On August 15, 2016, Cisco became aware that the "Shadow Brokers," a mysterious group that emerged last weekend, claim to have obtained source code from the National Security Agency ("NSA") that could be used to exploit Cisco's multi-vendor devices. The Shadow Brokers announced intentions to auction off the code in exchange for up to one million Bitcoins.
Affected Cisco Products
The sample of allegedly stolen files released by the Shadow Brokers contains code that is dated 2013 or older and references the following Cisco products:
- Cisco ASA
- Cisco PIX
- Cisco Firewall Services
For more information on the Cisco products and vulnerabilities that could be exploited by this code, see the following security advisories from the Cisco Product Security Incident Response Team (PSIRT):
- Cisco ASA SNMP Remote Code Execution Vulnerability
- Cisco ASA CLI Remote Code Execution Vulnerability
Cisco's security blog contains additional details about the released data.
ACA Aponix Guidance
Popular Cisco ASA devices are at risk. Cisco's release of patches adds legitimacy to the Shadow Brokers' claim of leaked or hacked NSA data. The leaked data also includes numerous references to Cisco vulnerabilities that were corrected in 2011. Together, these factors indicate that these exploits have been available and used undetected for the past 5 years by governments and potentially by the individuals who obtained this information from the NSA.
We urge clients to apply patches to impacted Cisco devices as soon as possible.
If you have any questions, please contact your ACA Aponix consultant or email us at email@example.com.