
CVE-2016-6415 arises from insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests.
“The IKE protocol is used in the Internet Protocol Security (IPsec) protocol suite to negotiate cryptographic attributes that will be used to encrypt or authenticate the communication session,” the company explained.
The flaw affects Cisco IOS, Cisco IOS XE and Cisco IOS XR Software, and could allow unauthenticated, remote attackers to retrieve memory contents. This could result in the attackers extracting the decryption keys, and using them to decrypt the encrypted traffic that passes through the affected device.
“An attacker could exploit this vulnerability using either IPv4 or IPv6 on any of the listed UDP ports,” they added. “This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic can not trigger this vulnerability. IKEv2 is not affected. Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”
The vulnerability also exists in some Cisco PIX firewalls, which have not been supported since 2009.
If you’re using a Cisco device that runs one of the aforementioned software, check out the security advisory to see whether the version you’re running is vulnerable, and check back often to see when Cisco will provide a software update to address it.
Cisco pointed out there are no workarounds for addressing the flaw, and noted that its Product Security Incident Response Team is “aware of exploitation of the vulnerability for some Cisco customers who are running the affected platforms.”
Until a security update is provided, administrators of affected devices are advised to keep a close eye on them and to implement intrusion prevention and/or detection systems to spot exploitation attempts.
“Cisco IPS Signatures 7699-0 and Snort SIDs 40220(1), 40221(1), 40222(1) can detect attempts to exploit this vulnerability,” the company concluded.