fabioberti.it - Fotolia
How does BENIGNCERTAIN exploit Cisco PIX firewalls?
The BENIGNCERTAIN exploit affects certain versions of Cisco systems using the IKEv1 protocol. Expert Nick Lewis explains what the protocol does and how the vulnerability works.
A Cisco security advisory warned against a Cisco PIX firewall flaw that is vulnerable to the BENIGNCERTAIN exploit exposed in the Shadow Brokers' data dump. The vulnerability, which is still unpatched, affects all Cisco systems configured to use an early version of the Internet Key Exchange protocol. What is IKEv1, and how do attackers exploit it?
The BENIGNCERTAIN exploit revealed in the Shadow Brokers' data dump of the National Security Agency's (NSA) cyberweapons and zero-day exploits could allow an unauthenticated remote attacker to send an Internet Key Exchange (IKE) packet to a vulnerable Cisco PIX firewall or other Cisco devices, causing them to dump some of their memory. The attacker can then sift through this memory for confidential information, such as the RSA private key and other configuration data. This enables the attacker to gain access to an IPsec VPN.
The BENIGNCERTAIN exploit targets a vulnerability in version 1 of the IKE protocol, which is used by these Cisco products to set up the secure IPsec VPN tunnel. IKE, which was designed to secure VPN communications and remote network access, uses certificates for setting up a shared symmetric encryption to achieve the high bandwidth needed for IPsec VPNs.
IKEv2 was released in 2005, and it contained many improvements over IKEv1.
There are no workarounds for this vulnerability, which exists in certain versions of Cisco IOS, Cisco IOS XE and Cisco IOS XR. Enterprises can protect themselves from the BENIGNCERTAIN exploit by installing Cisco IOS XR Software releases 5.3.x and higher, or by upgrading to a new system that is not vulnerable to the exploit. Cisco PIX 7.0 and higher are not vulnerable to BENIGNCERTAIN.
The Cisco PIX firewalls targeted by BENIGNCERTAIN are at end of life, but appear to still be used in organizations targeted by the NSA. End of life Cisco PIX firewalls should be retired, since they have not been receiving security updates since 2009.
Cisco recommends that users of these products set up an intrusion prevention system or intrusion detection system to locate and stop exploits.