Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Security Privacy Software News Technology

Cisco Patches 'ExtraBacon' Zero-day Exploit Leaked By NSA Hackers (dailydot.com) 100

Patrick O'Neill quotes a report from The Daily Dot: After a group of hackers stole and published a set of NSA cyberweapons earlier this week, the multibillion dollar tech firm Cisco is now updating its software to counter two potent leaked exploits that attack and take over crucial security software used to protect corporate and government networks. "Cisco immediately conducted a thorough investigation of the files released, and has identified two vulnerabilities affecting Cisco ASA devices that require customer attention," the company said in a statement. "On Aug. 17, 2016, we issued two Security Advisories, which deliver free software updates and workarounds where possible." The report adds: "An unknown group of hackers dubbed the Shadow Brokers posted cyberweapons stolen from the so-called Equation Group, the National Security Agency-linked outfit known as 'the most advanced' group of cyberwarriors in the internet's history. One of the cyberweapons posted was an exploit called ExtraBacon that can be used to attack Cisco Adaptive Security Appliance (ASA) software designed to protect corporate networks and data centers. 'ExtraBacon targets a particular firewall, Cisco ASA, running a particular version (8.x, up to 8.4), and you must have SNMP read access to it,' Khalil Sehnaoui, a Middle East-based cybersecurity specialist and founder of Krypton Security, told the Daily Dot. 'If run successfully, the exploit will enable the attacker to access the firewall without a valid username or password.' ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."
This discussion has been archived. No new comments can be posted.

Cisco Patches 'ExtraBacon' Zero-day Exploit Leaked By NSA Hackers

Comments Filter:
  • Oh, really? (Score:3, Interesting)

    by Anonymous Coward on Wednesday August 17, 2016 @07:50PM (#52722887)

    ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools.

    Yeah, sure, because Cisco has never co-operated with any of the TLAs in the past.

    • by Anonymous Coward

      ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools.

      Should add that in addition to the NSA it was also probably known by the PLA, FSB, Israel, UK and random criminal hacker gangs. Thanks NSA, thanks for keeping that intelligence flowing.... in both directions.

      • NSA seems to be so blinded by their goal of finding and exploiting weaknesses, that they completely forget or ignore the idea of protecting the citizens of their own nation. I see little difference between NSA and hackers. Both work hard to endanger me and my neighbours.

        imo, NSA is a danger to our national security. At this point, I would vote to throw out the baby with the bathwater.

  • by Anonymous Coward on Wednesday August 17, 2016 @08:00PM (#52722927)

    But I support anything related to bacon

  • Does anyone here really believe this cyber bullshit?
    • by Anonymous Coward on Wednesday August 17, 2016 @08:17PM (#52722999)

      Yes I do believe it. Snowden was no super spy. He was a mid level IT grunt and he took everything including their lunch money. That means that spies with real training and skills, like the FSB, are walking out with arm loads of top secret stuff every day.

      • by sjames ( 1099 )

        It's funny how fast this [photobucket.com] can become this [nocookie.net].

      • Yeah, that's the other patriotic favor Snowden did for us--he demonstrated our security procedures are shite.

        Consider: If the bureaucrats breaking the law willy nilly weren't even able to competently keep the secrets that (theoretically, of course, in real life we know it's not happening) could have landed them all in the Federal pokey for many years, what chance did they have of keeping national security secrets?

    • by TigerPlish ( 174064 ) on Wednesday August 17, 2016 @08:34PM (#52723057)

      Does anyone here really believe this cyber bullshit?

      Yes, yes I do.

      Rationale being: "Government is inept at best and criminal at worst. A happy medium is they being criminally inept. NSA is a Government agency, ergo all the batshit insane ineptness that infects the Government also infects the NSA"

      So yes, I believe the NSA got owned, and now begins the rearranging of deckchairs. A few people will be fired or otherwise disposed of, new techniques and tools will be developed, and life will be back to its nefarious normality again.

      But for now, grab your bacon, popcorn and intoxicant of choice, sit back and watch! This may be the best damn show of our age!

