
Cisco has released security advisory CISCO-SA-20160916-IKEV1, which confirms the presence of another 0-day vulnerability in Cisco products from the Shadow Brokers archive. The information disclosure vulnerability has been assigned CVE-2016-6415 (IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products) and is present in the Internet Key Exchange version 1 (IKEv1) packet processing code of the Cisco IOS, IOS XE and IOS XR products. Using the vulnerability, an attacker can remotely read the contents of device memory, which may contain confidential information. As with other similar vulnerabilities, CVE-2016-6415 is exploited by sending a specially crafted IKEv1 packet to the vulnerable device.
The vulnerability (code-named BENIGNCERTAIN) affects devices only when they are configured to use the IKEv1 protocol and can accept security negotiation requests. With its help, attackers can retrieve RSA private keys from the device's memory.
The following versions of the Cisco IOS XR product are affected by this vulnerability:
- Cisco IOS XR 4.3.x
- Cisco IOS XR 5.0.x
- Cisco IOS XR 5.1.x
- Cisco IOS XR 5.2.x
Versions 5.3.x and later are not affected by this vulnerability.
All Cisco IOS XE software versions are vulnerable; Cisco IOS products and PIX hardware firewalls are affected as well.
IKE is assigned dedicated UDP ports, and an open port among them indicates that IKE is active: 500, 4500, 848 and 4848. In the example below, the device processes IKE packets on ports 500 and 4500 over IPv4 or IPv6.
On a device running Cisco IOS, the following command can be used to check whether IKE is enabled in the device configuration. The presence of any of the following configuration statements in the command output indicates that IKE is active:
- crypto map
- tunnel protection ipsec
- crypto gdoi
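The two checks described above (open IKE UDP ports and IKE-related statements in the running configuration) can be automated against saved CLI output. The script below is an added example and is not part of the advisory or of any Cisco tool; the `show running-config` and `show udp` samples are constructed, and the row layout assumed for `show udp` (`17 --listen-- <local address> <port>`) is an assumption about the IOS output format that should be checked against the real device.

```python
"""Flag IKE exposure indicators in saved Cisco IOS CLI output.

Added example (not Cisco's code). Both sample outputs below are constructed
to look like `show running-config` and `show udp` output; the `show udp`
column layout is an assumption about the IOS format.
"""
from __future__ import annotations

import re

# Configuration statements the advisory lists as indicators that IKE is in use.
IKE_CONFIG_INDICATORS = ("crypto map", "tunnel protection ipsec", "crypto gdoi")

# UDP ports assigned to IKE; a listener on any of them means IKE is active.
IKE_UDP_PORTS = {500, 4500, 848, 4848}

# Constructed sample: a router with an IPsec crypto map applied to an interface.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-router
!
crypto isakmp policy 10
 encr aes
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.10
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
!
"""

# Constructed sample: `show udp` style listener table (format is an assumption).
SAMPLE_SHOW_UDP = """\
Proto        Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          198.51.100.1    500   0   0 1001011   0
 17       --listen--          198.51.100.1   4500   0   0 1001011   0
 17       --listen--          198.51.100.1    123   0   0 1001011   0
 17(v6)   --listen--          ::               500   0   0 1020011   0
"""

# One "--listen--" row: protocol 17 (optionally tagged v6), local address, local port.
_LISTEN_ROW = re.compile(r"^\s*17(?:\(v6\))?\s+--listen--\s+(\S+)\s+(\d+)\b")


def find_ike_config(running_config: str) -> list[str]:
    """Return every configuration line that starts with an IKE indicator.

    Lines are stripped first so statements nested under an interface
    (e.g. ' crypto map VPNMAP') are caught as well as top-level ones.
    """
    hits: list[str] = []
    for line in running_config.splitlines():
        stripped = line.strip()
        if any(stripped.startswith(indicator) for indicator in IKE_CONFIG_INDICATORS):
            hits.append(stripped)
    return hits


def find_ike_listeners(show_udp: str) -> list[tuple[str, int]]:
    """Return (local address, port) for every UDP listener on an IKE port."""
    listeners: list[tuple[str, int]] = []
    for line in show_udp.splitlines():
        match = _LISTEN_ROW.match(line)
        if match is None:
            continue
        port = int(match.group(2))
        if port in IKE_UDP_PORTS:
            listeners.append((match.group(1), port))
    return listeners


def assess(running_config: str, show_udp: str) -> dict:
    """Combine both checks; either indicator alone means IKE is active."""
    config_hits = find_ike_config(running_config)
    listeners = find_ike_listeners(show_udp)
    return {
        "config_indicators": config_hits,
        "listeners": listeners,
        "ike_active": bool(config_hits or listeners),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_UDP)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A device that reports `ike_active` is True should be treated as exposed to CVE-2016-6415 until the fixed software is applied; a device with no indicators in either output is outside the advisory's affected configuration.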
The vulnerability is already being exploited by attackers in targeted attacks.
The Cisco Product Security Incident Response Team (PSIRT) is aware of what customers are running.
An update closing the vulnerability has not yet been released.
Below is a table of ESET antivirus product detections for Equation Group exploits.