Pierluigi Paganini
September 21, 2016
Recently experts from CISCO discovered a vulnerability, tracked as CVE-2016-6415, in IOS system,while investigating the Equation Group‘s exploits leaked by the Shadow Broker hacker group. In particular, experts from CISCO were evaluating the impact of the BENIGNCERTAIN exploit. The experts also discovered another zero-day exploit dubbed EXTRABACON that could be used to hack CISCO ASA software.
The CVE-2016-6415 resides in the IKEv1 packet processing code. A remote, unauthenticated attacker could exploit it retrieve memory contents.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.
The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.
Which is the real impact of the CVE-2016-6415 vulnerability?
The Shadowserver Foundation tried to provide further information to estimate the impact of the vulnerability in the wild, it has conducted an Internet scan for the Internet Security Association and Key Management Protocol (ISAKMP), which is a part of IKE.
“This scan is looking for devices that contain a vulnerability in their IKEv1 packet processing code that could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. More information on this issue can be found on Cisco’s site at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1” reads the page related to the Vulnerable ISAKMP Scanning Project.
“The goal of this project is to identify the vulnerable systems and report them back to the network owners for remediation. Information on these vulnerable devices has been incorporated into our reports and is being reported on a daily basis.”
With the support of CISCO experts, the organization queried all computers with routable IPv4 addresses that are exposed on the Internet without firewall protection. They used a specifically crafted 64 byte ISAKMP packet collecting the response from the scanned appliance.
“We normally tune our scans as tightly as possible to limit the impact on the end users as well as trying to be nice to the general network traffic. In this case we are not as tuned as we would like to be since we are having to do a full IKE negotiation making our packets almost 2600 bytes in size, at least in the first sets of tests. With a huge amount of assistance from Cisco we were able to reduce the packet size down to 64 bytes. ” reads the page on the “ISAKMP Scanning and Potential Vulnerabilities.”
The scan results are disconcerting, the experts discovered more than 840,000 unique IP addresses related to appliances vulnerable to the CVE-2016-6415 exploit.
Below the Top 20 countries with vulnerable ISAKMP
| Country | Total |
|---|---|
| United States | 255,606 |
| Russian Federation | 42,281 |
| United Kingdom | 42,138 |
| Canada | 41,115 |
| Germany | 35,132 |
| Japan | 33,092 |
| Mexico | 26,970 |
| France | 26,818 |
| Australia | 22,827 |
| China | 22,767 |
| Italy | 21,308 |
| Netherlands | 17,812 |
| Poland | 14,630 |
| Spain | 11,811 |
| Turkey | 10,355 |
| Brazil | 9,298 |
| Czech Republic | 8,943 |
| Ukraine | 8,514 |
| India | 8,282 |
| Korea, Republic of | 8,058 |
The highest percentage of vulnerable devices were in the United States (255,000), six times more than Russia (42,000), United Kingdom (42,000) and Canada (41,000). The experts also analyzed the autonomous system numbers (ASNs),discovering a predominance of Comcast and AT&T’s network IPs.
Below the top 20 ASNs With Vulnerable ISAKMP
| ASN | AS Name | Country | Total |
|---|---|---|---|
| AS7922 | COMCAST-7922 | US | 35,429 |
| AS7018 | ATT-INTERNET4 | US | 23,660 |
| AS8151 | Uninet | MX | 21,014 |
| AS3215 | AS3215 | FR | 16,427 |
| AS209 | CENTURYLINK-US-LEGAC | US | 14,445 |
| AS3320 | DTAG | DE | 13,991 |
| AS4713 | OCN | JP | 11,460 |
| AS3269 | ASN | IT | 10,265 |
| AS5089 | NTL | GB | 9,389 |
| AS4134 | CHINANET | CN | 9,203 |
| AS701 | UUNET | US | 8,766 |
| AS22773 | ASN-CXA-ALL-CCI-2277 | US | 8,722 |
| AS1221 | ASN | AU | 8,194 |
| AS20115 | CHARTER-NET-HKY-NC | US | 8,028 |
| AS7029 | WINDSTREAM | US | 8,015 |
| AS2856 | BT-UK | GB | 7,265 |
| AS9121 | TTNET | TR | 7,159 |
| AS6167 | CELLCO-PART | US | 6,758 |
| AS10796 | SCRR-10796 | US | 6,733 |
| AS2514 | INFOSPHERE | JP | 6,688 |
According to Shadowserver, there is no evidence that the products of vendors other than Cisco are affected by the vulnerability, but the organization noted that it is not a conclusive test.
Cisco has released an online tool that allows its customers to determine if their products are affected by the CVE-2016-6415 flaw.
[adrotate banner=”9″]
(Security Affairs – The Equation Group ATP, CVE-2016-6415)
Cyber Crime / November 15, 2024
