Pierluigi Paganini August 18, 2016

Customers of Cisco and Fortinet security firms need to patch their products to fix the flaws exploited by the Equation Group exploits and hacking tools.

While security experts are analyzing the hacking tools leaked in the data dump by the Shadow Brokers, security firms are working to fix the vulnerabilities exploited by the Equation Group toolsets.

Both Fortinet and Cisco have issued patches to address exploits that were leaked online, the list of affected products includes versions of Cisco’s PIX and ASA firewalls and versions of Fortinet Fortigate firewalls.

Cisco has confirmed that the two exploits EPICBANANA and EXTRABACON can be used to achieve remote code execution on Cisco firewalls.

Cisco confirmed that the code leaked by the “Shadow Brokers” includes exploits for the following flaws:

• Cisco ASA SNMP Remote Code Execution Vulnerability
• Cisco ASA CLI Remote Code Execution Vulnerability

The Cisco ASA SNMP Remote Code Execution vulnerability is a newly found vulnerability, both TALOS and Cisco IPS have produced signatures to detect them:

• Snort Rule ID: 3:39885
• Legacy Cisco IPS Signature ID: 7655-0

The Cisco ASA CLI Remote Code Execution Vulnerability was addressed in a defect fixed in 2011.

Fortinet also confirmed the bugs in its systems in a security advisory, the flaw is present in versions prior to 2012 of the FortiGate firmware.

The company informed its customers of the presence of a cookie parser buffer overflow, confirming that Versions 5.x are not affected.

“FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.” states the advisory.
 
“Affected firmware versions are lower versions of 4.x firmware release.  
FOS 5.x firmware is NOT affected.”

“This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over”, the advisory says. If a product can support 5.x firmware, that should be installed; if not, version 4.3.9 or above also fixes it.”

Customers of the company targeted by the exploits included in the leaked archive are invited to read the security advisory from the security vendors and to adopt the necessary countermeasure.

Let’s remind that despite the vast majority of the files is dated back 2013, in some cases the hacking tools could result still effective.

Stay Tuned

Pierluigi Paganini

(Security Affairs –  The Equation Group, ATP)