Cisco Event Response Page
Cisco Event Response: Cisco ASA and IOS Vulnerabilities
Doc ID: ERP-56516
First Published: 2016 August 17 18:50 GMT
Last Updated: 2016 September 21 18:39 GMT
Version: 1.1
- On August 15, 2016, Cisco was alerted to information posted online by the alleged Shadow Brokers group, which claimed to possess disclosures from the Equation Group. The posted materials included exploits for firewall products from multiple vendors. The Cisco products mentioned were the PIX and ASA firewalls.
- On September 16, 2016, Cisco identified an IKEv1 Information Disclosure Vulnerability in Cisco IOS that is related to variations of the published exploits.
- The Cisco PSIRT has investigated the published information and determined that it provides exploits for two Cisco product vulnerabilities in ASA and one vulnerability in Cisco IOS.
In accordance with the Cisco security vulnerability disclosure policy, Cisco Security Advisories have been published:
- (17 August 2016) Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability: This vulnerability is a known defect that was addressed in a Release Note Enclosure in 2011.
- (17 August 2016) Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability: This vulnerability is a newly found defect, and TALOS and Cisco IPS have produced signatures to detect this issue.
- (16 September 2016) IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products: This vulnerability is a newly found defect, and TALOS and Cisco IPS have produced signatures to detect this issue.
The following table identifies Cisco Security content and Cisco mitigation information that is associated with this release:
| Cisco Security Advisory | CVE ID | Security Impact Rating | CVSS Base Score | IPS Signature |
|---|---|---|---|---|
| cisco-sa-20160817-asa-snmp: Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability | CVE-2016-6366 | High | 8.5 | Snort Rule ID 3:39885; Cisco IPS Signature 7655-0 |
| cisco-sa-20160817-asa-cli: Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability | CVE-2016-6367 | Medium | 6.8 | — |
| cisco-sa-20160916-ikev1: IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products | CVE-2016-6415 | High | 7.8 | Snort Rule IDs 40220(1), 40221(1), 40222(1); Cisco IPS Signatures 7699-0 |
Additional References
Identifying and Mitigating Exploitation of the IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products
The Shadow Brokers EPICBANANA and EXTRABACON Exploits (Cisco blog)