Advertisement

Leaked NSA cyber weapons were more damaging to Cisco than originally thought

Though more than a month has past since a mysterious group leaked a toolset​ of supposedly NSA-linked​ cyber weapons online, the impacts of the disclosure are still being felt by one of the largest companies affected by those exploits. On Friday, internet network technology developer Cisco published yet another security advisory​ concerning a newly discovered software vulnerability.

Though more than a month has past since a mysterious group leaked a toolset of supposedly NSA-linked cyber weapons online, the impacts of the disclosure are still being felt by one of the largest companies affected by those exploits. 

On Friday, internet network technology developer Cisco published yet another security advisory concerning a newly discovered software vulnerability. 

Researchers at the company were prompted to scan Cisco’s IOS, IOS XE and IOS XR products for shared flaws that were also found to affect older versions of a popular firewall appliance. The aforementioned firewall software flaw — evident in older versions of Cisco PIX — was first publicized by a hacking collective calling themselves the Shadow Brokers on Aug. 15. 

Cisco has yet to deploy a patch for the IOS flaw, but already released IPS signatures and Snort rules as part of a risk mitigation effort. The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, while all IOS XE releases and various versions of IOS are impacted. 

Advertisement

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests,” Cisco wrote in its advisory. “An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests.”

Cisco’s IOS product line offers network infrastructure software, which is used in a range of different routers by commercial and enterprise clients.

“Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENINGCERTAIN, which the PIX IKE exploit[ed],” Omar Santos, principal engineer part of Cisco’s Product Security Incident Response Team, or PSIRT, told FedScoop. 

“It is not exactly the same as BENINGCERTAIN, but could lead to the same end results,” he added. 

The newly found vulnerabilities hidden in the IOS product line were discovered by an internal security testing team at Cisco, according to Santos. 

Advertisement

BENINGCERTAIN works by sending “an Internet Key Exchange, or IKE, packet to the victim machine, causing it to dump some of its memory. The memory dump [could] then be parsed to extract an RSA private key and other sensitive configuration information,” security researcher Mustafa Al-Bassam wrote

Cybersecurity firm Kaspersky previously linked this BENINGCERTAIN tool to the Equation Group, an elite hacking squad with reported connections to the NSA. 

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts