Cisco and Fortinet release advisories on the Equation Group data leak

    In the previous post we looked in more detail at the contents of the archive of Equation Group data that was leaked online, and noted that the names of the exploits and malware implants (components) match names from the NSA ANT catalog. Cisco and Fortinet (FortiGate firewalls) were among the vendors whose devices the exploits target. For Cisco, there are two exploits for Cisco ASA, PIX and Firewall Services Module devices, carrying the ANT names EXTRABACON (EXBA) and EPICBANANA (EPBA). The first is a 0-day: it uses a previously unknown vulnerability, now assigned CVE-2016-6366 (Cisco ASA SNMP RCE). The second is a 1-day: it uses an already patched vulnerability, CVE-2016-6367 (Cisco ASA CLI RCE).

    Below is information from the Cisco blog that maps the Equation Group exploit names to the corresponding vulnerabilities. It also mentions the JETPLOW implant, which serves as a firmware backdoor on the network device. A description of JETPLOW from the ANT slide follows.


    Exploit names and the associated vulnerabilities in Cisco products. Only the JETPLOW component provides persistence, i.e. it survives a reboot of the device.


    NSA ANT catalog slide that describes the JETPLOW implant for Cisco devices.

    EXTRABACON exploits an RCE vulnerability in the firmware of Cisco network devices, located in the code that processes and parses Simple Network Management Protocol (SNMP) packets. It affects the Cisco ASA, Cisco PIX and Cisco Firewall Services Module product families and lets an attacker execute code remotely on the device and gain full control of it.

    The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.

    Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability
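    The advisory names the bug class (a buffer overflow in the SNMP packet parser) and the precondition (the attacker must know the community string) without showing code. The following is an added, constructed model of that class written for this page; it is not Cisco ASA code and not the EXTRABACON payload. The message layout, the community string "public" and the single slot of "adjacent state" are all assumptions made so the example runs and can be checked offline. It puts the unbounded copy beside the one-line check that closes it, and shows why the community check in front of the parser is only a narrowing of who can reach the bug, not a fix. The Fortinet cookie parser overflow discussed further down is the same class of defect in a different protocol.

```c
/*
 * Constructed model of the bug class behind CVE-2016-6366: a parser that
 * authenticates the SNMP community string, then copies an attacker-chosen
 * number of OID sub-identifiers into a fixed-size array without comparing
 * that number with the array size. Example code for this page, NOT Cisco
 * ASA code. Hypothetical message layout (a simplified stand-in for SNMP/BER):
 *   [comm_len:1][community:comm_len][oid_count:1][sub-id:4 bytes big-endian] * oid_count
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_OID_LEN 16          /* OID slots available in the parsed request */
#define COMMUNITY   "public"    /* assumed community string for the example */
#define ADJACENT_SENTINEL 0xA5A5A5A5u

enum { PARSE_OK = 0, PARSE_BAD_COMMUNITY, PARSE_TOO_LONG, PARSE_MALFORMED };

struct parsed_request {
    /* mem models a stretch of device memory: MAX_OID_LEN slots for the OID
     * followed by ONE slot of unrelated adjacent state (a stand-in for a saved
     * pointer). Keeping both in one array means the "overflow" below stays
     * inside a real C object, so the example runs and can be asserted on
     * instead of crashing or invoking undefined behaviour. */
    uint32_t mem[MAX_OID_LEN + 1];
    size_t   oid_len;
};

static void init_request(struct parsed_request *req)
{
    memset(req, 0, sizeof *req);
    req->mem[MAX_OID_LEN] = ADJACENT_SENTINEL;
}

/* 1 if the state next to the OID slots was left untouched by the parser. */
int adjacent_state_intact(const struct parsed_request *req)
{
    return req->mem[MAX_OID_LEN] == ADJACENT_SENTINEL;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Shared by both parsers: a request with the wrong community string is dropped
 * before the OID is looked at. This is why the advisory says the attacker must
 * know the community string, and why a non-default string plus an ACL on SNMP
 * peers narrows who can reach the vulnerable code (it does not remove the bug). */
static int check_community(const uint8_t *pkt, size_t len, size_t *off)
{
    if (len < 2) return -1;
    size_t clen = pkt[0];
    if (1 + clen + 1 > len) return -1;             /* community and oid_count must fit */
    if (clen != strlen(COMMUNITY) || memcmp(pkt + 1, COMMUNITY, clen) != 0) return -1;
    *off = 1 + clen;                                /* position of oid_count */
    return 0;
}

/* VULNERABLE: the packet length is checked, so the input is never over-read,
 * but oid_count is never compared with MAX_OID_LEN, so the copy runs past the
 * OID slots into the adjacent state. */
int parse_request_vulnerable(const uint8_t *pkt, size_t len, struct parsed_request *req)
{
    size_t off, count;
    init_request(req);
    if (check_community(pkt, len, &off) != 0) return PARSE_BAD_COMMUNITY;
    count = pkt[off++];
    if (off + count * 4 > len) return PARSE_MALFORMED;
    for (size_t i = 0; i < count; i++)              /* bug: i can reach MAX_OID_LEN */
        req->mem[i] = be32(pkt + off + i * 4);
    req->oid_len = count;
    return PARSE_OK;
}

/* HARDENED: identical except for the one missing check, placed before the copy. */
int parse_request_hardened(const uint8_t *pkt, size_t len, struct parsed_request *req)
{
    size_t off, count;
    init_request(req);
    if (check_community(pkt, len, &off) != 0) return PARSE_BAD_COMMUNITY;
    count = pkt[off++];
    if (count > MAX_OID_LEN) return PARSE_TOO_LONG;  /* reject before touching mem[] */
    if (off + count * 4 > len) return PARSE_MALFORMED;
    for (size_t i = 0; i < count; i++)
        req->mem[i] = be32(pkt + off + i * 4);
    req->oid_len = count;
    return PARSE_OK;
}

/* Builds a constructed request with the correct community string and `count`
 * sub-identifiers (0x41000000 + index stands for attacker-chosen data). Returns
 * bytes written, or 0 if it does not fit. The model has exactly one slot of
 * adjacent state, so the overflow demo uses count == MAX_OID_LEN + 1. */
size_t build_request(uint8_t *buf, size_t cap, unsigned count)
{
    size_t clen = strlen(COMMUNITY);
    if (count > 255) return 0;
    size_t need = 1 + clen + 1 + (size_t)count * 4;
    if (need > cap) return 0;
    buf[0] = (uint8_t)clen;
    memcpy(buf + 1, COMMUNITY, clen);
    buf[1 + clen] = (uint8_t)count;
    uint8_t *p = buf + 2 + clen;
    for (unsigned i = 0; i < count; i++, p += 4) {
        uint32_t v = 0x41000000u + i;
        p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
        p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
    }
    return need;
}

int main(void)
{
    uint8_t pkt[512];
    struct parsed_request req;
    size_t n = build_request(pkt, sizeof pkt, MAX_OID_LEN + 1);
    int rc = parse_request_vulnerable(pkt, n, &req);
    printf("vulnerable: rc=%d adjacent state %s (0x%08x)\n", rc,
           adjacent_state_intact(&req) ? "intact" : "CLOBBERED", req.mem[MAX_OID_LEN]);
    rc = parse_request_hardened(pkt, n, &req);
    printf("hardened:   rc=%d adjacent state %s\n", rc,
           adjacent_state_intact(&req) ? "intact" : "CLOBBERED");
    return 0;
}
```

    Run as-is, the vulnerable parser reports success while the sentinel next to the OID slots has been replaced by the 17th attacker-supplied value; the hardened parser rejects the same packet with PARSE_TOO_LONG before writing anything. The input-length check that both parsers share is the part the original code had right; the defect is purely the missing comparison between the count and the destination size.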


    General diagram of how CVE-2016-6366 (EXTRABACON) operates.

    CVE-2016-6366 affects the following device models: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 9300 ASA Security Module, Cisco PIX Firewalls, Cisco Firewall Services Module (FWSM).

    At the time of writing, Cisco has not yet released a software update for this vulnerability.

    The EPICBANANA exploit uses an already known and patched vulnerability, CVE-2016-6367, in the following device models and products: Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco PIX Firewalls, Cisco Firewall Services Module (FWSM). The vulnerability has been fixed since Cisco ASA Software release 8.4(3).

    A vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device.

    Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability

    Where the exploits above provide the initial remote code execution on a network device, JETPLOW gives the attackers persistent, unrestricted access to it and the ability to run commands on it at any time. As the Cisco blog post points out, the Cisco Secure Boot protection can stop a device compromised by the JETPLOW implant from booting the tampered code, because it verifies the digital signatures of the firmware images before they are loaded.

    Cisco Secure Boot also mitigates this issue. Cisco Secure Boot is a secure startup process that the Cisco device performs each time it boots up. Beginning with the initial power-on, special purpose hardware verifies the integrity of the first software instructions that execute and establishes a chain of trust for the ROMMON code and the Cisco ASA image via digital signatures as they are loaded. If any failures are detected, the user is notified of the error and the device will wait for the operator to correct the error. This prevents the network device from executing compromised software.

    Fortinet has published security advisory FG-IR-16-023 (Cookie Parser Buffer Overflow Vulnerability), which covers the vulnerability used by the EGREGIOUSBLUNDER (EGBL) exploit. It affects FortiGate firmware (FOS) releases 4.3.8 and earlier and allows an attacker to take full control of the device with a specially crafted HTTP request. The FOS 5.x release family is not affected. The fix is contained in FOS 4.3.9 and later; devices on the older 4.1.x and 4.2.x branches have no patched release of their own and must be upgraded.
