By now you have likely heard of a security breach at the NSA that resulted in a data dump of numerous exploits. The breach hit an elite group known as the Equation Group and exposed 300 MB of data concerning products from Cisco, Fortinet, Juniper, and TopSec. In response, Cisco has released patches for zero-day flaws exposed by the Shadow Brokers’ data dump. The two patches in question address the Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability (CVE-2016-6366) and the Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability (CVE-2016-6367).
The first vulnerability, relating to SNMP remote code execution, allows “an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” The flaw is a buffer overflow and affects all SNMP versions. It can allow an attacker to take total control of a system. As such, Cisco classified the flaw on its “Security Impact Rating” scale as “High,” giving it a CVSS base score of 8.5.
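Because the SNMP flaw needs an attacker who is already “authenticated” (that is, who holds a valid community string or SNMPv3 credentials) and who can reach the SNMP service, the practical defender question is: which hosts may poll this ASA, over which SNMP version, and how strong is the shared secret? The following audit script is an added example and is not code from the original post or from Cisco. It parses a constructed `show running-config` excerpt (the sample lines, the list of “weak” community strings, and the assumption that a host entry without an explicit `version` keyword behaves as SNMPv1 are all the example author’s own choices) and reports every v1/v2c poller and every weak or default community string.

```python
"""Audit a Cisco ASA running-config excerpt for SNMP exposure.

Added example: the config text below is constructed, and the notion of a
"weak" community string is a heuristic chosen for this example.
"""

# Constructed list of widely known default community strings (assumption).
WEAK_COMMUNITIES = {"public", "private", "cisco", "snmp"}
MIN_COMMUNITY_LENGTH = 8  # heuristic threshold, not a Cisco requirement

# Constructed sample config; an ASA masks secrets as ***** in plain
# `show running-config`, which the checks below treat as "unknown".
SAMPLE_CONFIG = """\
hostname asa-edge
snmp-server host inside 10.1.1.50 community public version 2c
snmp-server host management 10.9.9.9 version 3 monitor-user
snmp-server community public
snmp-server location DC-1
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""


def _parse_host(line):
    """Return a dict for an `snmp-server host ...` line, else None."""
    tokens = line.split()
    if tokens[:2] != ["snmp-server", "host"] or len(tokens) < 4:
        return None
    iface, ip, rest = tokens[2], tokens[3], tokens[4:]
    opts = {}
    # Keyword/value pairs may appear in any order; pick out the ones we need.
    for i, tok in enumerate(rest):
        if tok in ("community", "version", "udp-port") and i + 1 < len(rest):
            opts[tok] = rest[i + 1]
    return {
        "iface": iface,
        "ip": ip,
        "community": opts.get("community"),
        # Assumption: a host line without `version` is treated as SNMPv1.
        "version": opts.get("version", "1"),
    }


def is_weak_community(community):
    """Heuristic: known default, or shorter than the example threshold."""
    if community is None or community == "*****":
        return False  # masked secret: cannot judge, so do not flag
    return community.lower() in WEAK_COMMUNITIES or len(community) < MIN_COMMUNITY_LENGTH


def list_snmp_hosts(config_text):
    """Every host permitted to poll or receive traps, for trust review."""
    hosts = []
    for raw in config_text.splitlines():
        host = _parse_host(raw.strip())
        if host:
            hosts.append(host)
    return hosts


def audit_asa_snmp(config_text):
    """Return (severity, message) findings for SNMP settings in the config."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        host = _parse_host(line)
        if host:
            if host["version"] in ("1", "2c"):
                findings.append(("medium",
                    f"{host['ip']} ({host['iface']}) polls via SNMPv{host['version']}: "
                    "the community string is the only authentication"))
                if is_weak_community(host["community"]):
                    findings.append(("high",
                        f"{host['ip']} uses weak community '{host['community']}'"))
            continue
        tokens = line.split()
        if tokens[:2] == ["snmp-server", "community"] and len(tokens) >= 3:
            if is_weak_community(tokens[2]):
                findings.append(("high", f"global community '{tokens[2]}' is weak"))
    return findings


if __name__ == "__main__":
    for h in list_snmp_hosts(SAMPLE_CONFIG):
        print(f"poller: {h['ip']} via {h['iface']} (SNMPv{h['version']})")
    for severity, message in audit_asa_snmp(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against a real config exported with `more system:running-config` (which shows community strings unmasked) rather than `show running-config`, otherwise the masked `*****` values are skipped and weak strings go unreported. Every host the script lists should be a management system you actually trust; any other poller should be removed, since a valid community string is all an attacker needs to reach the vulnerable code path.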
The second vulnerability mentioned in the Cisco Event Response is based on “a vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software.” This flaw allows either a DoS attack or execution of arbitrary code via invalid commands. It is not as dangerous, because it cannot be exploited remotely. According to Cisco, “an attacker must have local access and be authenticated to exploit this vulnerability.” Any Cisco ASA software prior to 8.4 is said to be at risk for this particular vulnerability. The flaw’s Security Impact Rating has been registered as “Medium,” netting a 6.8 CVSS base score.
It is likely that we will hear of more patches being released from all companies exposed by this NSA leak. There is talk in the cybersecurity community now of how best to avoid incidents like this in the future. One of the most frequently raised suggestions is making sure the NSA is more diligent about disclosing vulnerabilities to vendors, rather than hoarding them. As we’ve seen, by hoarding all of this data, the NSA has made vendors’ jobs extremely difficult in regard to defending against cyber attacks.
Oh, NSA, will you ever learn?