Customers of certain Cisco and Fortinet security gear need to patch exploits made public this week after a purported hack of NSA malware.
Both companies have issued fixes to address exploits that were posted online and after they found the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.
Other exploits may affect Watchguard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do this story will be updated.
The exploits were posted as proof that a group called Shadow Brokers actually had in its possession malware that it claimed it hacked from the NSA.
While the exploits date from 2013 at the latest, Cisco says it just learned about one of them when Shadow Brokers made it public. Cisco already knew about a second one and had patched for it. Fortinet’s lone security advisory is fresh.
Speculation is that Russia is behind releasing the exploits as a political move to blunt U.S. reaction to Russia’s alleged hack of the Democratic National Committee.
Cisco rates the threat level of the newly discovered vulnerability - Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability - as high because it could allow execution of remote code on affected devices and obtain full control. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” the advisory says.
Here is a list of the affected Cisco devices:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco PIX Firewalls
- Cisco Firewall Services Module (FWSM)
The other vulnerability - Cisco ASA CLI Remote Code Execution Vulnerability – is one Cisco has known about since 2011 when it issued a fix for it. The company has issued a fresh security advisory for it in order to raise awareness so customers will make sure they’ve got software versions that patch the problem.
This vulnerability is ranked medium, and if exploited “could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” the advisory says.
Cisco has posted a blog that details its vulnerabilities and fixes.
Fortinet has issued a security advisory for what it calls the Cookie Parser Buffer Overflow Vulnerability, whose importance it rates as high because it allows remote administrative access.
It affects certain Fortigate firmware called FOS released before August 2012. The affected versions are:
- FOS 4.3.8 and below
- FOS 4.2.12 and below
- FOS 4.1.10 and below
“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted,” according to an emailed statement from Fortigate. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products. If we identify any new information useful to our customers, we will share it through our responsible disclosure policy.”