Customers of certain Cisco and Fortinet security gear need to patch exploits made public this week after a purported hack of NSA malware.
Both companies have issued fixes to address exploits that were posted online and after they found the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.
Other exploits may affect WatchGuard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do this story will be updated.
UPDATE 1: WatchGuard says the dump includes an exploit that targeted appliances made by RapidStream, which WatchGuard bought in 2002. "This RapidStream exploit did not carry over into any WatchGuard appliances and is not a vulnerability for our current customers," a spokesperson says in an email. Detalis are in a WatchGuard blog here.
UPDATE 2: Juniper Networks is checking whether the revelations affect its gear. "We are currently reviewing all available information as related to the disclosures allegedly from the Equation Group, and will analyze any new information that becomes available," a spokesperson wrote in an email. "If a product vulnerability is identified, we will address the matter and communicate to our customers through our standard Juniper Security Advisory process.”
UPDATE 3: Juniper has updated its response to reports of attacks against some of its products. It says that has " tested and evaluated thousands of systems but has not found any evidence of a compromise." It refers customers to a related notification from 2008 that tells how to protect devices against such attacks.
The exploits were posted as proof that a group called Shadow Brokers actually had in its possession malware that it claimed it hacked from the NSA.
While the exploits date from 2013 at the latest, Cisco says it just learned about one of them when Shadow Brokers made it public. Cisco already knew about a second one and had patched for it. Fortinet’s lone security advisory is fresh.
Speculation is that Russia is behind releasing the exploits as a political move to blunt U.S. reaction to Russia’s alleged hack of the Democratic National Committee.
Cisco rates the threat level of the newly discovered vulnerability - Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability - as high because it could allow execution of remote code on affected devices and obtain full control. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” the advisory says.
Here is a list of the affected Cisco devices:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco PIX Firewalls
- Cisco Firewall Services Module (FWSM)
The other vulnerability - Cisco ASA CLI Remote Code Execution Vulnerability – is one Cisco has known about since 2011 when it issued a fix for it. The company has issued a fresh security advisory for it in order to raise awareness so customers will make sure they’ve got software versions that patch the problem.
This vulnerability is ranked medium, and if exploited “could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” the advisory says.
Cisco has posted a blog that details its vulnerabilities and fixes.
Fortinet has issued a security advisory for what it calls the Cookie Parser Buffer Overflow Vulnerability, whose importance it rates as high because it allows remote administrative access.
It affects certain Fortigate firmware called FOS released before August 2012. The affected versions are:
- FOS 4.3.8 and below
- FOS 4.2.12 and below
- FOS 4.1.10 and below
“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted,” according to an emailed statement from Fortigate. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products. If we identify any new information useful to our customers, we will share it through our responsible disclosure policy.”
This story, "Cisco, Fortinet issue patches against NSA malware" was originally published by Network World.