Leaked code that can overcome popular, pervasive computer network firewalls is live and in the wild.
Cisco (CSCO) and Fortinet (FTNT), firewall makers based in the United States, have warned their customers about recently revealed vulnerabilities in their products. The so-called Shadow Brokers, a pseudonymous hacker or group of hackers, this weekend claimed to have stolen these exploits from a top-tier cyberespionage unit known as the Equation Group, which experts have associated with the United States National Security Agency.
The companies issued advisories and, in some cases, fixes or workarounds, after determining—as several computer security researchers had done before them—that some of the exploits worked. Cisco and Fortinet machines were vulnerable to hacking for at least three years, since the portion of files leaked by the Shadow Brokers dated between 2010 and 2013.
Get Data Sheet, Coins2Day’s technology newsletter.
Cisco, the first to respond, acknowledged that its Adaptive Security Appliances, enterprise-grade networking gear, had holes. The first weakness—a zero-day vulnerability, or previously unknown bug—allowed attackers to remotely execute code on the machines. The exploit was code-named EXTRABACON in the leak.
Cisco published signatures for identifying the attack code, but no patch. Per the advisory: “An attacker could exploit this vulnerability by sending crafted SNMP packets”—or Simple Network Management Protocol data, used for managing devices on a network—”to the affected system,” the company said. “An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.”
One hacker who goes by the alias “XORcat” showed that he was able to disable authentication requirements on a machine using the technique. The exploit “will definitely cause some fatal network heart attacks,” commented Tal Be’ery, a security research manager at Microsoft (MSFT), on Twitter (TWTR).
The second hole—dubbed EPICBANANA in the leak—Cisco had plugged in 2011. The code allowed attackers to crash or run code on its appliances, although they would need access to certain passwords to do so. Despite the attack being five years old, the company issued an advisory “to increase its visibility with our customers,” as Cisco engineer Omar Santos put it in a blog post.
For more on Cisco, watch:
Fortinet also urged its customers to update their devices to defend against an exploit dubbed EGREGIOUSBLUNDER. Specifically, to update their FortiGate firewall firmware to the latest version, 5.0 and above; machines running versions dated earlier than August 2012 are vulnerable to takeover, the company said.
“We are actively working with customers and strongly recommend that all customers running 4.x versions update their systems with the highest priority,” a Fortinet spokesperson wrote in an email to Coins2Day. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products.”
Other companies whose products are mentioned in the NSA-linked exploit leak, such as Juniper Networks (BANANAGLEE) and the Chinese firm TopSec (ELIGIBLEBOMBSHELL), have been slower to react.
A Juniper Networks (JNPR) spokesperson told Coins2Day a statement that the company is “currently reviewing all available information as related to the disclosures allegedly from the Equation Group, and will analyze any new information that becomes available. If a product vulnerability is identified, we will address the matter and communicate to our customers through our standard Juniper Security Advisory process.”
TopSec, a Chinese manufacturer whose products also mentioned in the leak, has not responded to multiple requests for comment.
The Shadow Brokers’ dump appears to contain dozens of exploits, and the hackers have said that they have even more unreleased files, although no one has been able to verify the claim. If the exploits were stolen off a server used by the NSA (or filched by an insider), as some believe, then the three-year-old bugs—particularly the Cisco zero-day—raise questions about the government’s process for evaluating when and whether to disclose vulnerabilities to the public.
