posted by martyb on Friday August 26 2016, @07:29PM   Printer-friendly
from the Snowden's-Shadow dept.

Cisco is releasing patches for a flaw targeted by an exploit disclosed by an entity calling itself the Shadow Brokers:

Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.

ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.

[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.

There is speculation that the hacks are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English.

Previously:
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot


  • (Score: 0) by Anonymous Coward on Friday August 26 2016, @09:01PM

    by Anonymous Coward on Friday August 26 2016, @09:01PM (#393682)

    That sounds like a really backhanded way of saying you disagree with him.
    As in "Its impossible for me to agree any more than 0%."

    Frojo is prone to making up conspiracies that don't pass the laugh test. This one doesn't pass either because newer versions of the Cisco boxes are (a) not vulnerable but (b) do crash when poked in the same way. If they were collaborating with the NSA, then why "fix" it but still leave it broken enough to crash the system? Either leave it open or fix it completely and put a new vulnerability in place.

  • (Score: 3, Interesting) by Hyperturtle on Friday August 26 2016, @10:43PM

    by Hyperturtle (2824) on Friday August 26 2016, @10:43PM (#393720)

    I think that Cisco probably was aware of the problem, seeing as how it goes back to products that... well. They bought the PIX platform from another company way back when. The problem in question seems to have turned up shortly after they started releasing their own Cisco stamped code for it.

    Frojack and I may disagree on things, but I have to agree that this is too large of a bug to have gone unnoticed.

    The fact that it merely crashes newer platforms could suggest that they left it in place without doing testing against it when implementing new hardware or software functionality, since they probably haven't had the same QA team testing the NSA tools for the past 15+ years for various reasons. The rank and file would not even know to seek this out since it would be a secret--and the exploit is sort of specific in that a permitted SNMP server has to act as the host to launch the problem in question.

    Some future interim version and then production release would have likely fixed the problems you referenced, based on whatever feedback, or perhaps contributed code that got compiled in with little question, but we'll never know for sure.

    I just know that it is a good idea to patch the hole now that a fix is available, since anyone can find and download the tools. The attack vector is narrow, but there are plenty of misconfigured firewalls and unsecured administrative workstations to be found.

    • (Score: 0) by Anonymous Coward on Friday August 26 2016, @11:25PM

      by Anonymous Coward on Friday August 26 2016, @11:25PM (#393738)

      I find it hard to reconcile these two statements:

      > this is too large of a bug to have gone unnoticed.

      > the rank and file would not even know to seek this out since it would be a secret

      Also this is a statement that reveals ignorance:

      > the exploit is sort of specific in that a permitted SNMP server has to act as the host to launch the problem in question.

      There is nothing "specific" to the fact that a whitelisted snmp client must launch the exploit. If they weren't white-listed they couldn't talk to the snmp server at all.

      • (Score: 2) by Hyperturtle on Saturday August 27 2016, @12:12AM

        by Hyperturtle (2824) on Saturday August 27 2016, @12:12AM (#393765)

        OK, well I guess you disagree. I was referring to the snmp-server command required to include the IP address used as a source host. Perhaps you believed I meant something different. I'm going off what's been posted, and how one would actually go about permitting the connection on the firewall itself. I am not sure how a whitelisted connection is not specific, whether it's a client or a server. The command is snmp-server, so OK, I guess the server is a client to the ASA's data. However you want to phrase it, it doesn't matter. Maybe it says client in the GUI or something? I don't know what you're referencing that gave me the power to upset you like that.

        As to the bug being too large to go unnoticed, my stating that it seems to be too big of a bug to not get noticed was to lend credence to the conspiracy theory concept. Seems like it's sort of a big deal to not have been noticed. Are you suggesting maybe it was too small of a bug to be noticed? Perhaps I misunderstood it to mean that it was a big obvious bug no one knew about at Cisco and yet QA missed it and all of these versions over time somehow never got fixed, either.

        Perhaps, QA missed it for whatever reasons that one can generate. Maybe their scripts didn't include a check for this since the snmp server commands seemed to be doing what they claimed to do. Seems that code review at Juniper has had its lapses as well with their VPN issues. I'm not really even sure what you are trying to disagree with. Even if NSA wasn't to blame, they seem to have had enough time to put together some effective tools to exploit over a decade of releases of the same exploit.

        If it's a bug then that is bad. If it is complicit behaviors that introduced this feature, then that is bad. If they introduced it on purpose with an eye on helping gain valuable marketing material to provide personalized advertising, that's really bad. There's nothing good except they have finally patched it, but I don't actually have the tools in question to validate that. I am going to trust Cisco this time that it's fixed until I hear otherwise.

        You seem pretty harsh and have moved on to dismissing me for my ignorance; you're welcome to continue educating me but I don't find this style of lecture as the best means of changing my mind.

        In the spirit of cooperation, however, my response has hopefully provided some reconciliation of things for you. I am not sure what you are angry about, but if I am wrong, OK I guess. I still recommend considering patching firewalls affected by this, and still recommend everyone makes the effort to do so if they have it within their capability and it won't harm their environments. If you're angry at Frojack, OK. If you're angry at me, OK. At least you posted your thoughts.
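The two commenters above are arguing about the same precondition from different angles: ExtraBacon has to be launched from an address the ASA has been told to accept as an SNMP poller (via `snmp-server host`) and with a valid community string or SNMPv3 credentials. As an added example, not code from this thread or from Cisco, here is a Python audit that parses those lines out of a running-config and reports pollers that rely on a community string alone, use a well-known string, or are permitted on an untrusted interface. It assumes the ASA CLI form `snmp-server host <ifname> <ip> [trap|poll] [community <str>] [version 1|2c|3 <user>] [udp-port <n>]` plus the global `snmp-server community <str>`, and that a `trap`-only entry cannot poll the agent; both configs below are constructed for the demo (the interface names and the SNMPv3 user are made up). It finds exposure only; patching to a fixed release is still the fix.

```python
"""Audit a Cisco ASA running-config for the SNMP exposure ExtraBacon needs.

Added example for this discussion, not Cisco tooling.  Assumed syntax:
  snmp-server host <ifname> <ip> [trap|poll] [community <str>]
                   [version 1|2c|3 <user>] [udp-port <n>]
  snmp-server community <str>          (global fallback community)
A host marked "trap" only receives notifications and cannot poll.
"""
import re

# Strings attackers try first; the ASA compares communities case-sensitively,
# but we lower-case here because any case variant of these is a bad choice.
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin", "community"}

HOST_RE = re.compile(
    r"^snmp-server\s+host\s+(?P<ifname>\S+)\s+(?P<ip>\S+)"
    r"(?:\s+(?P<mode>trap|poll))?"
    r"(?:\s+community\s+(?P<community>\S+))?"
    r"(?:\s+version\s+(?P<version>1|2c|3)(?:\s+(?P<user>(?!udp-port)\S+))?)?"
    r"(?:\s+udp-port\s+\d+)?\s*$"
)
COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+(?P<community>\S+)\s*$")


def parse_config(text):
    """Return (list of (line, fields) for snmp-server host lines, global community)."""
    hosts, global_community = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            hosts.append((line, m.groupdict()))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            global_community = m.group("community")
    return hosts, global_community


def audit_asa_snmp(text, untrusted_ifaces=("outside",)):
    """Return a list of {"line": ..., "reasons": [...]} findings, in config order."""
    hosts, global_community = parse_config(text)
    findings = []
    if global_community and global_community.lower() in WEAK_COMMUNITIES:
        findings.append({"line": f"snmp-server community {global_community}",
                         "reasons": ["well-known community string set globally"]})
    for line, h in hosts:
        if h["mode"] == "trap":
            continue  # trap-only destination: it cannot send requests to the agent
        reasons = []
        if h["version"] != "3":
            # v1/v2c (or unspecified): the shared community string is the only
            # authenticator, so anyone who learns it and spoofs/holds this IP can poll.
            community = h["community"] or global_community
            reasons.append(f"v{h['version'] or '1/2c'} poller: community string "
                           "is the only authenticator")
            if community and community.lower() in WEAK_COMMUNITIES:
                reasons.append(f"well-known community string '{community}'")
        if h["ifname"] in untrusted_ifaces:
            reasons.append(f"poller permitted on untrusted interface '{h['ifname']}'")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


# Constructed sample: a typical "it works, ship it" SNMP setup.
SAMPLE_CONFIG = """\
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
snmp-server host outside 203.0.113.10 community public version 2c
snmp-server host inside 10.0.0.25 poll version 3 netmon
snmp-server host inside 10.0.0.30 trap community public
snmp-server community public
snmp-server enable
"""

# Constructed hardened counterpart: v3 auth+priv only, single poller on the
# management interface, no global community at all.
HARDENED_CONFIG = """\
snmp-server group NETMON v3 priv
snmp-server user netmon NETMON v3 auth sha Auth-Pass-Here priv aes 128 Priv-Pass-Here
snmp-server host management 10.0.0.25 poll version 3 netmon
snmp-server enable
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit_asa_snmp(cfg):
            print(f["line"])
            for r in f["reasons"]:
                print("   -", r)
```

Run it against `show running-config | include snmp-server` output; every reported host line is a place the commenters' "whitelisted SNMP client" precondition is already satisfied for an attacker who knows (or guesses) the string, and the hardened config shows the shape that leaves the audit empty.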