Cisco Finds Zero-Day Vulnerability in CIA Attack Tool Dump
Flaw Affects 318 Cisco Devices, No Patches Yet Available
Cisco has issued a security alert warning that 318 of its devices have a zero-day vulnerability in their firmware that unauthenticated, remote attackers could exploit "to execute arbitrary code and obtain full control of the device or cause a reload of the affected device."
The flaw exists in the Cluster Management Protocol processing code in Cisco IOS and Cisco IOS XE Software that run on its various devices, including switches. Cisco says it can be exploited on any vulnerable device that's configured to accept incoming telnet connections.
Cisco says it discovered the vulnerability "during the analysis of documents related to the Vault 7 disclosure," referring to the trove of alleged CIA hacking tool documents, known as Vault 7, that WikiLeaks leaked on March 7.
Cisco didn't immediately respond to a request for comment about whether it discovered the CMP processing code flaw by reviewing the Vault 7 documents that have been publicly released or whether it had received specific details from WikiLeaks that the organization has not yet made public.
As yet, there's no full fix for the CMP flaw. "There are no workarounds that address this vulnerability," Cisco's alert says.
Thankfully, Cisco says that it "is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory." But if details of the flaw were contained in a CIA hacking-tool dump, any potential victims may also not be aware of any attacks, even after they've been hacked.
Pending a full fix, Cisco recommends that organizations disable telnet and enable SSH on all of their devices running Cisco IOS. "Disabling the telnet protocol as an allowed protocol for incoming connections would eliminate the exploit vector," the company says.
For organizations that can't or won't disable telnet, Cisco says that implementing infrastructure access control lists "can reduce the attack surface."
"Infrastructure ACLs are used to minimize the risk and effectiveness of direct infrastructure attack by explicitly permitting only authorized traffic to the infrastructure equipment while permitting all other transit traffic," according to an overview from Cisco.
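A defensive check for the mitigation described above, as an added example that is not from the article or from Cisco: it audits the `line vty` blocks of an IOS running-config for lines that still accept telnet. The sample configuration, the ACL name `MGMT-ONLY` and the finding labels are constructed; the per-line `access-class` check is an assumption of this example and is a narrower control than the interface-level infrastructure ACLs Cisco describes.

```python
import re

# Finding labels (constructed for this example).
TELNET = "telnet accepted"
UNSET = "transport input unset (platform default applies, verify telnet is off)"
NO_ACL = "no inbound access-class"

# Constructed sample running-config fragment, not taken from any real device.
SAMPLE_CONFIG = """\
hostname lab-switch
!
line con 0
line vty 0 4
 access-class MGMT-ONLY in
 transport input ssh
line vty 5 15
 transport input telnet ssh
line vty 16 31
 login local
!
end
"""

def audit_vty(config):
    """Return {vty range: [findings]} for every 'line vty' block in the config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):          # any top-level line closes the open block
            m = re.match(r"line (vty \d+(?: \d+)?)\s*$", raw)
            current = m.group(1) if m else None
            if current:
                blocks[current] = []
        elif current and raw.strip():        # indented sub-command of a vty block
            blocks[current].append(raw.split())
    report = {}
    for name, cmds in blocks.items():
        findings = []
        transports = [c[2:] for c in cmds if c[:2] == ["transport", "input"]]
        if not transports:
            findings.append(UNSET)           # default differs by release, so flag it
        elif {"telnet", "all"} & set(transports[-1]):
            findings.append(TELNET)          # last 'transport input' line wins
        if not any(c[0] == "access-class" and "in" in c[2:] for c in cmds):
            findings.append(NO_ACL)          # line has no per-line source restriction
        report[name] = findings
    return report

if __name__ == "__main__":
    for line, findings in audit_vty(SAMPLE_CONFIG).items():
        print(line, "->", findings or ["ok"])
```
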
Life After Vault 7
Numerous technology firms, including Apple, began poring through the Vault 7 documents upon their release. "While our initial analysis indicates that many of the issues leaked were already patched in the latest iOS, we will continue work to rapidly address any identified vulnerabilities," an Apple spokesman told Information Security Media Group on March 8. "We always urge customers to download the latest iOS to make sure they have the most recent security updates."
WikiLeaks has not revealed the source of the Vault 7 information, but it claims that the information it received was already circulating underground and criticized the CIA for losing control of it. "This is a historic act of devastating incompetence to have created such an arsenal and stored it all in one place and not secured it," WikiLeaks founder Julian Assange said in a March 9 video statement. "WikiLeaks discovered the material as a result of it being passed around."
The CIA has so far declined to comment on the authenticity of "purported intelligence documents released by Wikileaks or on the status of any investigation into the source of the documents," as the agency put it in a March 8 statement.
But it criticized such leaks, warning that "such disclosures ... equip our adversaries with tools and information to do us harm."
WikiLeaks Promises Exclusive Access
WikiLeaks says it has withheld Vault 7 information from public release that could be used by others to exploit software or hardware, and it has promised to work directly with vendors to get fixes in place before the bugs get publicly detailed in full.
"We have decided to work with them, to give them some exclusive access to some of the technical details we have, so that fixes can be pushed out," Assange said in his March 9 video statement.
On March 14, WikiLeaks tweeted that it had "contacted Apple, Microsoft, Google, Mozilla & MicroTik [sic] to help protect users against CIA malware."
But it's not clear that all of those organizations have decided to work with WikiLeaks (see 7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks).
"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokeswoman tells ISMG, referring to the company's bug-reporting channel. But she declined to comment further.
MikroTik, however, says that it has not heard from WikiLeaks, although it has released patches based on information contained in the WikiLeaks dump. "We have not received any email from WikiLeaks," a spokesman tells ISMG, but adds that "our latest software releases contain patches ... and we have no information about any other vulnerabilities that can affect our routers."
MikroTik, in a March 8 security alert, says it found a reference to a "ChimayRed" attack that can supposedly "inject malicious tools into RouterOS devices, if the public interface of the RouterOS device has no firewall on port 80." MikroTik says it appears that this exploit wouldn't have worked against any version of its RouterOS firmware issued since July 2015, although the company has also released an update that explicitly blocks the attack. The spokesman says users can download the updates or automatically upgrade from the device itself by clicking "upgrade" in the admin control panel.
Apple and Google didn't immediately respond to requests for comment.
WikiLeaks on March 18 said in a screen-shot statement posted to Twitter that Mozilla had agreed to its conditions and been given information about flaws in its software targeted by Vault 7 tools. Other firms, however, reportedly have yet to open discussions. "Google and some other companies have yet to respond other than to confirm receipt of our initial approach. They have not agreed, disagreed or questioned our industry standard responsible disclosure plan," the WikiLeaks statement reads.
Update on CIA #Vault7 "zero day" software vulnerabilities Ref: https://t.co/h5wzfrReyy pic.twitter.com/WEiyptlRu3
— WikiLeaks (@wikileaks) March 18, 2017
Legal Uncertainty
"Most of these lagging companies have conflicts of interest due to their classified work for U.S. government agencies," WikiLeaks claims.
A report from The Hill news website says that some organizations are studying whether they could be prosecuted for working with any alleged CIA hacking tools WikiLeaks shares.
"Companies and people with clearances have been instructed to treat anything labeled as or suspected to be classified material as still classified," Stewart Baker, a partner at the firm Steptoe and Johnson and former assistant secretary for policy at the Department of Homeland Security, told The Hill. "So viewing WikiLeaks' material at least poses a risk to government contractors."
'Responsible Disclosure' Details Unknown
WikiLeaks didn't immediately respond to a request for the full details of its disclosure plan or what specific conditions it would impose.
But Motherboard reports that WikiLeaks is demanding, at least in part, that organizations commit to fixing the flaws within 90 days. WikiLeaks' choice of language - the ethically laden term "responsible disclosure" instead of the "coordinated disclosure" terminology preferred by many organizations that don't want any details of flaws to be publicly released until they prep a fix according to their own, preferred timeline - would seem to back up that report.
While 90 days isn't necessarily an industry standard, it is a timeline that many security researchers would like to see become standard. Google, for example, sets a 90-day deadline from when it privately alerts a vendor to a flaw in the vendor's software that it's discovered, until it reveals the details of the flaw publicly. One exception, however, is if the flaw is already being actively exploited, in which case vendors only have seven days to release an advisory or else prep and ship a patch, before Google publicly releases full details of the flaw.
It's not clear what might happen to organizations that accept WikiLeaks' "industry standard responsible disclosure plan" but fail to meet any demanded deadlines. In theory, WikiLeaks could threaten to publicly detail the flaws 90 days after sharing them, although that would potentially put a great number of users at risk.
March 21: This story has been updated with responses from Microsoft and MikroTik.