Cisco acknowledges asa zero day exposed by shadowbrokers
August 18, 2016
Seid Yassin (557 articles)

Cisco acknowledges asa zero day exposed by shadowbrokers

Cisco has quickly provided a workaround for one of two vulnerabilities that was disclosed in the ShadowBrokers’ data dump and issued an advisory on the other, which was patched in 2011, in order to raise awareness among its customers. The networking giant today released advisories saying that it had acknowledged both flaws in its Adaptive Security Appliance (ASA), the newest of which was rated high severity; both of the vulnerabilities enable remote code execution.

The ShadowBrokers are an unknown group of hackers that emerged over the weekend with claims it had hacked the Equation Group, a top-of-the-line APT believed to be the NSA. The group started an online auction of the Equation Group exploits it allegedly had in its possession. Late yesterday afternoon, researchers at Kaspersky Lab confirmed a connection between the available tools up for auction and previous exploits and malware frameworks belonging to the Equation Group. Most of the exploits in yesterday’s dump are for high-end enterprise networking gear, including Cisco, Juniper and Fortinet firewalls.

Fortinet today said that versions lower than 4.x of Fortigate firmware are affected by the vulnerability in the ShadowBrokers data dump, and users are urged to upgrade to 5.x immediately. Cisco said today it has not yet released software updates for ASA that address the zero-day vulnerability; there are workarounds as well that Cisco recommends until patches can be applied. The zero-day is in ASA’s SNMP implementation that could allow an unauthenticated remote attacker to remotely execute code on the box.

Cisco said it has released an IPS signature, Legacy Cisco IPS Signature ID: 7655-0, and a Snort rule, ID: 3:39885. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” Cisco said in its advisory. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

The attacker must know the SNMP community string to exploit this vulnerability.” Cisco said its Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 9300 ASA, Security Module, Cisco PIX Firewalls, Cisco Firewall Services Module (FWSM) are affected.

Source | threatpost