Leaked NSA cyber weapons were more damaging to Cisco than originally thought

(Praytino / Flickr)



Though more than a month has passed since a mysterious group leaked a toolset of supposedly NSA-linked cyber weapons online, the impacts of the disclosure are still being felt by one of the largest companies affected by those exploits.

On Friday, internet network technology developer Cisco published yet another security advisory concerning a newly discovered software vulnerability.

Researchers at the company were prompted to scan Cisco’s IOS, IOS XE and IOS XR products for shared flaws that were also found to affect older versions of a popular firewall appliance. The aforementioned firewall software flaw — evident in older versions of Cisco PIX — was first publicized by a hacking collective calling themselves the Shadow Brokers on Aug. 15.

Cisco has yet to deploy a patch for the IOS flaw, but has already released IPS signatures and Snort rules as part of a risk mitigation effort. The vulnerability affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, while all IOS XE releases and various versions of IOS are impacted.

“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests,” Cisco wrote in its advisory. “An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests.”

Cisco’s IOS product line offers network infrastructure software, which is used in a range of different routers by commercial and enterprise clients.

“Based on the Shadow Brokers disclosure, Cisco started an investigation on other products that could be impacted by a vulnerability similar to BENIGNCERTAIN, which the PIX IKE exploit[ed],” Omar Santos, a principal engineer on Cisco’s Product Security Incident Response Team, or PSIRT, told Cyberscoop.

“It is not exactly the same as BENIGNCERTAIN, but could lead to the same end results,” he added.

The newly found vulnerabilities hidden in the IOS product line were discovered by an internal security testing team at Cisco, according to Santos.

BENIGNCERTAIN works by sending “an Internet Key Exchange, or IKE, packet to the victim machine, causing it to dump some of its memory. The memory dump [could] then be parsed to extract an RSA private key and other sensitive configuration information,” security researcher Mustafa Al-Bassam wrote.

Cybersecurity firm Kaspersky previously linked this BENIGNCERTAIN tool to the Equation Group, an elite hacking squad with reported connections to the NSA.