NSA's Cisco PIX exploit leaks
Cisco PIX firewalls can be made to cough up their VPN configurations and RSA private keys, allowing network eavesdroppers to decrypt secure connections. The NSA's Equation Group exploit code – leaked online this week – includes a tool called BENIGNCERTAIN that crafts and sends a special Internet Key Exchange (IKE) packet to …
COMMENTS
-
Saturday 20th August 2016 06:20 GMT Anonymous Coward
On Friday, Cisco confirmed that PIX versions 6.x and prior are vulnerable to BENIGNCERTAIN, while version 7.0 and later are not. It's worth noting that Cisco fully discontinued support for its PIX gear in 2013.
Spooky! ;o)
It was nice of the NSA to have told Cisco about these holes. Er, wait.
Told Cisco about these holes? Or NSA told Cisco exactly where to put these holes?
Not sure "nice" would have been my adjective of choice...
-
Saturday 20th August 2016 13:28 GMT Anonymous Coward
Looking at how many developers work, the NSA really doesn't need to tell them where to put holes; it just has to look for them, which is quite easy if it also has access to the source code.
I had a quite heated discussion with a developer a few weeks ago because he didn't want to put some checks in the code that I explicitly asked for, because he thought a "normal" application wouldn't need them (note: the application is a service running with elevated privileges, which makes it very dangerous if compromised).
But you have to protect against "abnormal" situations where an attacker tries to subvert normal execution paths. Many developers lack the "lateral thinking" needed to understand how their code can be bent to do what it is not designed for. And many try to write code with the minimum effort. Bugs like these are often the result.
-
Saturday 20th August 2016 19:35 GMT Alan Brown
" And many try to write code with the minimum effort."
Not only that but the culture extends to expending minimum effort fixing bugs too.
(FWIW: I'm currently banging heads against Huawei on this very issue. Cisco and chums aren't the only ones guilty, it's just that the NSA has access to their source code.)
Experience (with Suse and Redhat, amongst others) runs like this:
You've got this hole. There may be others.
"Fixed."
Tested. You've got this other hole. There may be others.
"Fixed."
Tested. You've got this other hole. There may be others. Have you bothered actually checking this stuff?
"You're a wanker and I won't work with you anymore. We refuse any more bug reports from you"
Some months later the media report the same holes in various bits of software they haven't bothered checking, and there's a mad panic to fix it before the script kiddies all pile in.