Protect Your Business from the Newly Released NSA Exploits

Joshua Valentine

If you aren’t aware of the recent bombshell that hit the security (and geopolitical) community, take a look: http://tinyurl.com/hosofzd.

A group calling itself the "Shadow Brokers" claims to possess a large number of "cyber weapons": security exploits that affect border appliances such as firewalls and routers. They have published a free sample of their holdings; a second portion is being auctioned and has yet to be released. Security professionals around the globe, including some of us at CBTS, have been analyzing the free release. Here is what network, IT and security professionals need to be aware of and look out for.

The free release contains exploit code. The exploits mostly target Cisco, Fortinet, TOPSEC, Juniper, and WatchGuard products. We will briefly cover what we know thus far, what is most likely to impact our customers and the community, and what actions can be taken.

Cisco has published a write-up detailing the parts of the release that affect their products[1]. The two main issues are:
  1. A buffer overflow vulnerability in the SNMP code of the Cisco ASA, coined EXTRABACON
  2. A vulnerability in the ASA command-line interface that could allow an authenticated user to cause a denial of service (DoS) or execute arbitrary code, coined EPICBANANA
EXTRABACON targets a vulnerability in Cisco ASA, Cisco PIX, and Cisco Firewall Services Module products[2]. All Cisco ASA releases are affected and, as of this writing, Cisco has not released a fixed version. The Shadow Brokers release included a working exploit for this vulnerability. Cisco has, however, published a workaround in its advisory: restrict SNMP access to trusted management hosts only.

To exploit EXTRABACON, the attacker must be able to send SNMP traffic to an interface on which SNMP is enabled and must know a valid community string. In SNMPv1 and v2c, community strings act as passwords that control read-only and read-write access to SNMP data, and every request carries the string in clear text on the wire; a read-only string is enough for this exploit. Devices are commonly deployed with well-known defaults such as "public" and "private", which should be replaced with unique strings when the device is deployed. Beyond that, SNMP, ssh and telnet should not be reachable from the Internet at all; if those services are required remotely, limiting them to known management addresses is a business decision that will need to be made.
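The following is an added example, not code from the article or from Cisco's advisory, written in Python with only the standard library. It hand-encodes an SNMPv2c GetRequest and parses the community string back out of a raw datagram, to make the point concrete: in SNMPv1/v2c the community string is sent in the clear with every packet, so anyone who can observe management traffic, or who guesses a default such as "public", has what EXTRABACON needs. The `DEFAULT_COMMUNITIES` set and the sample packets are constructed for illustration; `snmp_get` is included only for use against a lab device you own.

```python
"""SNMPv1/v2c message encoder and header parser, standard library only."""
import socket

# Illustrative defaults to flag; extend with your own organisation's legacy strings.
DEFAULT_COMMUNITIES = {"public", "private"}
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, a harmless read-only object

def _encode_length(n: int) -> bytes:
    """BER length octets: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(payload)) + payload

def _encode_int(value: int) -> bytes:
    """Non-negative INTEGER; a leading zero byte is added when the high bit would be set."""
    if value < 0:
        raise ValueError("only non-negative integers are needed for these fields")
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get_request(community: str, oid: str = SYS_DESCR,
                      request_id: int = 1, version: int = 1) -> bytes:
    """Build a GetRequest; version 0 is SNMPv1, 1 is SNMPv2c."""
    varbind = _tlv(0x30, _encode_oid(oid) + b"\x05\x00")           # { oid, NULL }
    pdu = _tlv(0xA0, _encode_int(request_id) + _encode_int(0)       # GetRequest-PDU:
               + _encode_int(0) + _tlv(0x30, varbind))              # id, status, index, varbinds
    # The community string is a plain OCTET STRING right after the version field.
    return _tlv(0x30, _encode_int(version) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(packet: bytes):
    """Return (version, community) from a captured SNMPv1/v2c datagram.

    SNMPv3 (version 3) carries no community string and is rejected here.
    """
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(body, 0)
    version = int.from_bytes(ver, "big")
    if tag != 0x02 or version not in (0, 1):
        raise ValueError("not SNMPv1/v2c; no community string to recover")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("malformed message")
    return version, community.decode("latin-1")

def audit_capture(packets):
    """Flag each v1/v2c packet whose community string is a known default."""
    findings = []
    for pkt in packets:
        try:
            version, community = parse_header(pkt)
        except (ValueError, IndexError):   # SNMPv3, truncated or non-SNMP payloads
            continue
        if community in DEFAULT_COMMUNITIES:
            findings.append((version, community))
    return findings

def snmp_get(host: str, community: str, timeout: float = 2.0) -> bytes:
    """Send one GetRequest to UDP/161 and return the raw reply (lab devices you own only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community), (host, 161))
        return sock.recv(4096)

if __name__ == "__main__":
    # Constructed sample "capture": the community string is readable straight off the wire.
    sample = [build_get_request("public"), build_get_request("s3cr3t-ro-2016")]
    print(build_get_request("public").hex())
    print(audit_capture(sample))
```

Run `audit_capture` over the UDP/161 payloads from a packet capture of your management network: any hit means a default string is in use and visible to whoever can sniff that segment. Moving to SNMPv3 with authentication and privacy removes the clear-text string entirely, which is why `parse_header` refuses version 3 rather than pretending to recover one.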

The EPICBANANA exploit leverages a vulnerability that Cisco fixed in ASA Software Release 8.4(3); earlier releases are affected. The attacker must already be authenticated to the device's command line, reached over telnet or ssh, which is why the credentials and exposure of those services matter. It affects the Cisco ASA 5500/5500-X series, Cisco PIX firewalls, and Cisco Firewall Services Modules. There is no workaround; the remediation is to upgrade to 8.4(3) or newer. Again, a working exploit for this issue was disclosed by Shadow Brokers in their release.

Fortinet has released information on a buffer overflow vulnerability in its FortiGate firmware[3]. The affected versions are those released before August 2012, namely FortiGate FortiOS (FOS):
  • 4.3.8 and below
  • 4.2.12 and below
  • 4.1.10 and below
The vulnerability is triggered by a specially crafted HTTP request and can give the attacker control of execution on the device. It is mitigated by upgrading to FOS 5.x, or to FOS 4.3.9 or newer.
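As an added example (not from the article or from either vendor), the following Python functions do patch-level triage against the version ranges stated above: the FortiOS branches Fortinet lists, and the Cisco ASA 8.4(3) fix for EPICBANANA. The `inventory` rows are constructed input; the affected ranges are transcribed from this article, and any branch outside them is reported as unknown rather than assumed safe.

```python
"""Patch-level triage against the version ranges named in the advisories above."""
import re
from typing import Optional, Tuple

# FortiOS branches Fortinet lists as affected: (major, minor) -> last vulnerable patch level.
FORTIOS_LAST_VULNERABLE = {(4, 3): 8, (4, 2): 12, (4, 1): 10}

# EPICBANANA: fixed in Cisco ASA 8.4(3); everything older is affected.
ASA_EPICBANANA_FIXED = (8, 4, 3)

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.3.10', 'v4.3.10', '8.4(3)' or '9.1(7)19' into a tuple of ints.

    Comparing tuples of ints avoids the classic mistake of comparing version
    strings lexically, where '4.3.10' sorts before '4.3.8'.
    """
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)

def fortios_affected(version: str) -> Optional[bool]:
    """True if vulnerable, False if on a fixed release or 5.x, None if the branch is not listed."""
    v = parse_version(version)
    if v[0] >= 5:
        return False
    branch = v[:2]
    if branch not in FORTIOS_LAST_VULNERABLE:
        return None                  # e.g. 4.0.x: not in the advisory, confirm with the vendor
    patch = v[2] if len(v) > 2 else 0
    return patch <= FORTIOS_LAST_VULNERABLE[branch]

def asa_epicbanana_affected(version: str) -> bool:
    """True when the ASA release predates the 8.4(3) fix."""
    return parse_version(version)[:3] < ASA_EPICBANANA_FIXED

def triage(inventory):
    """inventory: iterable of (hostname, vendor, version); returns rows needing action.

    Vulnerable and unknown verdicts are both returned: an unlisted branch needs a
    human to check the vendor advisory, not a silent pass.
    """
    needs_action = []
    for host, vendor, version in inventory:
        if vendor == "fortinet":
            verdict = fortios_affected(version)
        elif vendor == "cisco-asa":
            verdict = asa_epicbanana_affected(version)
        else:
            verdict = None
        if verdict is not False:
            needs_action.append((host, vendor, version, verdict))
    return needs_action

if __name__ == "__main__":
    # Constructed inventory; in practice feed this from your CMDB or device exports.
    sample = [("fw-edge-1", "fortinet", "4.3.8"),
              ("fw-edge-2", "fortinet", "4.3.10"),
              ("asa-dc-1", "cisco-asa", "8.4(2)"),
              ("asa-dc-2", "cisco-asa", "9.1(7)19"),
              ("fw-lab", "fortinet", "4.0.5")]
    for row in triage(sample):
        print(row)
```

Note that `triage` only covers the two version-based issues on this page; EXTRABACON has no fixed release at the time of writing, so for it the question is whether SNMP is exposed and what community strings are in use, not which version is installed.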

WatchGuard has also released information on the portions of this release that affect their products[4]. Their advisory describes a script in the release which, given an already-authenticated session on a device, installs a backdoor on it. WatchGuard explains that this only affects older products in their lineup, namely the legacy RapidStream appliances, and that the affected RapidStream code did not carry over into current WatchGuard products.

This short summary hopefully underlines the importance of running up-to-date vendor software and maintaining a secure configuration. CBTS will continue to monitor this release as it develops and will share any information we find to help our customers. In the meantime, when was the last time your business had a penetration test? CBTS can help.
 
  1. http://blogs.cisco.com/security/shadow-brokers
  2. http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
  3. http://fortiguard.com/advisory/FG-IR-16-023
  4. https://www.secplicity.org/2016/08/16/nsa-equation-group-exploit-leak-mean/