
IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products - foolrush
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1
======
benevol
No way could anyone else have discovered and used the same vulnerability
during these 14 years. Thanks for making us safe. /s

~~~
wepple
I get the point of your comment, but at a minimum if this were indeed NSA
work, at least they could monitor for exploitation of the same bug against
targets they want to defend (which, given their network reach could be both
public and private sector).

Fixing it would've at least prevented exploitation, but there is value in
knowledge of who else has this exploit and who they're trying to attack.

~~~
eganist
Do we even know anything about their defensive operations?

I'm almost glad we don't since defensive capabilities are the kind of thing
you'd rather not disclose to your adversary until you truly need to leverage
them, but at the same time, with all the leaks, it's as if the NSA just runs
offensive operations and reactive analysis/reconnaissance.

~~~
wbl
Yes. IPsec is widely used, and TLS on top of that with formally verified
specialized implementations of IPsec. They also use data diodes, restricting
the syntax of data that flows into and out of networks.

~~~
eganist
I appreciate this, but I should clarify that I'm speaking specifically to
active defense (hence defensive operations) rather than developing,
publishing, and using defensive best practices, which I'd personally consider
more passive than anything else.

------
dogma1138
"The vulnerability is due to insufficient condition checks in the part of the
code that handles IKEv1 security negotiation requests. An attacker could
exploit this vulnerability by sending a crafted IKEv1 packet to an affected
device configured to accept IKEv1 security negotiation requests. A successful
exploit could allow the attacker to retrieve memory contents, which could lead
to the disclosure of confidential information."

So basically Heartbleed for Cisco VPNs.

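As an added illustration (not code from the advisory, from Cisco, or from anyone in this thread), here is a minimal IKEv1/ISAKMP payload-chain walker that performs the kind of length check the advisory describes as insufficient: every sender-supplied length is compared against the bytes actually received before it is trusted. The sample packets are constructed for the example, not real captures, and the function name is my own.

```c
#include <stdint.h>
#include <stddef.h>

/* ISAKMP (IKEv1) header: 28 bytes, "next payload" at offset 16, total length
 * (big-endian) at offset 24. Each payload has a 4-byte generic header:
 * next payload (1), reserved (1), payload length (2, header included). */
#define ISAKMP_HDR_LEN 28
#define PAYLOAD_HDR_LEN 4

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) { return ((uint32_t)be16(p) << 16) | be16(p + 2); }

/* Walks the payload chain and returns the payload count, or -1 as soon as any
 * sender-supplied length would reach past the bytes actually received. That
 * comparison against the real buffer size is the "condition check" whose
 * absence lets a parser read neighbouring memory and echo it back in a reply. */
int ikev1_count_payloads(const uint8_t *pkt, size_t received)
{
    if (received < ISAKMP_HDR_LEN) return -1;
    if (be32(pkt + 24) > received) return -1;      /* header overstates size */
    uint8_t next = pkt[16];
    size_t off = ISAKMP_HDR_LEN;
    int count = 0;
    while (next != 0) {                            /* next == 0: end of chain */
        if (received - off < PAYLOAD_HDR_LEN) return -1;
        uint16_t plen = be16(pkt + off + 2);
        if (plen < PAYLOAD_HDR_LEN || plen > received - off) return -1;
        next = pkt[off];
        off += plen;
        count++;
    }
    return count;
}

/* Constructed sample packets (not real captures): header macro + one SA payload
 * carrying a 4-byte DOI value. The two BAD_ variants lie about a length. */
#define HDR(next, total_len) \
    0x01,0x02,0x03,0x04,0x05,0x06,0x07,0x08, /* initiator cookie */ \
    0x11,0x12,0x13,0x14,0x15,0x16,0x17,0x18, /* responder cookie */ \
    (next), 0x10, 0x02, 0x00,                /* next, version 1.0, exchange, flags */ \
    0x00,0x00,0x00,0x00,                     /* message ID */ \
    0x00,0x00,0x00,(total_len)               /* total length */
const uint8_t GOOD_PKT[]     = { HDR(1, 36),  0x00,0x00,0x00,0x08, 0x00,0x00,0x00,0x01 };
const uint8_t BAD_PLEN_PKT[] = { HDR(1, 36),  0x00,0x00,0x10,0x00, 0x00,0x00,0x00,0x01 };
const uint8_t BAD_HDR_PKT[]  = { HDR(1, 200), 0x00,0x00,0x00,0x08, 0x00,0x00,0x00,0x01 };
```

The well-formed packet yields one payload; the packet whose payload claims 4096 bytes and the packet whose header claims 200 bytes are both rejected before any byte beyond the received buffer is touched.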
~~~
tptacek
This is a pretty common vulnerability. We found the same bug in nginx not long
before Heartbleed. Cisco in particular has a history with these kinds of bugs
(IIRC FX sort of famously dumped a whole image of a Cisco router in the early
2000s with one).

------
jdright
Reflection of a "responsible" disclosure culture...

------
prdonahue
I reported incredibly strange IKE behavior on PIX 6.x to Cisco in ~2005. They
escalated to TAC, confirmed it was a bug, and eventually "patched" it. Wonder
if it was the same codepath?

------
aaronmdjones
> An attacker could exploit this vulnerability by sending a crafted IKEv1
> packet to an affected device configured to accept IKEv1 security negotiation
> requests

> There are no workarounds that address this vulnerability.

Call me crazy, but could one not work around this by ... I don't know,
disabling IKEv1?

------
vxxzy
How best, or how would one expect the NSA to behave? Where is the balance
between offense and defense? On one hand, I can see this exploit needing to be
disclosed to the general public. On the other, I can see this being useful for
offensive purposes.

------
elchief
I guess that's why there's IKE 2...

IKE 1 was seemingly purposely complicated.

------
SEJeff
And this is just one of the disclosed 0day tools. Supposedly, the Shadow
Brokers have quite a bit more that has yet to be released. Should be
interesting in the future as more comes out.

------
United857
Where in the page is the NSA mentioned?

Not saying it's not reasonable for the NSA to have exploited (they probably
did), but unless we have proof, the headline is a bit clickbait-ish.

~~~
eganist
Search for shadow brokers in the disclosure. That's how Cisco's been crediting
them.

~~~
nielsbot
⌘+f

~~~
shawkinaw
As long as we're being pedantic:

⌘F

------
simbalion
Is anyone else bothered by the misuse of the term "zero-day" in the media?

------
mozumder
Where does it indicate the NSA had anything to do with this?

~~~
crystalmeph
In the "Exploitation and Public Announcements" part of the linked article, it
says that this vulnerability was discovered in the documents leaked/hacked
from the Equation Group, which appears to be a group either within or
extremely close to the NSA, although neither their actual name nor their
existence has been acknowledged by the NSA.

I don't see any reference to this exploit being used 14 years ago though,
although the code being exploited is that old.

------
edelans
Looks like a slandering title: how do you know the NSA had knowledge of this
vulnerability? I know that the NSA may be considered "almighty" considering its
research power, but this sounds a bit like a fast and easy accusation, and a
misleading title... I expected a whole different story (disappointed to see
that Ctrl+F "NSA" had no result).

~~~
eganist
Right at the bottom of the disclosure.

> The exploit of this vulnerability was publicly disclosed by the alleged
> Shadow Brokers group for Cisco PIX.

