UPDATED 01:06 EDT / AUGUST 18 2016

Cisco confirms alleged hack of group linked to NSA is real, issues security warning

Cisco Systems, Inc. has confirmed that the alleged hacking of a group tied to the National Security Agency (NSA) is real by issuing a security warning in response to a tool, offered by the hackers, that could compromise a number of its products.

The hack, undertaken by a hacker or hackers known as “The Shadow Brokers” against Equation Group, a group long linked to the NSA, saw the theft of advanced hacking tools, including installation scripts, configurations for command and control servers, and exploits targeted at specific routers and firewalls. The stolen tools were then offered for sale on the dark web.

Among the files offered by the group was a remote code execution exploit called EXTRABACON that targeted a vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software. The vulnerability could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.

According to a bug report from Cisco, the vulnerability is due to a buffer overflow in the affected code area, which an attacker could exploit by sending crafted SNMP packets to the affected system.

Once in, the attacker could, in theory, execute arbitrary code and obtain full control of the system, or cause a reload of the affected system.

Affected products include:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

“On August 15th, 2016, Cisco was alerted to information posted online by the ‘Shadow Brokers’, which claimed to possess disclosures from the Equation Group,” Cisco Product Security Incident Response Team Principal Engineer Omar Santos explained in a separate blog post. “The files included exploit code that can be used against multi-vendor devices, including the Cisco ASA and legacy Cisco PIX firewalls.”

“The Shadow Brokers’ post was offering to auction off the stolen data in exchange for a payment reaching one million Bitcoins,” he added. “A small sample of the allegedly stolen files was released and is dated around 2013 or older.”

Fix

Cisco advised administrators to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command. It also noted that an attacker must know the community strings to successfully launch an attack against an affected device.

Community strings are described as passwords that are applied to an ASA device to restrict both read-only and read-write access to the SNMP data on the device.

“These community strings, as with all passwords, should be carefully chosen to ensure they are not trivial,” Cisco advises. “Community strings should be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the company.”

Cisco added that it is currently working on a permanent fix for supported releases, but did not detail when it would be available.
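The two mitigations in the Fix section above (restrict SNMP to trusted hosts, avoid trivial community strings) can be checked mechanically against an ASA-style configuration. The following audit script is an added example written for this article, not Cisco's own tooling; the sample configuration, the list of "trivial" strings and the 12-character length threshold are all constructed assumptions, since Cisco publishes no such list or figure.

```python
import re

# Assumed list of community strings treated as trivial (not from Cisco).
TRIVIAL_COMMUNITIES = {"public", "private", "cisco", "admin", "snmp", "community"}
MIN_COMMUNITY_LEN = 12  # assumed threshold, not a Cisco figure

# Constructed sample ASA configuration with one good and two weak settings.
SAMPLE_CONFIG = """\
hostname asa-edge
snmp-server enable
snmp-server community public
snmp-server host inside 10.10.5.20 poll community Xk7!qP92mZ4vLs version 2c
snmp-server host outside 203.0.113.77 poll community cisco version 2c
"""


def audit_asa_snmp(config_text, trusted_hosts):
    """Walk 'snmp-server' lines and return (severity, message) findings.

    trusted_hosts: set of management-station IPs allowed to poll the device.
    An empty list means nothing was flagged.
    """
    findings = []
    communities = []  # (community string, the line that declared it)
    hosts = []        # (interface, ip) pairs granted SNMP access
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"snmp-server community (\S+)", line)
        if m:
            communities.append((m.group(1), line))
            continue
        m = re.match(r"snmp-server host (\S+) (\S+)(?: (?:poll|trap))?"
                     r"(?: community (\S+))?", line)
        if m:
            hosts.append((m.group(1), m.group(2)))
            if m.group(3):  # per-host community string, if one is set
                communities.append((m.group(3), line))
    for comm, where in communities:
        if comm.lower() in TRIVIAL_COMMUNITIES:
            findings.append(("high", f"trivial community string {comm!r} in: {where}"))
        elif len(comm) < MIN_COMMUNITY_LEN:
            findings.append(("medium", f"short community string ({len(comm)} chars) in: {where}"))
    for iface, ip in hosts:
        if ip not in trusted_hosts:
            findings.append(("high", f"SNMP access granted to untrusted host {ip} on {iface}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_asa_snmp(SAMPLE_CONFIG, {"10.10.5.20"}):
        print(f"[{severity}] {message}")
```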

Image credit: prayitnophotography/Flickr/CC by 2.0
