NSA BENIGNCERTAIN tool can obtain VPN Passwords from CISCO PIX

Researchers tested the BENIGNCERTAIN tool included in the NSA data dump that allows attackers to extract VPN passwords from certain Cisco devices.

Following the disclosure of the NSA dump, IT vendors Cisco and Fortinet issued security patches to fix the flaws exploited by the Equation Group in their products.

BENIGNCERTAIN, Equation Group

Now, security researchers have uncovered another exploit included in the leaked dump, dubbed BENIGNCERTAIN that allows the extraction of VPN passwords from certain Cisco devices.

The expert Mustafa Al-Bassam who analyzed the data dump has called the attack “PixPocket” after the name of the Cisco products hacked by the tool, the Cisco PIX.

The CISCO PIX product family was declared phase out back in 2009, but it is widely adopted by government entities and enterprises.

According to the expert, the tool works against the CISCO PIX versions 5.2(9) up to 6.3(4).

Al-Bassam discovered that the tool could be used to send a packet to the target machine that makes it dump a portion of the memory that includes the VPN’s authentication password.

The security expert Brian Waters also tested the BENIGNCERTAIN exploits confirming that it works.

“it’s a PIX 501 running 6.3(5)145; and I used v1110 of the exploit” added 501 running 6.3(5)145; and I used v1110 of the exploit” added Waters in a second Tweet, this means that the BENIGNCERTAIN could work also against other versions of the PIX.

This means that NSA could have remotely sent a packet to a target VPN to obtain its preshared key and decrypt the traffic.

Cisco published the blog post titled “The Shadow Brokers EPICBANANAS and EXTRABACON Exploits” to provide further details about its investigation of the tools included in the arsenal of the Equ ation Group leaked online.

The Cisco security team is still investigating the content of the leaked data dump to verify the if other hacking tools could be exploited against its products.

“On August 19th, articles were release regarding the BENIGNCERTAIN exploit potentially being used to exploit legacy Cisco PIX firewalls. Our investigation so far has not identified any new vulnerabilities in current products related to the exploit. Even though the Cisco PIX is not supported and has not been supported since 2009 (see EOL / EOS notices), out of concern for customers who are still using PIX we have investigated this issue and found PIX versions 6.x and prior are affected. PIX versions 7.0 and later are confirmed to be unaffected by BENIGNCERTAIN. The Cisco ASA is not vulnerable.” wrote CISCO.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – BENIGNCERTAIN, Equation Group)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.