      (or it may be a brilliant piece of mis-direction, which would not make it any less real, just thornier and harder to decipher)

      • This thing of the government being inept, have you seen private bureaucracies at work?
        Big corporate bureaucracies are as inept most of the time as state bureaucracies. The moment you have an organization with more than 100 people and company policies or laws start to encroach and accumulate to prevent abuses or set preferred policies then as time goes by you'll see a mismatch between desired outcomes and real outcomes.

        Now, the problem is that at this point incremental improvements in productivity, techno
        • by tnk1 ( 899206 )

          Yes, my problem with big government is the same as my problem with big business organizations. They're effectively equivalent.

          Although I think Big Government is a bit more nefarious because it presents itself as being on the side of the People, and there are whole parties in the USA like the Democratic Party, who buy into how Big Government can solve all problems. The reality is that the advantage of elections over shareholders just redirects the inefficiency, but not even as much as you might think.

          We've

        • To take this one step further, everyone is inept: you, your friends, the company you work for (even if it's Google), Volkswagen, every other company, NASA (remember Mars Climate Orbiter, Challenger and Columbia), the USG, the Soviet government (obviously!), the Russian government, and every other government. We all have our limitations, and to the extent we have a blind spot for those limits, we are inept.

          Excep me.

        • This thing of the government being inept, have you seen private bureaucracies at work?

          After working for a decade and a half in the private sector, yes, I have seen private red tape and wonder just how exactly money is made, given the overall disjointedness of it all.

          PFM, I suppose.

    • by Anonymous Coward

      No. Would not surpise me at all if the NSA was the one's that leaked these security tools. They were circa 2013, which in the cyber security /zero day exploit/ world is like 2 decades old. They have moved on to different strategies.

      If the NSA knew that our adversaries already had these discorvered these exploits, what better way to alert the various impacted software/device manufacturers, than a high profile ransom leak. They patch them and the NSA never really admits they exploited them in the first pl

    • Yes, I believe it. Why would it be so unbelievable, because all of the hardware and software that any organization, including the NSA, runs is so bulletproof? There are bugs in nearly every internet-facing device or application, and sometimes those bugs allow access to people that shouldn't have it.

      The real interesting thing about this is that this leak may cause all or most of the affected vendors to patch the bugs that the NSA has been exploiting.

  • by Anonymous Coward

    I understand the NSA's desire to utilize zero-day vulnerabilities, but by doing so, they ultimately weaken national security.

    • by Anonymous Coward

      This is why the government should absolutely never get backdoors into smartphones, or any other device. Every backdoor they force a company to put in is just one more secret that will get stolen and one more vulnerability that will get exploited by bad people.

  • Q4 earnings, layoffs (Score:2, Interesting)

    by Anonymous Coward

    Lovely timing with their earnings report. Hope they don't need those 14K/20% of workforce employees now...

    Seriously: Fuck Cisco. I hope their stock value plummets. I'm tired of this fucking fuckery.

    I will take my damn extra bacon though, cause bacon.

  • by TomR teh Pirate ( 1554037 ) on Wednesday August 17, 2016 @08:17PM (#52722997)
    In past posts on Slashdot, the idea that the government should have backdoors into various systems that would allegedly be used only for legitimate criminal investigations. The security experts poo-pooed the idea, saying that all manner of things would go wrong, and this appears to be the day of reckoning. The government of course claims that this would never be a problem.

    Security researchers 1, NSA 0

    Is anybody here really surprised?
    • by AHuxley ( 892839 )
      It all worked so well for the US and UK from the 1920's until the 1990's. Tame telco networks happy to share all the data, the ability to tap into global communications was easy given total access to all phone connections. Collect it all was cheap and the budgets just flowed in every year for new partnerships with the private sectors.
      Junk consumer crypto, a lack of hardware and software saw the global product flow to waiting the US intelligence customers.
      In the past decade or so the skill set of any bud
      • Can the wider US intelligence community fully trust raw data gathered by the NSA? Could massive budgets sway back to the CIA, FBI for a more secure approach or a massive expansion of other global signals collection efforts be considered? A shift in decades of post Vietnam political patronage..

        Will all past product have to be reevaluated? Will other US agencies suggest they can do better and request their own new collection budgets?

        Find out next week, in another exciting episode of "Real Government Shinagigans"

      • "...For how long has well crafted disinformation over some time been acted on by the US without been noticed..."

