On 15 August 2016, CERT-UK was made aware of a list of exploits posted online. The exploits target vulnerabilities in software found in Cisco switches, routers and firewall products, and in Fortinet FortiGate, WatchGuard and TopSec products. Fortinet and WatchGuard have determined that the vulnerabilities affecting their products were patched years ago; of the two Cisco vulnerabilities, one has been confirmed as a zero-day.
Vulnerabilities – Cisco
The two vulnerabilities affecting Cisco firewall products could allow a remote attacker to execute arbitrary code or force the target system to reload. Exploit code usable against multiple vendors' devices, including the Cisco ASA and legacy Cisco PIX firewalls, has been posted online. The two Cisco vulnerabilities are:
The Cisco ASA SNMP (Simple Network Management Protocol) Remote Code Execution vulnerability is a newly discovered defect, and no fix is available from the vendor at the time of publication.
The Cisco ASA CLI Remote Code Execution vulnerability was addressed by a defect fix in 2011. Cisco has issued a formal Security Advisory so that users can confirm they are running software versions that are not vulnerable to the exploit.
What could happen if the vulnerabilities were exploited?
The first exploit allows an attacker who knows the SNMP community string to send specially crafted SNMP packets over IPv4 to the target system. This triggers a buffer overflow that causes the device to reload or could allow the execution of arbitrary code. Refer to the Cisco Security Advisory for CVE-2016-6366 for a complete list of affected products.
SNMP is a legitimate administrative protocol, regularly used to exchange diagnostic information between network devices and management systems. Versions 1 and 2c authenticate with a "community string", a shared secret sent in the clear in every SNMP packet. The exploit requires a valid community string for the target device, but this is not a robust form of authentication: anyone able to observe SNMP traffic on the network can read the string.
The second exploit could allow an authenticated user to create a denial of service (DoS) condition or execute arbitrary code by invoking certain invalid commands on an affected device. The attacker must know the Telnet or SSH password to exploit an affected device. Refer to the Cisco Security Advisory for CVE-2016-6367 for a complete list of affected products.
Fortinet has published an advisory detailing the remote code execution exploit, which targets a buffer overflow in the cookie parser of FortiGate firmware released before August 2012. The affected firmware versions are older 4.x releases, and a fix has been issued.
A second exploit targets RapidStream appliances. RapidStream was acquired by WatchGuard in 2002; WatchGuard has confirmed that the vulnerabilities were not carried over into WatchGuard appliances. An exploit affecting Juniper Networks NetScreen firewalls, in the form of a firewall implant, was also published, but Juniper had yet to publish an advisory at the time of writing.
Many of the remaining exploits target TopSec firewalls; however, the company has yet to issue an advisory on these exploits, nor has it issued any advisories in the last year.
SNMP traffic to or from IP addresses outside trusted boundaries should be blocked at firewalls. Administrators should disable SNMP on devices that do not use the protocol and use SNMP version 3 where possible. Where organisations still use community strings, these should be long and unique, and protected as you would a password.
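The two points above, that SNMPv1/v2c community strings travel in the clear and that SNMP from outside trusted boundaries should be blocked, can be checked directly on captured traffic. The following Python script is an added example written for this page (it is not CERT-UK's, Cisco's or any vendor's code): it decodes the version and community string from the BER header of raw SNMP messages and applies the mitigation policy above to each packet. The sample packets, the trusted network list, the default-community list and the `audit_snmp_packet` helper are all constructed for illustration.

```python
import ipaddress

# Constructed sample SNMP messages (hand-encoded for this example; not from the
# advisory). Each is a GetRequest for sysDescr.0, differing in version/community.
SAMPLE_V2C_PUBLIC = bytes.fromhex(
    "30 26"                                             # SEQUENCE, 38 bytes
    "02 01 01"                                          # INTEGER version = 1 (SNMPv2c)
    "04 06 70 75 62 6c 69 63"                           # OCTET STRING community = "public"
    "a0 19 02 01 01 02 01 00 02 01 00"                  # GetRequest: request-id, error-status, error-index
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00"   # varbind: sysDescr.0 = NULL
)
SAMPLE_V1_PRIVATE = bytes.fromhex(
    "30 27 02 01 00 04 07 70 72 69 76 61 74 65"         # version 0 (SNMPv1), community "private"
    "a0 19 02 01 01 02 01 00 02 01 00"
    "30 0e 30 0c 06 08 2b 06 01 02 01 01 01 00 05 00"
)
# SNMPv3 message header only: version 3 followed by msgGlobalData. No community string exists.
SAMPLE_V3_HEADER = bytes.fromhex(
    "30 12 02 01 03 30 0d 02 01 01 02 02 ff ff 04 01 04 02 01 03"
)

# Assumed policy values (illustrative): well-known default strings and a minimum length.
DEFAULT_COMMUNITIES = {"public", "private"}
MIN_COMMUNITY_LEN = 16
VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(packet):
    """Decode the SNMP version and, for v1/v2c, the cleartext community string."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer tag %#x" % tag)
    tag, ver_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version, got tag %#x" % tag)
    version = int.from_bytes(ver_bytes, "big")
    info = {"version": VERSION_NAMES.get(version, "unknown(%d)" % version), "community": None}
    if version in (0, 1):                  # only v1 and v2c carry a community string
        tag, community, _ = _read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community, got tag %#x" % tag)
        info["community"] = community.decode("latin-1")
    return info


def audit_snmp_packet(src_ip, packet, trusted_nets):
    """Apply the boundary/version/community policy to one packet.

    Returns (header, findings); findings is empty when the packet is acceptable.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    src = ipaddress.ip_address(src_ip)
    hdr = parse_snmp_header(packet)
    findings = []
    if not any(src in net for net in nets):
        findings.append("SNMP from untrusted source %s" % src_ip)
    if hdr["community"] is not None:
        findings.append("SNMP%s sends the community string in the clear" % hdr["version"])
        c = hdr["community"]
        if c.lower() in DEFAULT_COMMUNITIES:
            findings.append("default community string %r" % c)
        elif len(c) < MIN_COMMUNITY_LEN:
            findings.append("short community string (%d chars)" % len(c))
    return hdr, findings


def audit_capture(capture, trusted_nets):
    """Audit a list of (src_ip, packet_bytes); return only the entries with findings."""
    results = []
    for src_ip, packet in capture:
        hdr, findings = audit_snmp_packet(src_ip, packet, trusted_nets)
        if findings:
            results.append((src_ip, hdr["version"], findings))
    return results


if __name__ == "__main__":
    # Constructed capture: one untrusted v2c poller, one internal v1 poller, one v3 poller.
    capture = [
        ("203.0.113.7", SAMPLE_V2C_PUBLIC),
        ("10.0.0.9", SAMPLE_V1_PRIVATE),
        ("10.0.0.5", SAMPLE_V3_HEADER),
    ]
    for src_ip, version, findings in audit_capture(capture, ["10.0.0.0/8"]):
        print(src_ip, version)
        for f in findings:
            print("  -", f)
```

Run over the constructed capture, the script flags the v2c request from 203.0.113.7 three times (untrusted source, cleartext community, default string "public"), flags the internal v1 poller for its cleartext default string, and passes the SNMPv3 header from the trusted host. A long, unique community string raises the bar for CVE-2016-6366 but does not remove it, since the exploit only needs a valid string; until a fix is available, the boundary filtering is the control that matters.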
Where can I find more information?
Please refer to the Cisco blog for more information here.
The Fortinet vendor advisory is available here.
More information will be published as it becomes available.