Governance & Risk Management , Network Firewalls, Network Access Control , Next-Generation Technologies & Secure Development

After Equation Group Dump, Cisco Finds New Zero-Day Flaw

Active Attacks Target Numerous Products, Technology Giant Warns
After Equation Group Dump, Cisco Finds New Zero-Day Flaw
Photo: Diesmer Ponstein (Flickr/CC)

The fallout from the leak of the Equation Group's attack tools and exploits continues. Cisco has issued patches for several versions of its latest network operating systems that the company says attackers have been exploiting.

See Also: On Demand | Unleash the Firewall Across the Multi-Cloud

The latest vulnerability was uncovered by Cisco as it investigated deeper a set of attack tools released in mid-August by a mysterious group calling itself the Shadow Brokers. The tools came from the Equation Group, the nickname for a group of hackers that experts believe may be part of the NSA's Tailored Access Operations group (see Mystery Surrounds Breach of NSA-Like Spying Toolset).

Cisco's products were hit hard by the Equation Group leak, as it contained effective attack tools for a range of Cisco's firewall and networking products. Following the attack-tool dump, Cisco began taking a closer look at the code that runs its devices, leading to the discovery of this new zero-day vulnerability. The bug involves a flaw that is closely related to one found in its PIX firewall line, which was targeted by an Equation Group exploit called BENIGNCERTAIN.

The latest vulnerability affects many of Cisco's current networking operating systems, including IOS, IOS XE and IOS XR. Those systems run on everything from home office routers to carrier-grade equipment.

The finding shows that the Equation Group leak is still packing quite a punch. Cisco's latest disclosure means that just before the data dump in mid-August, the Equation Group likely knew of flaws in many of the company's products dating from 2002 through this month, which would have facilitated a powerful global spying arsenal.

Security researcher Mustafa Al-Bassam, a doctoral student at University College London who has been extensively analyzing the dump, made this claim on Twitter: "The NSA has been sitting on a zero day exploit to remotely grab VPN keys from Cisco firewalls for fourteen years."

Bug in Internet Key Exchange

The latest flaw to be identified lies in Internet Key Exchange version 1, or IKEv1. The problem is an insufficient condition check in code that deals with IKEv1 security negotiation requests, the company says.

"An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests," the Cisco advisory says. "A successful exploit could allow the attacker to retrieve memory contents, which could lead to the disclosure of confidential information."

Cisco is still figuring out exactly which versions of its IOS, IOS XE and IOS XR product lines are affected. "As the investigation progresses, Cisco will update this advisory with information about affected products, including the ID of the Cisco bug for each affected product," it says.

The flaw is similar to one targeted by BENIGNCERTAIN, which allows attackers to extract private VPN keys by triggering a PIX firewall to dump its memory. Cisco hasn't issued a patch for PIX because it stopped selling the devices in 2008 and halted support three years ago. Nonetheless, thousands of PIX firewalls are still in use.

Plenty of Patches

Cisco wasn't the only firewall and networking vendor affected by the data dump, which also contained tools and exploits targeting products made by Fortinet, Topsec and WatchGuard. But Cisco's widely used products arguably received the most attention after the leak.

In late August, Cisco patched a zero-day buffer overflow vulnerability that affected versions of its Adaptive Security Appliances. The flaw was targeted by an exploit that was code-named EXTRABACON (see NSA Pwned Cisco VPNs for 11 Years).

ASA devices were also targeted by another exploit called EPICBANANA, but that vulnerability was patched by Cisco in 2011.

The Shadow Brokers have been quiet since their first release. It's unclear how they were able to get the Equation Group's tools. One theory is that the tools were placed on a proxy server used to stage attacks and mistakenly left on it, as it's unlikely that the NSA was directly hacked.

In follow-up research, Kaspersky Lab found a strong connection between the code released by the Shadow Brokers and that of the Equation Group. The implementation of cryptography algorithms was nearly the same, Kaspersky's researchers say (see Confirmed: Leaked Equation Group Hacking Tools Are Real).

While many experts weren't exactly impressed by the coding skills displayed by the Equation Group, many found that the tools, implants and exploits worked as presented. Al-Bassam has published a guide to the tools on his website.

In light of the Equation Group leaks and other attacks, the U.S. Computer Emergency Readiness Team earlier this month issued a broad warning to administrators to be vigilant in defending crucial networking equipment such as firewalls, routers and switches (see While NSA Hacks, US-CERT Frets).

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.