        Since the first Iraq war? Earlier?

        • "...For how long has well crafted disinformation over some time been acted on by the US without been noticed..."

          Since the first Iraq war? Earlier?

          I believe George Washington was the first to include "spycraft" into the U.S. government. 8-)

          Of course, we had a different government before that...

    • Comment removed based on user account deletion
  • by Anonymous Coward

    Odds are, they bought zero-days on the dark net, and that those same exploits were sold to other parties.

    Even if this is not the case, the conclusion applies.

    Conclusion: The NSA actively sought zero-day exploits and no doubt used then without notifying the vendors involved, including US companies (this is important).

    So the NSA performed illegal exploits against US companies. It's difficult to argue otherwise. These companies have been hurt financially (Snowden releases), so the NSA has effectively attack

  • So... (Score:5, Interesting)

    by sshir ( 623215 ) on Wednesday August 17, 2016 @08:26PM (#52723031)
    NSA _and_ Russians had access to to all thus firewalled networks for 3 years... Should Cisco and it's customers start lawyering up?
    • by Anonymous Coward

      if you leave your firewalls exposed to snmp read from anything then you should not be anywhere near anything security related.

    • NSA _and_ Russians had access to to all thus firewalled networks for 3 years... Should Cisco and it's customers start lawyering up?

      Are you serious? The entire point of a government is that they can do things that are illegal for everybody else (ostensibly because they are morally indefensible actions) and never face any consequences for their actions. Everything else is just various arrangements of that maxim.

  • by Anonymous Coward

    that the data files are indeed genuine. Cisco may have known about this for years, maybe not, who cares? Fact is, Cisco has confirmed that the exploits relating to them are genuine.

    This convinces me that Linus' rather blase' attitude towards security needs to be readdressed. Linux is the most widely-used Open Source OS for DIY and newcomer switch/router/firewall vendors. Linux can pretty much chown the market, if it can be reliably secured. OpenBSD is the next potential OS, but it's slower and the Book of P

  • by Chris ( 4631445 ) on Wednesday August 17, 2016 @08:28PM (#52723037)

    I can't begin to take people seriously who talk about security if they don't get the basic gist that in order to build a secure system you must release the complete set of corresponding source code. Security is not something you can just bolt on after the fact. You don't get security simply by releasing the code. But without it you can't design a secure system. This is why all Intel and AMD systems are fundamentally flawed. We don't have the complete set of source code to critical secondary processors which have complete access to everything else. And what does the code on these secondary processors do? They include a lot of bloat including remote control functionality. It's not a secret. It's a back door in plane sight. They make it really easy to write off the back door as a feature, but it's clearly not to anybody who has even a remote understanding of the dangers here. You can't disable it. You can't design a system without it. You're simply screwed if the a high legal intelligence agency wants access to your computer and they haven't got some other means of obtaining said monitoring. It's not something that is going to be used lightly- because they it would become apparent. No. They'll utilize other tools for mass-spying. But for those that actually utilize GPG and similar it's a serious security threat.

    • by jwymanm ( 627857 )
      If we ever see large secure open systems it'll be by the time AI has developed them so the source code itself will not be even necessary unless you want to trust human audits of possibly constantly changing code. There's no way also to prove once something ships that the hardware doesn't have some embedded self modifying code forced by gov agencies on the company or random UPS guy delivering your package. I'm not arguing against open systems I am just stating pretty much where there is a will there is a way
    • by WallyL ( 4154209 )

      It's a back door in plane sight.

      So they should be able to see it from a bird's-eye view, right?

  • by sshir ( 623215 ) on Wednesday August 17, 2016 @08:51PM (#52723111)
    Does anybody know what's going on with that auction? Because it seems now that those crazy hackers do have some serious goods on them...
    • Re:Auction? (Score:4, Funny)

      by BoRegardless ( 721219 ) on Wednesday August 17, 2016 @10:02PM (#52723295)

      Is this the "ONLY" bacon exploit those hackers have, or do they keep the juicy bacon hidden from the 'Criscos' of the world.

    • Re:Auction? (Score:4, Insightful)

      by AmiMoJo ( 196126 ) on Thursday August 18, 2016 @03:31AM (#52723979) Homepage Journal

      The auction is just to humiliate the US and the NSA. Looking at the file dates it seems likely this data was extracted back in 2013 and presumably the exploits have been in use since then. For political reasons they have decided to go public now.

