Firewall providers Cisco and Fortinet have both issued security advisories confirming that vulnerabilities exposed by the mysterious Shadow Brokers, who recently claimed to have hacked and stolen cyberweapons from NSA-linked Equation Group and put them up for auction, do exist and affect their products. Both companies have issued fixes addressing the exploits that were recently made public, adding to the mounting evidence that the data exposed in the high-profile leak is legitimate.
Cisco identified two flaws affecting Cisco Adaptive Security Appliance (ASA) devices, which are commonly used to protect networks and data centres. Both vulnerabilities were remote code execution flaws, meaning an attacker who knew how to exploit them could do so remotely from anywhere in the world.
"Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention," the company said in a statement. "On Aug 17, 2016, we issued two security advisories, which deliver free software updates and workarounds where possible."
One of the vulnerabilities – Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability – was a newly discovered buffer overflow defect, referred to in the Equation Group leak as EXTRABACON. Rated as a high-severity threat by Cisco, the zero-day exploit allowed an attacker to remotely execute malicious code on affected devices and obtain full control of the vulnerable system, or to reload the system.
The company said the second vulnerability affecting Cisco products was already fixed back in 2011. The medium-severity exploit, referred to in the NSA cache as EPICBANANA, could have potentially allowed an attacker to create a denial of service (DoS) condition or execute arbitrary code.
"We have issued a formal security advisory to increase its visibility with our customers so they can ensure they are running software versions that defend against the exploit Shadow Broker has shared," Cisco's Omar Santos wrote.
Santos noted that a hacker could have exploited this vulnerability by "invoking certain invalid commands in an affected device. The attacker must know the telnet or SSH password in order to successfully exploit an affected device."
Fortinet also issued an advisory warning users of another vulnerability affecting its own firewalls. The company said that FortiGate firewall software released before August 2012 contained a high-severity "cookie parser buffer overflow vulnerability."
"This vulnerability, when exploited by a crafted HTTP request, can result in execution code being taken over," the advisory warned. "We are actively working with customers and strongly recommend that all customers running 4.x versions update their systems with the highest priority." The company said it would continue to investigate whether any of its other products are vulnerable as well.
Other firms whose products appear to have been exploited by the Equation Group, including Juniper and Topsec, have not released any advisories yet.
Juniper spokeswoman Leslie Moore told the Washington Post that the company was reviewing the released file.
"If a product vulnerability is identified, we will address the matter and communicate to our customers," Moore said.
Former NSA personnel recently confirmed that the leak of advanced hacking tools does seem to be authentic. Russian cybersecurity firm Kaspersky Lab also found that hundreds of tools from the leak do "share a strong connection" to the malware from the Equation Group.
"Without a doubt, they're the keys to the kingdom," one former Tailored Access Operations employee told the Washington Post. "The stuff you're talking about would undermine the security of a lot of major government and corporate networks both here and abroad."
On 13 August, the anonymous hacking group claimed to have infiltrated the Equation Group's computer systems, saying they have stolen some of its advanced cyberweapons and are auctioning them off. They have provided two files so far – a sample of the stolen data to legitimise their claims and a second encrypted file, the decryption key for which is being auctioned off for a hefty 1m Bitcoin (more than $550m).
Following Shadow Brokers' announcement of the alleged leak, the NSA's website suffered unexplained downtime for almost two days which the agency later blamed on bad weather.
WikiLeaks, claiming to have access to the data, has announced that it will soon publish its own "pristine copy".