The NSA Shadow Brokers exploit leak included a tool known as “BenignCertain”, which triggers an information leak that can disclose VPN credentials and private keys to unauthenticated parties. Cisco IOS routers and PIX and ASA firewalls with IKE/IPsec VPN enabled may be affected.
The leaked toolkit's bc-genpkt, bc-id and bc-parser binaries generate the vulnerability-triggering packet, send it and store the response, and parse the leaked memory to reveal VPN credentials such as usernames and passwords. Alternatively, the Metasploit Framework module auxiliary/scanner/ike/cisco_ike_benigncertain scans for and triggers the vulnerability.

Example: the device appears to leak RAM contents when the fault is triggered:

    0000 00 00 00 00 00 00 00 02 00 00 00 00 00 00 2e e0
    0010 00 00 2e e0 12 a1 fb 48 00 00 00 00 00 00 00 00
    0020 00 00 09 ec 00 00 09 d0 00 00 00 01 01 00 00 0e
    0030 00 00 09 c4 00 00 00 01 00 00 00 01 0b 83 d4 d4
    ... [ snip ] ...
    0470 0f ff ff ff 0f ff ff ff 00 00 00 00 00 00 00 00
    0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0490 00 00 00 00 00 00 00 06 A1 44 93 40 00 00 00 00

When the test is repeated, the disclosed bytes change, which indicates that the device is likely vulnerable: a fixed error response would not vary between runs. Non-Cisco IPsec devices do not return excessive data in response to the trigger (roughly 10 bytes, versus 2500+ bytes for vulnerable devices). It is important to note, however, that the usable exploit as leaked only targets Cisco PIX devices. The device tested here may be vulnerable but, due to a slightly different implementation, may leak less valuable information to an attacker, or may require the trigger packet to be tweaked with the bc-genpkt tool.

Recommendation: Ensure the latest patched IOS firmware is installed. If the firmware is confirmed as vulnerable, change the VPN pre-shared keys and regenerate the private keys on the device, since both may already have been disclosed.

Risk: High.
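The three checks applied above (an oversized reply, bytes that change between runs, and readable credentials in the disclosed memory) can be automated over captured responses. The script below is an added example and is not part of the original write-up or of the leaked toolkit; it does not build or send the trigger packet (use bc-id or the Metasploit module for that) and only triages replies that have already been captured. The 2500-byte cut-off is taken from the write-up's observation and is an assumption; the "leaking device" replies are constructed from a small pseudo-random generator with a planted credential string and are not real device output. The hex-dump parser is fed the rows shown above.

```python
"""Triage a BenignCertain-style IKE information-leak test.

Added example, not code from the write-up or the leaked toolkit.  It applies
the write-up's three checks to captured replies: oversized response, bytes
that change between runs, and credential-looking strings in leaked RAM.
"""
from typing import Dict, List

# Heuristic from the write-up: vulnerable Cisco devices answered with 2500+
# bytes, other IPsec stacks with about 10.  The exact cut-off is an assumption.
LEAK_SIZE_THRESHOLD = 2500

# The dump rows shown in the write-up, used here as parser input.
WRITEUP_DUMP = """\
0000 00 00 00 00 00 00 00 02 00 00 00 00 00 00 2e e0
0010 00 00 2e e0 12 a1 fb 48 00 00 00 00 00 00 00 00
0020 00 00 09 ec 00 00 09 d0 00 00 00 01 01 00 00 0e
0030 00 00 09 c4 00 00 00 01 00 00 00 01 0b 83 d4 d4
... [ snip ] ...
0470 0f ff ff ff 0f ff ff ff 00 00 00 00 00 00 00 00
0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0490 00 00 00 00 00 00 00 06 A1 44 93 40 00 00 00 00
"""


def parse_hexdump(text: str) -> bytes:
    """Turn 'OFFSET b0 .. b15' rows into bytes.  Non-row lines such as the
    snip marker are skipped; rows are concatenated, so a snipped dump yields
    only the bytes actually shown."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            int(parts[0], 16)                        # offset column
            row = [int(b, 16) for b in parts[1:]]    # data columns
        except ValueError:
            continue                                 # '... [ snip ] ...'
        out.extend(row)
    return bytes(out)


def oversized(resp: bytes, threshold: int = LEAK_SIZE_THRESHOLD) -> bool:
    """Check 1: a reply far larger than any sane IKE error."""
    return len(resp) >= threshold


def changed_between_runs(first: bytes, second: bytes) -> int:
    """Check 2: positions that differ between two replies to the same
    trigger.  A fixed error blob gives 0; leaked RAM gives many."""
    common = min(len(first), len(second))
    diff = sum(1 for i in range(common) if first[i] != second[i])
    return diff + abs(len(first) - len(second))


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Check 3: runs of printable ASCII, the cheap first pass over leaked
    memory for usernames, passwords and pre-shared keys."""
    found: List[str] = []
    run = bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def triage(first: bytes, second: bytes,
           threshold: int = LEAK_SIZE_THRESHOLD) -> Dict[str, object]:
    """Combine the checks the way the write-up reasons about them."""
    big = oversized(first, threshold)
    changed = changed_between_runs(first, second)
    return {
        "bytes": len(first),
        "oversized": big,
        "changed_bytes": changed,
        "strings": printable_strings(first, min_len=8),
        "verdict": "likely vulnerable" if big and changed > 0 else "not indicative",
    }


# --- constructed sample replies (not real device output) -------------------
CONSTRUCTED_CRED = b"vpnuser1:Summer2017!"


def constructed_leak(seed: int, size: int = 2600) -> bytes:
    """Fake 'leaking device' reply: LCG-generated heap bytes with a
    credential-looking string planted at offset 1000.  Different seeds stand
    in for different runs, so the surrounding bytes change each time."""
    x = seed
    buf = bytearray()
    while len(buf) < size:
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        buf.append((x >> 16) & 0xFF)
    start = 1000
    buf[start - 1] = 0                               # isolate the string
    buf[start:start + len(CONSTRUCTED_CRED)] = CONSTRUCTED_CRED
    buf[start + len(CONSTRUCTED_CRED)] = 0
    return bytes(buf)


NON_CISCO_REPLY = bytes(10)                          # ~10-byte fixed error

if __name__ == "__main__":
    print("write-up dump parses to", len(parse_hexdump(WRITEUP_DUMP)), "bytes")
    print("cisco-like:", triage(constructed_leak(1), constructed_leak(2)))
    print("non-cisco :", triage(NON_CISCO_REPLY, NON_CISCO_REPLY))
```

In practice the two replies passed to triage() would be two captures of the same trigger against the same device; a large, varying reply with readable strings in it is the pattern the write-up calls likely vulnerable, while a short identical reply is what non-Cisco stacks produced.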
Archives
September 2017