Have software-breaking tools used by America’s respected electronic spy department, the National Security Agency, been compromised? Since news broke over the weekend that tools from a company called the Equation Group, allegedly associated with the NSA, were being auctioned on the Internet by someone calling themselves the Shadow Brokers, the evidence has been gone over with a fine-toothed comb.
Whatever the source, firewall vendors are working overtime to go through the exploit tools to see if their products have been victims. In three cases the answer is yes.
Cisco Systems has confirmed that some of the tools could be used to exploit vulnerabilities in the company’s ASA and legacy Cisco PIX firewalls.
The Cisco ASA SNMP Remote Code Execution vulnerability is a newly found defect, the company said. Both its Talos threat intelligence service and Cisco IPS have produced signatures to detect this issue. The Cisco ASA CLI Remote Code Execution Vulnerability was patched in 2011.
At the same time WatchGuard and Fortinet issued statements that exploits found in the released tools target vulnerabilities in their code that have already been fixed.
WatchGuard said it found that one set of Python scripts, named ESCALATEPLOWMAN, appears to target legacy RapidStream appliances, firewalls picked up in a 2002 acquisition. The scripts are used to generate a CLI command which the attacker then copies and runs in the CLI of the target system, the vendor said. The generated CLI command instructs the target system to download and execute a file from a remote location.
WatchGuard said the vulnerability doesn’t affect its current Firebox and XTM appliances, which, while descended from RapidStream, have different file system locations and so can’t be exploited by that particular tool.
Fortinet issued a brief advisory about a cookie parser buffer overflow vulnerability that affects firmware in FortiGate firewalls with versions below 5.x. Firmware above that is unaffected.
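The Fortinet advisory names the bug class only: a buffer overflow in a cookie parser. The following C is an added illustration of that class, written for this article and not taken from FortiGate firmware or from the leaked tools: a minimal `Cookie:` header parser that copies the value of a named cookie into a fixed-size buffer with no length check, beside a hardened version of the same loop that refuses any value that will not fit. The header strings, cookie names and buffer size are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define COOKIE_VALUE_MAX 64   /* constructed buffer size for the example */

/* Both parsers walk a "name=value; name2=value2" header and copy the value of
 * the cookie called `name` into `out`. Returns 1 if found, 0 if absent,
 * and (hardened version only) -1 if the value is too long for `out`. */

/* VULNERABLE: no check that the value fits in the caller's buffer. An
 * over-long cookie value overruns `out` (a stack buffer in the caller). */
int parse_cookie_unsafe(const char *header, const char *name, char *out)
{
    size_t name_len = strlen(name);
    const char *p = header;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        const char *eq = strchr(p, '=');
        if (!eq) return 0;
        const char *end = strchr(eq, ';');
        size_t val_len = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
        if ((size_t)(eq - p) == name_len && memcmp(p, name, name_len) == 0) {
            memcpy(out, eq + 1, val_len);   /* unbounded copy: the defect */
            out[val_len] = '\0';
            return 1;
        }
        if (!end) return 0;
        p = end + 1;
    }
    return 0;
}

/* HARDENED: the caller passes the buffer size, and a value that would not
 * fit (including the terminator) is rejected rather than copied or silently
 * truncated, so a malformed request cannot write past `out`. */
int parse_cookie_safe(const char *header, const char *name,
                      char *out, size_t out_size)
{
    size_t name_len = strlen(name);
    const char *p = header;
    while (*p) {
        while (*p == ' ' || *p == ';') p++;
        const char *eq = strchr(p, '=');
        if (!eq) return 0;
        const char *end = strchr(eq, ';');
        size_t val_len = end ? (size_t)(end - eq - 1) : strlen(eq + 1);
        if ((size_t)(eq - p) == name_len && memcmp(p, name, name_len) == 0) {
            if (val_len >= out_size) return -1;   /* the missing bounds check */
            memcpy(out, eq + 1, val_len);
            out[val_len] = '\0';
            return 1;
        }
        if (!end) return 0;
        p = end + 1;
    }
    return 0;
}

/* Builds a constructed header whose session value is far longer than
 * COOKIE_VALUE_MAX and feeds it to the hardened parser only. Running the
 * unsafe parser on this input would corrupt the stack. */
int demo_long_cookie_rejected(void)
{
    char header[300];
    char value[200];
    memset(value, 'A', sizeof(value) - 1);
    value[sizeof(value) - 1] = '\0';
    snprintf(header, sizeof(header), "lang=en; session=%s; theme=dark", value);
    char out[COOKIE_VALUE_MAX];
    return parse_cookie_safe(header, "session", out, sizeof(out));
}

int main(void)
{
    char out[COOKIE_VALUE_MAX];
    const char *hdr = "lang=en; session=abc123; theme=dark";   /* constructed */
    if (parse_cookie_safe(hdr, "session", out, sizeof(out)) == 1)
        printf("session = %s\n", out);
    printf("over-long value rejected: %d\n", demo_long_cookie_rejected());
    return 0;
}
```

The two functions differ only in the single comparison against `out_size`; that is the whole gap between a parser that is safe and one that is remotely exploitable from a request header, and it is why the fix for this class of bug is usually a one-line patch in a released firmware version.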
The authenticity of the tools up for auction isn’t in doubt, according to unnamed sources who spoke to the Washington Post. “Without a doubt, they’re the keys to the kingdom,” said a former member of the NSA’s Tailored Access Operations (TAO) unit, which is responsible for hacking into systems and perhaps installing backdoors into American-made firewalls destined for foreign countries. A second former TAO employee said, “From what I saw, there was no doubt in my mind that it was legitimate.”
The news of the Shadow Brokers claim has sparked two debates: First, has the NSA lost the advantage of having secret tools that it has used to exploit previously unknown holes in commercial security products? Second, should the NSA be quietly telling vendors about those holes so they can be patched?
Today’s Washington Post has an article that notes that whatever the source of the leaked tools, they are now out in the open and can be used by criminal or nation-state actors to attack organizations and governments — at least those vulnerabilities that haven’t already been patched.
The release shows the risk of the U.S. government stockpiling computer vulnerabilities for its own use, Kevin Bankston, director of New America’s Open Technology Institute, was quoted as saying.
The story says U.S. intelligence agencies are supposed to submit any flaws they discover to a group of experts, who decide whether the advantage of keeping the vulnerabilities secret outweighs the public’s cybersecurity.
It also says that because the latest file in the Shadow Brokers’ alleged NSA arsenal goes back to October 2013, that’s likely around when the hack was committed. In that case someone has had almost two years to use the tools.