
The Shadow Brokers EPICBANANAS and EXTRABACON Exploits - hwatson
https://blogs.cisco.com/security/shadow-brokers
======
dogma1138
One thing I find odd is

 _"JETPLOW is a persistent implant of EPICBANANA. Digitally signed Cisco
software is signed using secure asymmetrical (public-key) cryptography in
newer platforms and prevents these types of attacks. The purpose of digitally
signed Cisco software is to increase the security posture of Cisco ASA devices
by ensuring that the software running on the system has not been tampered with
and originated from a trusted source as claimed."_

They claim that the implant is digitally signed, then they say that it
shouldn't work because Cisco software is digitally signed also, and it's
verified by Cisco Secure Boot.

Isn't that a bit contradictory? Sure, they might have had flaws in their
verification process (we've seen signature verifications that were nothing
more than "is this a signed message" before), but since Cisco verifies the
signature properly (as you haven't been able to binary patch Cisco boot images
for 5+ years), doesn't this imply that the NSA got hold of the signing keys
used by Cisco or an authorized 3rd party?

~~~
dsp1234
The advisory is saying that JETPLOW is _not_ signed. And thus, in newer
platforms where signing is implemented, it would prevent that type of attack.
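
The distinction the two posts above are circling (a check that only asks "is this a signed image?" versus a check against a trust anchor fixed in the platform) is easier to see in code. The following is an added example written for this page; it is not Cisco's code, it does not use Cisco's image format or keys, and the image layout, the `VendorKey`/`AttackerKey` seeds and the `VerifyWeak`/`VerifyPinned` names are all constructed for illustration. It uses Go's standard-library Ed25519 in place of whatever algorithm the real platform uses.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Constructed image layout for this example (not Cisco's real format):
// magic | 4-byte big-endian payload length | payload. All of it is covered
// by the signature.
var magic = []byte("IMG1")

// Image is a firmware blob plus the key and signature that travel with it.
type Image struct {
	Payload   []byte
	SignerKey ed25519.PublicKey // key embedded in the image header
	Signature []byte
}

// signedPortion is the exact byte string the signature covers.
func signedPortion(payload []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(payload)))
	msg := append([]byte{}, magic...)
	msg = append(msg, n[:]...)
	return append(msg, payload...)
}

// Fixed seeds so the example is deterministic. Real keys are never derived
// from constants like this; these stand in for a vendor HSM key and an
// attacker's own key.
func VendorKey() ed25519.PrivateKey {
	return ed25519.NewKeyFromSeed(make([]byte, 32))
}

func AttackerKey() ed25519.PrivateKey {
	seed := make([]byte, 32)
	seed[0] = 0xA7
	return ed25519.NewKeyFromSeed(seed)
}

// BuildImage signs payload with priv and embeds the matching public key,
// exactly the way a "self-describing" signed image would.
func BuildImage(payload []byte, priv ed25519.PrivateKey) Image {
	return Image{
		Payload:   payload,
		SignerKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedPortion(payload)),
	}
}

// VerifyWeak only answers "is this a signed image?": it trusts whatever
// public key is embedded in the image, so anyone can sign with their own key
// and ship that key alongside the payload. The signature math is correct;
// the trust decision is not.
func VerifyWeak(img Image) bool {
	return ed25519.Verify(img.SignerKey, signedPortion(img.Payload), img.Signature)
}

// VerifyPinned checks against a trust anchor fixed in the platform (what a
// secure-boot root of trust provides) and ignores the embedded key entirely.
// Only the holder of the pinned key's private half can produce a valid image.
func VerifyPinned(img Image, trusted ed25519.PublicKey) bool {
	return ed25519.Verify(trusted, signedPortion(img.Payload), img.Signature)
}

func main() {
	trusted := VendorKey().Public().(ed25519.PublicKey)
	genuine := BuildImage([]byte("asa-boot-image"), VendorKey())
	implant := BuildImage([]byte("asa-boot-image+persistent-patch"), AttackerKey())

	// Flip one byte of the genuine image after signing.
	tampered := genuine
	tampered.Payload = append([]byte{}, genuine.Payload...)
	tampered.Payload[0] ^= 0xFF

	cases := []struct {
		name string
		img  Image
	}{{"genuine", genuine}, {"attacker-signed", implant}, {"tampered", tampered}}
	for _, c := range cases {
		fmt.Printf("%-16s weak=%-5v pinned=%v\n", c.name, VerifyWeak(c.img), VerifyPinned(c.img, trusted))
	}
}
```

Run it and the attacker-signed image passes the weak check and fails the pinned one, while the tampered image fails both. That is the whole point of dsp1234's reading: an implant that "is signed" by some key is still rejected by a platform that only honours the vendor's key, unless that key itself has leaked.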

------
walrus01
re: EXTRABACON

If you have SNMP listening on a public ipv4/ipv6 interface of a firewall (I
don't care if it's an EOL/EOS PIX or not), you have done something
fundamentally wrong from the start. As a network engineer, seeing something
like this in a business customer's equipment would cause me to seriously
reconsider all other decisions/security configurations made by a predecessor
or third party contractor.

~~~
zengid
IT student here. Genuinely curious: could you explain why this is a
fundamental error?

~~~
oogali
A former, pissed-off employee who still remembers all of your routers' IP
addresses and SNMP communities can issue an SNMP request to shut down all
network interfaces and disable your network to the outside world.

A former employee who tells someone else your SNMP communities...

A current employee who in a moment of laziness, inadvertently leaves your SNMP
community in a public pastebin or Github Gist...

So on and so forth.

~~~
nathanlied
I'd further elaborate on your answer with:

Even if you can only monitor things, instead of directly issuing commands,
it's still information you're leaking.

Information leaks are still a class of vulnerability for a reason. It can give
an attacker information on your network topology that he wouldn't usually
have.

The less attack surface exposed, the better. Generally, if something is
exposed to the Internet that has no (good) reason to be, it's a vulnerability.
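
The three replies above amount to an audit checklist: an SNMP agent reachable from outside, a community string that is guessable or leaked, and v1/v2c where that string is the only authentication. The following is an added example, not code from the thread or from Cisco, that runs those checks over ASA-style `snmp-server` lines. The configuration snippet is constructed for the example and does not describe any real device; the `AuditSNMP` function, the `weakCommunities` list and the choice to treat `outside` as the external interface are all assumptions of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one audit hit: the offending config line and why it matters.
type Finding struct {
	Line   string
	Reason string
}

// Communities that appear in every default-config list and every wordlist.
var weakCommunities = map[string]bool{"public": true, "private": true, "cisco": true}

// SampleConfig is a constructed ASA-style snippet, not taken from any real device.
const SampleConfig = `
snmp-server host outside 203.0.113.10 community public version 2c
snmp-server host inside 10.0.0.5 poll community N3tm0n-x9 version 2c
snmp-server host inside 10.0.0.6 version 3 monitoruser
snmp-server community private
snmp-server enable
`

// AuditSNMP scans "snmp-server" lines and flags exposure where a leaked
// community string is all an attacker needs: agents reachable through an
// external interface, default communities, and v1/v2c (community-only auth).
func AuditSNMP(config string, externalIfaces []string) []Finding {
	ext := make(map[string]bool)
	for _, name := range externalIfaces {
		ext[name] = true
	}
	var findings []Finding
	flag := func(line, reason string) {
		findings = append(findings, Finding{Line: line, Reason: reason})
	}

	for _, raw := range strings.Split(config, "\n") {
		line := strings.TrimSpace(raw)
		f := strings.Fields(line)
		if len(f) < 3 || f[0] != "snmp-server" {
			continue
		}
		switch f[1] {
		case "community":
			// Legacy global community: usable by any host that can reach the agent.
			if weakCommunities[strings.ToLower(f[2])] {
				flag(line, "default community string "+f[2])
			}
		case "host":
			// snmp-server host <iface> <ip> [trap|poll] [community <s>] [version 1|2c|3 <user>]
			if len(f) < 4 {
				continue
			}
			if ext[f[2]] {
				flag(line, "SNMP agent reachable via external interface "+f[2])
			}
			for i := 3; i+1 < len(f); i++ {
				switch f[i] {
				case "community":
					if weakCommunities[strings.ToLower(f[i+1])] {
						flag(line, "default community string "+f[i+1])
					}
				case "version":
					if f[i+1] == "1" || f[i+1] == "2c" {
						flag(line, "SNMPv"+f[i+1]+": the community string is the only authentication")
					}
				}
			}
		}
	}
	return findings
}

func main() {
	for _, fd := range AuditSNMP(SampleConfig, []string{"outside"}) {
		fmt.Printf("%-68s %s\n", fd.Line, fd.Reason)
	}
}
```

Against the sample, the outside host with community `public` on v2c collects three findings on one line, the inside v2c host one, the legacy `private` community one, and the SNMPv3 host none. The v3 entry is the shape the replies above are asking for: the poller is on an internal interface and the community string is no longer the credential.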

------
LeafStorm
Is this a standard naming convention for exploits?

~~~
rdtsc
Those are the names of compartments / projects for classified information.

The way compartments work, they are supposed to be isolated not just from
lower level (secret vs top secret) but also among each other. So things would
have instructions like "handle via EPICBANANA channels only". So if you are
not read into EPICBANANA you don't get access to it, even though you might
have TS clearance.

So programs / capabilities are referred to by those names, instead of, say,
"Oh, that Cisco ASA blah model VPN MitM thing we have".

That also means that just because you have TS clearance doesn't mean you get
to pick up and walk away with all the TS information you want ... oh wait,
that did happen already, didn't it... oops.

~~~
justinjlynn
Snowden was a member of a group with what is known as "PRIVAC", or privileged
access, capabilities. To my amateur understanding, this type of access is
granted to systems administrators or other users of information systems who
may see things they aren't otherwise cleared to see in the course of their
normal duties. Additionally, it was reported, though denied by Snowden, that
Snowden used other colleagues' credentials to access information for
collection and later disclosure.

------
xroche
Is it yet another ASN.1-related exploit?

