[BreachExchange] More than 840,000 Cisco devices are vulnerable to NSA-related exploit

Inga Goddijn inga at riskbasedsecurity.com
Wed Sep 21 17:49:24 EDT 2016


http://www.pcworld.com/article/3122871/more-than-840000-cisco-devices-are-vulnerable-to-nsa-related-exploit.html

More than 840,000 Cisco networking devices from around the world are
exposed to a vulnerability that's similar to one exploited by a hacking
group believed to be linked to the U.S. National Security Agency.

The vulnerability was announced by Cisco last week and it affects the IOS,
IOS XE, and IOS XR software that powers many of its networking devices. The
flaw allows hackers to remotely extract the contents of a device's memory,
which can lead to the exposure of sensitive information.

The vulnerability stems from how the OS processes IKEv1 (Internet Key
Exchange version 1) requests. This key exchange protocol is used for VPNs
(Virtual Private Networks) and other features that are popular in
enterprise environments.

Cisco discovered the vulnerability internally after analyzing an exploit
for Cisco PIX firewalls that was leaked last month by a hacking outfit
called Shadow Brokers. The exploit was part of a larger set of attack tools
that Shadow Brokers claimed are being used by a cyberespionage group known
in the security industry as the Equation, believed to be linked to the NSA.

Because other hackers could find the same flaw by analyzing the exploit
leaked by Shadow Brokers, Cisco decided to inform its customers about it
through a security advisory
<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1>,
even though the company is still working on developing and releasing
patches.

Many of the affected IOS, IOS XE, and IOS XR releases don't yet have fixed
versions, but Cisco released detection signatures for intrusion prevention
systems that could be used to protect networks from potential attacks.

The Shadowserver Foundation, an organization that tracks cybercrime and
assists with botnet takedowns, has started an internet-wide scan to find
Cisco devices affected by this vulnerability with the goal of reporting
them to their owners.

Its latest scan <https://isakmpscan.shadowserver.org/>, which ran for two
and a half hours on Wednesday, identified devices with 840,681 distinct IP
addresses that responded as vulnerable to the probe.

The U.S. is the country with the largest number of vulnerable devices --
255,606 -- followed by Russia with 42,281, and the United Kingdom with
42,138. Canada, Germany, Japan, Mexico, France, Australia, and China
complete the top 10.