Fortinet and Cisco have confirmed their security software was affected by the alleged hack on the National Security Agency last week. Both companies said vulnerabilities included in the data dump posted online by the so-called Shadow Brokers affected their products.
Cisco also confirmed that the NSA-linked “ExtraBacon” zero-day exploit can be used to attack Cisco Adaptive Security Appliance (ASA) software designed to protect corporate networks and data centers.
“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code,” said Cisco in its security advisory.
The vulnerability is the outcome of a buffer overflow in the affected code area, and affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system, said Cisco.
An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.
Fortinet also affirmed that FortiGate firmware (FOS) released before Aug 2012 has a cookie parser buffer overflow vulnerability. This vulnerability, when exploited by a crafted HTTP request, can result in execution control being taken over.
Affected firmware versions are lower versions of the 4.x firmware release; FOS 5.x firmware is not affected, said Fortinet. The investigation is continuing for other Fortinet products.
Cisco Workarounds
Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command.
The SNMP chapter of the Cisco ASA Series General Operations CLI Configuration Guide explains how SNMP is configured in the Cisco ASA.
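One way to check the "trusted users only" workaround against an exported ASA configuration is sketched below; this is an added example, not Cisco's code. The sample configuration is constructed, and the trusted manager range, the list of guessable community strings and the assumption that community strings appear unmasked in the export are all illustrative.

```python
import ipaddress
import re

# Constructed sample of ASA snmp-server lines (not from a real device).
SAMPLE_CONFIG = """\
snmp-server host inside 192.0.2.10 community public version 2c
snmp-server host inside 192.0.2.11 poll community Xk9-mgmt-ro version 2c
snmp-server host outside 203.0.113.50 community Xk9-mgmt-ro version 2c
snmp-server community Xk9-mgmt-ro
"""

# Assumption: the only management stations allowed to use SNMP.
TRUSTED_MANAGERS = [ipaddress.ip_network("192.0.2.0/28")]
# Assumption: strings an attacker would try first.
GUESSABLE = {"public", "private", "cisco", "snmp"}

HOST_RE = re.compile(r"^snmp-server host (?P<ifc>\S+) (?P<ip>\S+)")
COMMUNITY_RE = re.compile(r"\bcommunity (?P<c>\S+)")


def audit_snmp(config, trusted=TRUSTED_MANAGERS):
    """Return (line_no, line, reason) for each risky snmp-server line."""
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("snmp-server "):
            continue
        host = HOST_RE.match(line)
        if host:
            try:
                ip = ipaddress.ip_address(host.group("ip"))
            except ValueError:
                findings.append((no, line, "unparseable host address"))
                continue
            # SNMP access should be limited to known managers.
            if not any(ip in net for net in trusted):
                findings.append((no, line, "host outside trusted manager range"))
        # The exploit requires the community string, so a guessable
        # one removes the only precondition the advisory names.
        comm = COMMUNITY_RE.search(line)
        if comm and comm.group("c").lower() in GUESSABLE:
            findings.append((no, line, "guessable community string"))
    return findings


if __name__ == "__main__":
    for no, line, reason in audit_snmp(SAMPLE_CONFIG):
        print(f"line {no}: {reason}: {line}")
```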
Cisco plans to release software updates to address this vulnerability.