Cisco has confirmed the legitimacy of two exploits found in a data dump of code released by the Shadow Brokers hacker group.

On 13 August, the mysterious hacking group announced an auction of files allegedly containing exploit code used by the Equation Group, a sophisticated threat actor which leverages unknown vulnerabilities in multiple vendor devices to conduct cyber espionage on behalf of the National Security Agency.

Cisco's researchers took a look at the files. They found attackers could leverage the exploit code to compromise Cisco ASA and legacy PIX firewalls. The company's exposure comes down to two vulnerabilities: one Cisco already knew about, and one it didn't.

The first, CVE-2016-6366, is a zero-day vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software. An unauthenticated, remote attacker could abuse the vulnerability to cause a reboot in affected products and achieve remote code execution (RCE). Cisco IPS and TALOS have both issued signatures to help detect exploitation of that flaw.

The second vulnerability, CVE-2016-6367, received a patch back in 2011. Located in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software, it could allow an authenticated, local attacker to create a denial-of-service (DoS) condition.

In total, researchers at the San Jose-based tech giant found three exploits in the Shadow Brokers' data dump that made use of the two vulnerabilities: EXTRABACON, EPICBANANA, and JETPLOW.
EXTRABACON abused CVE-2016-6366, while EPICBANANA leveraged CVE-2016-6367. As Cisco's Omar Santos explains in a blog post:
"The EPICBANANA malware has built-in functionality to connect to an affected device via telnet or SSH. The attacker must source the attack from an IP address that is allowed by the ssh or telnet commands in the Cisco ASA. This is why it is a best practice to only allow SSH or telnet connections from trusted sources and on certain interfaces only (such as the management interface)."
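One way to check an ASA running-config against the best practice Santos describes, as an added example that is not Cisco's code nor part of the original post. It assumes IPv4 `ssh`, `telnet` and `snmp-server host` lines in the standard ASA form (`ssh <ip> <mask> <interface>`), a management interface named `management`, and a constructed sample config:

```python
"""Flag ASA management-plane access (ssh/telnet/snmp) that is wider than it should be."""
import ipaddress
import re

# Interfaces on which remote management is acceptable (assumption for this example).
TRUSTED_MGMT_INTERFACES = {"management"}

# Matches "ssh|telnet <ip> <mask> <interface>"; other ssh/telnet settings have a
# different token count or fail the address parse below and are skipped.
ACCESS_RE = re.compile(r"^\s*(ssh|telnet)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SNMP_HOST_RE = re.compile(r"^\s*snmp-server host\s+(\S+)\s+(\S+)")


def audit_asa_config(config_text, trusted_ifaces=TRUSTED_MGMT_INTERFACES):
    """Return a list of (line_number, finding) for overly exposed management access."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, iface = m.groups()
            try:
                net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            except ValueError:
                continue  # e.g. "ssh key-exchange group ..." is not an access line
            if net.prefixlen == 0:
                findings.append((lineno, f"{proto} allowed from any source on {iface}"))
            if iface.lower() not in trusted_ifaces:
                findings.append((lineno, f"{proto} allowed on non-management interface {iface}"))
            if proto == "telnet":
                findings.append((lineno, "telnet is cleartext; prefer ssh"))
            continue
        m = SNMP_HOST_RE.match(line)
        if m:
            iface, host = m.groups()
            if iface.lower() not in trusted_ifaces:
                findings.append((lineno, f"snmp host {host} served on non-management interface {iface}"))
    return findings


# Constructed sample config; addresses are from documentation/private ranges.
SAMPLE_CONFIG = """\
hostname asa-edge
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.0.0 255.255.255.0 management
telnet 192.168.1.0 255.255.255.0 inside
snmp-server host outside 203.0.113.5 community public
snmp-server host management 10.10.0.20 community s3cr3t
"""

if __name__ == "__main__":
    for lineno, finding in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {finding}")
```

Lines that survive the audit with no findings are the ones restricted to a trusted source network on the management interface, which is the configuration the quoted advice calls for.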
JETPLOW is essentially a persistent version of EPICBANANA. Customers with affected software are urged to implement the available rules and patches as soon as possible. In the meantime, following Kaspersky's finding that the leaked files overall bear a "strong connection" to the Equation Group, it remains to be seen which other vendors will step forward and confirm vulnerabilities. With that in mind, stay tuned, and get ready to do some more patching!