5 Things Partners Need To Know About New NSA-Related Vulnerabilities

Danger Ahead

In what might end up being one of the biggest stories of the year, last week a hacking group called the Shadow Brokers revealed part of what it claimed to be a massive database of hacking tools, allegedly tied to the NSA. For partners, the zero-day vulnerabilities revealed are critical, as they publicly announced flaws in popular security software from Cisco, Juniper, Fortinet and more. While facts from the information dump are still emerging, here's what partners need to know about what's been revealed so far and what fixes vendors have rolled out to address the issue for clients.

What Actually Happened?

On Saturday, a group calling itself the Shadow Brokers posted a blog offering to sell what it said were U.S. government hacking tools, asking a price of $1 million bitcoin. The hackers claimed to have taken the zero-day "cyber weapons" from a group called the Equation Group, which is believed by many to be the NSA. The dump included installation scripts, configurations for command and control servers, and exploits for multiple vendors' routers and firewalls.

Who Is Responsible?

Attribution is often one of the hardest parts of investigating a data breach. In this case, it remains unclear exactly who the Shadow Brokers group that posted the hacking tools dump is. The hacking group was unknown before posting the information, but many speculate that it is Russian, given the broken English and the timing of the posting. Another theory is that the group is actually an NSA insider, like Edward Snowden, as that would make it easier to steal the data involved in the dump.

What Technology Is Affected?

Vendors affected by the dump include Cisco, Juniper and Fortinet, as well as Chinese vendors Shaanxi Networkcloud Information Technology and Beijing Topsec Network Security Technology. For Cisco, the technology affected includes some PIX and ASA firewalls. Cisco has confirmed two zero-days in its ASA firewalls. Fortinet's affected technology includes versions of FortiGate 4.x.

What Are The Vendors Saying?

Both Cisco and Fortinet have come out with statements around the Shadow Brokers dump. Cisco has had the biggest response, posting a blog post, an event response page, two security advisories confirming two of the vulnerabilities, and step-by-step guides to mitigate the issues. Cisco said it "immediately conducted a thorough investigation of the files released." Fortinet also posted a security advisory about the "high" level vulnerability concerning FortiGate 4.x, saying the "investigation is continuing for other Fortinet products."

What Can Partners Do To Protect Clients?

In its advisory, Fortinet recommended those using FortiGate 4.x upgrade to release 5.x or release 4.3.9 or later, as those versions are not affected by the vulnerability. In its own advisories about the two confirmed vulnerabilities, Cisco provided a workaround for the Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability, but has not yet released a software update to address it. For the Cisco Adaptive Security Appliance CLI Remote Code Execution Vulnerability, Cisco released a software update resolving the issue affecting Cisco ASA software releases prior to 8.4(1).
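To turn the version ranges above into a quick inventory triage, here is an added example (not from the article or either vendor) that parses Cisco ASA release strings such as 8.4(1) and FortiGate dotted releases, then flags each device against exactly the ranges stated in the advisories summarised here. The inventory entries and device names are constructed for the example; the SNMP RCE has only a workaround, so every ASA is flagged for it.

```python
import re
from typing import Dict, List, Tuple

# Ranges taken from the advisories described above.
ASA_CLI_FIXED = (8, 4, 1, 0)      # CLI RCE affects ASA releases prior to 8.4(1)
FORTI_4X_FIXED = (4, 3, 9)        # FortiGate 4.x: 4.3.9 or later is not affected

def parse_asa_version(v: str) -> Tuple[int, ...]:
    """Cisco ASA versions look like '8.4(1)' or '9.1(2)5' (interim build suffix).
    Returns a 4-tuple (major, minor, maintenance, interim) for safe comparison."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)(\d+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised ASA version: {v!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))

def parse_dotted(v: str) -> Tuple[int, ...]:
    """FortiGate releases are plain dotted numbers such as '4.3.8'."""
    if not re.fullmatch(r"\d+(\.\d+)*", v.strip()):
        raise ValueError(f"unrecognised FortiGate version: {v!r}")
    return tuple(int(p) for p in v.strip().split("."))

def asa_cli_affected(version: str) -> bool:
    """True when the release is prior to 8.4(1)."""
    return parse_asa_version(version) < ASA_CLI_FIXED

def fortigate_status(version: str) -> str:
    """'affected' for 4.x below 4.3.9, 'not affected' for 4.3.9+ and 5.x,
    'unknown' for anything the advisory summary does not cover."""
    ver = parse_dotted(version)
    if ver[0] == 4:
        return "affected" if ver < FORTI_4X_FIXED else "not affected"
    if ver[0] == 5:
        return "not affected"
    return "unknown"

def triage_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each device name to the actions the advisories call for."""
    actions: Dict[str, List[str]] = {}
    for name, platform, version in inventory:
        todo: List[str] = []
        if platform == "asa":
            todo.append("SNMP RCE: apply the Cisco workaround (no software fix yet)")
            if asa_cli_affected(version):
                todo.append("CLI RCE: upgrade to 8.4(1) or later")
        elif platform == "fortigate" and fortigate_status(version) == "affected":
            todo.append("FortiGate 4.x: upgrade to 4.3.9 or later, or to 5.x")
        actions[name] = todo
    return actions

# Constructed sample inventory: (device name, platform, running version).
INVENTORY = [("fw-edge-1", "asa", "8.2(5)"), ("fw-dc-1", "asa", "9.1(2)5"),
             ("fg-branch-1", "fortigate", "4.3.8"), ("fg-hq-1", "fortigate", "5.2.0")]
```

Running `triage_inventory(INVENTORY)` lists two actions for fw-edge-1, one (the SNMP workaround) for fw-dc-1, one for fg-branch-1 and none for fg-hq-1.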