Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA’s Equation Group, which was designed to target major vendors including, Cisco, Juniper, and Fortinet.
A hacking exploit, dubbed ExtraBacon, leveraged a zero-day vulnerability (CVE-2016-6366) resided in the Simple Network Management Protocol (SNMP) code of Cisco ASA software that could allow remote attackers to cause a reload of the affected system or execute malicious code.
Cisco analyzed the exploit and noted that it had not identified any new flaws related to this exploit in its current products.
But, further analysis of Benigncertain revealed that the exploit also affects Cisco products running IOS, IOS XE and IOS XR software.
Benigncertain leveraged the vulnerability (CVE-2016-6415) that resides in the IKEv1 packet processing code and affects several Cisco devices running IOS operating system and all Cisco PIX firewalls.
IKE (Internet Key Exchange) is a protocol used for firewalls, to provide virtual private networks (VPNs), and even manage industrial control systems.
A remote, unauthorized attacker could use this vulnerability to retrieve memory contents from traffic and disclose critical information such as RSA private keys and configuration information by sending specially crafted IKEv1 packets to affected devices.
Cisco’s IOS operating system XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, as well as PIX firewalls versions 6.x and earlier, are vulnerable to this flaw, though the company has not supported PIX since 2009.
Neither Cisco has developed a patch for the flaw, nor any workarounds are available.
The company said the vulnerability is currently under exploit, advising its customers to employ intrusion detection system (IDS) and intrusion prevention systems (IPS) to help stop the attacks.
Cisco promised to release software updates to patch CVE-2016-6415 but did not specify a time frame.