Petronella Blog Archive


Cisco VPN Vulnerability


Cisco is still dealing with the fallout from the NSA tool dump released by the hacking group The Shadow Brokers. In the data released by the hackers, who take their name from the Mass Effect series of video games, researchers have found yet another attack vector. This attack would allow someone to steal the pre-shared key for a VPN from a line of Cisco products, ultimately giving them the ability to read normally encrypted traffic.

Codenamed BENIGNCERTAIN, the tool is used in what researchers are calling a “PixPocket” attack, after the older Cisco PIX series of VPN and firewall devices it targets. Typically, corporations or government agencies would use PIX to limit access to their network to authorized users.

By sending a packet to a target, the tool forces it to dump part of its memory. Part of what’s included is the VPN’s authentication password. Unlike the other vulnerabilities found in the dump, which required internal access, this new one shows that the NSA had the ability to steal a VPN password and access the network from an outside IP address.

According to the code, the tool targets PIX versions 5.2(9) to 6.3(4), but some researchers claim that BENIGNCERTAIN works on version 5.3(5) as well. This means that it may work on versions that aren’t explicitly defined in the code. Additionally, there is some evidence that the tool may also be able to steal more secure private VPN encryption keys.
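For an administrator the practical question is which devices in the inventory fall into the version span quoted above. The following Python script is an added illustration, not code from the original post or from Cisco: it parses Cisco's "major.minor(build)" version strings, treats the quoted endpoints 5.2(9) and 6.3(4) as an inclusive range (an assumption, since the tool's code apparently lists specific builds), and still reports PIX devices on other builds because the post says the tool has been seen working on versions the code does not name. The hostnames and versions in the sample inventory are constructed.

```python
"""Inventory triage for the BENIGNCERTAIN / PixPocket disclosure.

Added example, not code from the original post or from Cisco. It parses
Cisco PIX version strings of the form "major.minor(build)" and flags every
PIX device, distinguishing builds inside the range the post quotes from
other PIX builds that the post says may still be reachable.
"""
import re
from typing import List, NamedTuple, Tuple


class PixVersion(NamedTuple):
    major: int
    minor: int
    build: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)$")


def parse_pix_version(text: str) -> PixVersion:
    """Turn '6.3(4)' into PixVersion(6, 3, 4); tuple ordering then gives version ordering."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PIX version string: {text!r}")
    return PixVersion(*(int(g) for g in m.groups()))


# Endpoints quoted in the post as the span the tool's code covers.
# Treating them as an inclusive range is this example's assumption.
AFFECTED_LOW = parse_pix_version("5.2(9)")
AFFECTED_HIGH = parse_pix_version("6.3(4)")

# Triage outcomes, most urgent first.
IN_LISTED_RANGE = "pix-in-listed-range"          # 5.2(9) <= version <= 6.3(4)
PIX_OTHER_VERSION = "pix-outside-listed-range"   # PIX, but build outside that range
NOT_PIX = "not-pix"


def classify(platform: str, version: str) -> str:
    """Map one inventory row to a triage outcome."""
    if platform.strip().lower() != "pix":
        return NOT_PIX
    v = parse_pix_version(version)
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return IN_LISTED_RANGE
    # The post reports the tool working on a build the code does not list,
    # and the product line is end-of-sale, so other PIX builds are still
    # reported rather than silently passed.
    return PIX_OTHER_VERSION


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE_INVENTORY = [
    {"host": "edge-fw-1", "platform": "PIX", "version": "6.3(4)"},
    {"host": "edge-fw-2", "platform": "PIX", "version": "5.3(5)"},
    {"host": "branch-fw", "platform": "PIX", "version": "6.3(5)"},
    {"host": "dc-fw-1", "platform": "ASA", "version": "9.8(4)"},
]


def triage(inventory) -> List[Tuple[str, str]]:
    """Return (host, status) for every PIX device, most urgent first, then by hostname."""
    order = {IN_LISTED_RANGE: 0, PIX_OTHER_VERSION: 1}
    hits = []
    for row in inventory:
        status = classify(row["platform"], row["version"])
        if status != NOT_PIX:
            hits.append((row["host"], status))
    hits.sort(key=lambda h: (order[h[1]], h[0]))
    return hits


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Run against a real export, the list gives the order in which to replace or isolate devices; note that 5.3(5), the build the post says was not in the tool's code, still falls inside the quoted range, which is why the range check rather than an exact-match list is used here.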

Cisco stopped selling the PIX line in 2009, and in addressing this new flaw stated that no new flaws had been found in current Cisco products. It went on to remind users that running older products carries a greater security risk.