      The auction is just to give a bit of cover and extra embarrassment that common criminals in it for the money, rather than another nation state, were able to hack the NSA.

  • First this assumes (for the ASA one at least) you are exposing SNMP on some interface reachable by *badGuys". If you are dumb enough to expose SNMP (even > v2 ) over a raw/public side interface, you are a moron. Typically one would expose SNMP or even SSH for control/monitoring only on your control plane. If bad guys are routing into your control network (why are you allowing this to be a routable network anyways?) you have a bigger problem. Also, you need to know the community string. If you're no
    • SNMP doesn't have to be exposed on a public interface just an internal one, perhaps less secured, that the black hats have already compromised.

  • by breagerey ( 758928 ) on Thursday August 18, 2016 @04:44AM (#52724099)
    The exploit is specific to ASA software versions 8.0 - 8.4
    8.5 was released in March of 2012.
    The current version of ASA software is 9.6
    http://www.cisco.com/c/en/us/t... [cisco.com]

    Why would anybody still be running 8.0 - 8.4 ??
    • by bsDaemon ( 87307 ) on Thursday August 18, 2016 @05:45AM (#52724205)

      Because their network is working, they don't need new features and they either don't have time, care or requirements to check security notes when they are released? "If it isn't broken, don't fix it" can be a powerful drug.

      • "If it isn't broken, don't fix it" can be a powerful drug.

        I am addicted to the "If it ain't broke, fix it till it is" drug, personally...

    • by Anonymous Coward

      Posting anonymous, for obvious reasons. Up until recently, we ran an ASA with version 8.2, because it handled a very important VPN function with high-ranking users. In 8.3 (fuzzy memory, someone back me up?), the syntax for NATs and a bunch of other commands changed drastically, and we didn't have the manpower to change it over to the new syntax, test it, and verify correctness. We finally got SmartNet on it and got Cisco on the phone to help change it over when a new admin pointed out all of the recentl

    • by AmiMoJo ( 196126 )

      It's a taster of what they have, older but still previously unknown (hence the 0-day, it's been known publicly about for zero days) vulnerabilities that they give away for free to illustrate what the winner of the auction will get. Unless the auction is a scam I'd expect it to include exploits for more recent versions.

    • by mjwx ( 966435 )

      Why would anybody still be running 8.0 - 8.4 ??

      The Cisco ASA, especially at the lower end is designed for small to medium businesses. A metric shitload of them will be using them as set and forget devices, only updating them when they have to. If they've never had an serious issue with them, they'd still be running older firmware March 2012 is not that log ago. It would have been installed later than that considering that stock in boxes wont have been updated in March 2012.

      Sure most businesses would have updated, but dont kid yourself that no-one is run

    • Reading the Cisco advisory, this honestly doesn't seem like a huge problem. In addition to needing SNMP connectivity to the ASA (which in any competent installation would be blocked from Internet) you also need the SNMP Community String.

      Here is the advisory: https://tools.cisco.com/securi... [cisco.com]

      Am I missing something?

    • by Cramer ( 69040 )

      Because of the specific device they have (5505 can't run 9.6, for example.) Or because their "certified configuration" requires a specific version.

      Also, as others have mentioned (and will CONTINUE to mention), 8.3+ significantly fucked up the NAT configuration language. I will switch vendors before I use that fucked up shit.

  • ExtraBacon was a zero-day exploit, Cisco confirmed. That means it was unknown to Cisco or its customers, leaving them open to attack by anyone who possessed the right tools."

    No, that's not what it means. It means that they claim that it was unknown to them. Cisco has demonstrated that they cannot be trusted by inserting obviously intentional back doors. Forever after now we can never safely assume that a security vulnerability in a Cisco product was unintentional.

  • by sshir ( 623215 ) on Thursday August 18, 2016 @12:15PM (#52726495)
    Interesting note: There are no frontpage articles about NSA hack among major American news outlets. It is/was on BBC, Guardian, etc. But not on CNN, WSJ, NYtimes...

    Hmmm....

To stay youthful, stay useful.

Working...