CVE-2016-6415 – CISCO confirms a new Zero-Day linked to Equation Group hack

Cisco revealed the existence of another zero-day vulnerability, tracked as CVE-2016-6415, in the Equation Group archive leaked by the Shadow Broker hackers.

This summer a group of hackers known as Shadow Brokers hacked into the arsenal of the NSA-linked group Equation Group and leaked roughly 300 Mb of exploits, implants, and hacking tools.

The existence of the Equation Group was revealed in February 2015 by security researchers at Kaspersky. The alleged nation-state actor has been operating since 2001 and targeted practically every industry with  sophisticated zero-day exploits.

According to a report from Kaspersky Lab, the Equation Group combined sophisticated and complex Tactics, Techniques, and Procedures. The experts at Kaspersky speculated that the Equation Group had interacted with operators behind Stuxnet and Flame. Based on the elements collected in the various cyber espionage campaigns across the years, the experts hypothesized that the National Security Agency (NSA) could be linked to the Equation Group.

After Shadow Brokers leaked the archive online, major vendors like CISCO, Juniper, and Fortinet analyzed their systems in order to find the vulnerabilities exploited by the Equation Group’ exploits and fix them.

CISCO, for example, discovered in the arsenal a tool dubbed EXTRABACON that was able to hack into CISCO ASA boxes.

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The EXTRABACON tool leverages on a flaw that resides in the Simple Network Management Protocol (SNMP) implemented by the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory  published by CISCO.

At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.

The analysis of material leaked online revealed the existence of another exploit dubbed BENIGNCERTAIN that allows the extraction of VPN passwords from certain Cisco devices.

The expert Mustafa Al-Bassam who analyzed the data dump has called the attack “PixPocket” after the name of the Cisco products hacked by the tool, the Cisco PIX.

The CISCO PIX product family was declared phase out back in 2009, but it is widely adopted by government entities and enterprises.

According to the expert, the tool works against the CISCO PIX versions 5.2(9) up to 6.3(4). According to Cisco, the exploit does not affect PIX versions 7.0 and later, the IT giant confirmed on August 19 that it had not identified any new flaws linked to the BENIGNCERTAIN exploit.

Unfortunately, further analysis revealed that the flaw exploited by the BENIGNCERTAIN, tracked as CVE-2016-6415, also affects products running IOS, IOS XE and IOS XR software.

The CVE-2016-6415 resides in the IKEv1 packet processing code. A remote, unauthenticated attacker could exploit it retrieve memory contents.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.

The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.

CISCO confirmed that all the firewalls belonging to the PIX family and all the products running affected versions of IOS, IOS XE and IOS XR are vulnerable if they are configured to use IKEv1.

The bad new is CISCO is aware of cyber attacks against some customers trying to exploit the vulnerability.

Waiting for security patches for CVE-2016-6415, CISCO has published indicators of compromise (IoC) and urge its customers to protect vulnerable products with IPS and IDS solutions.

“This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic can not trigger this vulnerability. IKEv2 is not affected,” Cisco said. “Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  The Equation Group ATP, CVE-2016-6415)