Endwall 08/25/2016 (Thu) 18:24:24 No. 394 del
E hacking news
Cisco begins patching of leaked shadowbrokers attack
hursday, August 25, 2016
http://www.ehackingnews.com/2016/08/cisco-begins-patching-of-leaked.html
Enterprise-grade Cisco firewalls began the process of patching a zero-day vulnerability in its Adaptive Security Appliance (ASA) software exposed in the ShadowBrokers data dump. Researchers at Silent Signal in Hungary yesterday tweeted they had ported the EXTRABACON attack to ASA version 9.2(4), which was released a year ago. The firm expanded the attack range of the ExtraBacon Cisco hack hole revealed as part of the Shadow Brokers cache of National Security Agency-linked exploits and tools. The research after the attack confirmed that the Equation Group exploit for version 8.4(4) of the firewall appliance did indeed provide remote unauthenticated access over SSH or telnet. The attack was included in a 300 MB file download made freely available by the ShadowBrokers that also included exploits, implants and other attacks against Juniper, WatchGuard, Topsec and Fortinet firewalls and networking gear. Researchers confirmed that there was a connection between ShadowBrokers dump and Equation Group exploits. The exploit was restricted to versions 8.4 (4) and earlier of ASA boxes and has now been expanded to 9.2 (4). Users on affected versions of 7.2, 8.0 and 8.7 are requested to upgrade soon to 9.1.7 (9) or later. Newer versions that are also implicated—9.1 through 9.6—are expected to be updated in the next two days. “We have started publishing fixes for affected versions, and will continue to publish additional fixes for supported releases as they become available in the coming days,” Cisco’s Omar Santos said on Wednesday (August 24) in an updated advisory. Cisco and Fortinet have confirmed their kit is affected by exploits listed in data cache which included some 300 files circulated online. The vulnerability lies in the SNMP code in ASA that could allow an attacker to crash the affected system or remotely execute arbitrary code. The attacks can eventually be modified to target any version. The affected ASA software, Cisco said, runs in a number of its products including Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 4100 Series, Cisco Firepower 9300 ASA Security Module, Cisco Firepower Threat Defense Software, Cisco Firewall Services Module (FWSM), and Cisco Industrial Security Appliance 3000 Cisco PIX Firewalls. Prior to yesterday’s patches, Cisco had provided its customers with IPS and Snort signatures that detect the vulnerability. The ShadowBrokers data dump happened more than a week ago when the group claimed to have hacked the Equation Group, which is widely believed to be connected to the NSA.