Equation Group Hack: Cisco ASA and FortiGate Vulnerabilities

By now you must have heard about the Equation group hack, Shadow Brokers, NSA ANT catalog and an entire gamut of information. Here I will update on what we have confirmed and how it affects your patching effort.

We were able to confirm the Cisco ASA (Advance Security Appliance) SNMP remote code execution issue. This is a buffer overflow issue that affects all versions of SNMP. An attacker can exploit this issue by sending specially crafted SNMP packets. Once that is done Cisco ASA will allows users to login with any random username/password string. The attacker must know the community string to launch the exploit and a detailed analysis of this vulnerability can be found in our ThreatPROTECT module. As a workaround administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command. Qualys has released QID 316025 in VM for customers to detect the presence of vulnerable systems.

We were also able to verify the FortiGate HTTP vulnerability which allows attackers to send a specially crafted HTTP request which can result in remote administrative access for attackers. The attack is based on E-tags in the HTTP request and the behavior of the firewall is peculiarly interesting.  A detailed technical post for FortiGate can be found in our ThreatPROTECT module. As a workaround you can disable admin access via HTTP and HTTPS and use SSH instead wherever possible. Since patches are now out we highly recommend updating to the latest patch level as soon as possible. Qualys has released QID 43499 in VM for customers to detect the presence of vulnerable systems.