1. Event summary
On 15 August 2016, a hacking group calling itself "The Shadow Brokers" claimed to have broken into the computer systems of the Equation Group hacking organization and to have stolen a large amount of confidential information and hacking tools. The Shadow Brokers then published 60% of the leaked files online, including exploit code targeting many kinds of network equipment.
Among the hacking tools leaked by The Shadow Brokers, three exploit modules, EPICBANANA, EXTRABACON and JETPLOW, affect Cisco products. The affected devices include the Cisco ASA series firewalls, Cisco PIX firewalls and the Cisco Firewall Services Module (FWSM).
After learning of the incident, Cisco immediately assigned its Product Security Incident Response Team (PSIRT) to take sole charge of the bug fixing and emergency response. The PSIRT team analysed the affected products and soon afterwards published an event response report (ERP), which briefly describes the two major security vulnerabilities involved. The PSIRT team also issued a security bulletin announcing that the Cisco product vulnerabilities exposed by The Shadow Brokers incident have already been fixed, so the leaked exploit code for Cisco products is no longer effective. The two serious remote code execution vulnerabilities are:
- Cisco ASA SNMP remote code execution vulnerability
- Cisco ASA CLI remote code execution vulnerability
The Cisco ASA SNMP remote code execution vulnerability is newly discovered. The Cisco Talos threat intelligence group and the Cisco IPS intrusion prevention system have produced detection signatures for it:
- Snort rule ID: 3:39885
- Cisco IPS signature ID: 7655-0
The Cisco ASA CLI remote code execution vulnerability was already fixed back in 2011. Cisco has now released an official security announcement to inform users that this vulnerability has been repaired. Cisco security experts also said that as long as users are running the latest version of the Cisco software, they will not be affected by The Shadow Brokers incident.
The Shadow Brokers have so far published 60% of the leaked data online and intend to sell the remaining 40% by auction. They also said that if they receive one million bitcoin, they will publish all of the data on the web. According to analysis by a security researcher, some of the published stolen files date back to 2013.
2. Vulnerability overview
According to Cisco's description, the leaked hacking tools mainly exploit two security vulnerabilities in Cisco products: one has long been known to Cisco, while the other had never been detected before.
The 0-day vulnerability is CVE-2016-6366. Cisco said that the vulnerability lies in the SNMP code of the Cisco Adaptive Security Appliance (ASA) software. It allows an unauthenticated remote attacker to reload the affected device and to achieve remote code execution (RCE) on the device. A remote code execution vulnerability is very dangerous, because an attacker who exploits it can gain complete control of the target device.
Besides the 0-day vulnerability above, Cisco also found exploit code attempting to exploit CVE-2016-6367. This is a very old vulnerability in Cisco products, which the company fixed as early as 2011.
This vulnerability exists in the command-line interface (CLI) parser of the Cisco ASA software and allows an unauthenticated local attacker to conduct a denial of service (DoS) attack. The attacker could also exploit it to execute arbitrary code on the affected device.
Cisco has therefore released a security bulletin reminding users worldwide to update the firmware of their Cisco devices as soon as possible.
3. Vulnerability analysis
The leaked files contain the directories and exploit code shown in the figure below:
[figure: directory listing of the leaked exploit code]
In the figure, three directories hold the exploit modules related to the Cisco ASA series firewalls, Cisco PIX firewalls and the Cisco Firewall Services Module. The three modules are EXTRABACON, EPICBANANA and JETPLOW.
(1) EXTRABACON
EXTRABACON targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA series firewalls, Cisco PIX firewalls and the Cisco Firewall Services Module (CVE-2016-6366). Interested readers can consult the security bulletin released by Cisco for a complete list of the products affected by this vulnerability. An attacker can trigger and exploit the vulnerability by sending a carefully crafted SNMP packet to an affected Cisco product.
The figure below roughly describes the exploitation process:
[figure: EXTRABACON exploitation process]
Some information on the EXTRABACON module:
1. The interface that receives the SNMP packets must have SNMP configured and enabled. In the example shown in the figure, SNMP is enabled only on the management interface of the Cisco ASA firewall, so the attacker must launch the attack through that interface; the other interfaces, whether external or internal, cannot be used to trigger the vulnerability.
2. To exploit the vulnerability successfully, the attacker must know the SNMP community string.
3. Only network traffic sent directly to the target system can trigger the vulnerability.
4. The vulnerability can only be triggered by IPv4 traffic.
5. SNMP v1, SNMP v2c and SNMP v3 are all affected.
6. An attacker can use the vulnerability to achieve arbitrary code execution on the target device, gain complete control of the target system, or even reload the affected system.
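The points above translate directly into an exposure check a defender can run against an ASA running-config: which interfaces accept SNMP, whether a well-known community string is in use, and whether the SNMP version sends that string in cleartext. The script below is an added example written for this article, not code from Cisco or from the leaked tools; the config fragment is constructed (addresses, interface names and community strings are made up), the `WEAK_COMMUNITIES` list is an assumption about what counts as a default string, and the `snmp-server host` parsing covers only the `[trap|poll] community <str> version {1|2c}` form of that command.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of a Cisco ASA running-config fragment; all values are made up.
SAMPLE_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
snmp-server host management 192.168.1.50 community public version 2c
snmp-server host outside 198.51.100.7 poll community Zq7!kL9v version 2c
snmp-server location Lab
snmp-server enable
"""

# Assumption: these well-known defaults are treated as weak community strings.
WEAK_COMMUNITIES = {"public", "private", "cisco"}

HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<peer>\S+)"
    r"(?: (?:trap|poll))?"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>1|2c))?"
)
GLOBAL_COMMUNITY_RE = re.compile(r"^snmp-server community (?P<community>\S+)")


@dataclass
class Finding:
    iface: str
    peer: str
    version: str
    issues: List[str] = field(default_factory=list)


def parse_interfaces(config: str) -> Dict[str, bool]:
    """Map each nameif to True when its interface block carries 'management-only'."""
    result: Dict[str, bool] = {}
    nameif: Optional[str] = None
    mgmt_only = False
    for line in config.splitlines():
        if line.startswith("interface "):
            if nameif is not None:          # close the previous interface block
                result[nameif] = mgmt_only
            nameif, mgmt_only = None, False
        elif line.startswith(" management-only"):
            mgmt_only = True
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif not line.startswith(" ") and nameif is not None:
            result[nameif] = mgmt_only      # first non-indented line ends the block
            nameif, mgmt_only = None, False
    if nameif is not None:
        result[nameif] = mgmt_only
    return result


def audit_snmp(config: str) -> List[Finding]:
    """Return one Finding per 'snmp-server host' line with the risks it carries."""
    mgmt_map = parse_interfaces(config)
    global_match = GLOBAL_COMMUNITY_RE.search(config, re.M) if False else None
    for line in config.splitlines():
        g = GLOBAL_COMMUNITY_RE.match(line)
        if g:
            global_match = g.group("community")
    findings: List[Finding] = []
    for line in config.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        version = m.group("version") or "unspecified"
        f = Finding(m.group("iface"), m.group("peer"), version)
        # Point 1: SNMP reachable on a non-management interface widens exposure.
        if not mgmt_map.get(f.iface, False):
            f.issues.append("snmp_on_non_management_interface")
        # Point 2: a guessable community string is the only secret the attacker needs.
        community = m.group("community") or global_match
        if community is not None and community.lower() in WEAK_COMMUNITIES:
            f.issues.append("weak_or_default_community")
        # v1/v2c carry the community string in cleartext on the wire.
        if version in ("1", "2c"):
            f.issues.append("cleartext_community_version")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(f"{finding.iface:<12} {finding.peer:<16} v{finding.version:<4} {', '.join(finding.issues) or 'ok'}")
```

On the constructed config the management-side host entry is flagged for its `public` community and cleartext version, while the `outside` entry is flagged because it exposes SNMP on a non-management interface. The intended remediation matches the article's points: keep SNMP on a management-only interface, replace default community strings, and apply the vendor fix.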