Over 840,000 Cisco systems affected by the Equation Group’s flaw CVE-2016-6415

Pierluigi Paganini September 21, 2016

The Shadowserver Foundation has conducted a scan of the Internet for CISCO devices running IOS software affected by the CVE-2016-6415 vulnerability.

Recently experts from CISCO discovered a vulnerability, tracked as CVE-2016-6415, in IOS system,while investigating the Equation Group‘s exploits leaked by the Shadow Broker hacker group. In particular, experts from CISCO were evaluating the impact of the BENIGNCERTAIN exploit. The experts also discovered another zero-day exploit dubbed EXTRABACON that could be used to hack CISCO ASA software.

The CVE-2016-6415 resides in the IKEv1 packet processing code. A remote, unauthenticated attacker could exploit it retrieve memory contents.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.

The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.

Which is the real impact of the CVE-2016-6415 vulnerability?

The Shadowserver Foundation tried to provide further information to estimate the impact of the vulnerability in the wild, it has conducted an Internet scan for the Internet Security Association and Key Management Protocol (ISAKMP), which is a part of IKE.

“This scan is looking for devices that contain a vulnerability in their IKEv1 packet processing code that could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information. More information on this issue can be found on Cisco’s site at: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1” reads the page related to the Vulnerable ISAKMP Scanning Project.

“The goal of this project is to identify the vulnerable systems and report them back to the network owners for remediation. Information on these vulnerable devices has been incorporated into our reports and is being reported on a daily basis.”

With the support of CISCO experts, the organization queried all computers with routable IPv4 addresses that are exposed on the Internet without firewall protection. They used a specifically crafted 64 byte ISAKMP packet collecting the response from the scanned appliance.

“We normally tune our scans as tightly as possible to limit the impact on the end users as well as trying to be nice to the general network traffic.  In this case we are not as tuned as we would like to be since we are having to do a full IKE negotiation making our packets almost 2600 bytes in size, at least in the first sets of tests.  With a huge amount of assistance from Cisco we were able to reduce the packet size down to 64 bytes. ”  reads the page on the “ISAKMP Scanning and Potential Vulnerabilities.”


The scan results are disconcerting, the experts discovered more than 840,000 unique IP addresses related to appliances vulnerable to the CVE-2016-6415 exploit.

Below the Top 20 countries with vulnerable ISAKMP

Country Total
United States 255,606
Russian Federation 42,281
United Kingdom 42,138
Canada 41,115
Germany 35,132
Japan 33,092
Mexico 26,970
France 26,818
Australia 22,827
China 22,767
Italy 21,308
Netherlands 17,812
Poland 14,630
Spain 11,811
Turkey 10,355
Brazil 9,298
Czech Republic 8,943
Ukraine 8,514
India 8,282
Korea, Republic of 8,058

The highest percentage of vulnerable devices were in the United States (255,000), six times more than Russia (42,000), United Kingdom (42,000) and Canada (41,000). The experts also analyzed the autonomous system numbers (ASNs),discovering a predominance of Comcast and AT&T’s network IPs.

Below the top 20 ASNs With Vulnerable ISAKMP

ASN AS Name Country Total
AS7922 COMCAST-7922 US 35,429
AS7018 ATT-INTERNET4 US 23,660
AS8151 Uninet MX 21,014
AS3215 AS3215 FR 16,427
AS3320 DTAG DE 13,991
AS4713 OCN JP 11,460
AS3269 ASN IT 10,265
AS5089 NTL GB 9,389
AS4134 CHINANET CN 9,203
AS701 UUNET US 8,766
AS22773 ASN-CXA-ALL-CCI-2277 US 8,722
AS1221 ASN AU 8,194
AS2856 BT-UK GB 7,265
AS9121 TTNET TR 7,159
AS10796 SCRR-10796 US 6,733

According to Shadowserver, there is no evidence that the products of vendors other than Cisco are affected by the vulnerability, but the organization noted that it is not a conclusive test.

Cisco has released an online tool that allows its customers to determine if their products are affected by the CVE-2016-6415 flaw.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  The Equation Group ATP, CVE-2016-6415)

you might also like

leave a comment