National Cybersecurity and
Communications Integration Center


**ANALYSIS REPORT**


**_DISCLAIMER: This report is provided “as is” for informational purposes only. The Department of Homeland_**
_Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS_
_does not endorse any commercial product or service referenced in this advisory or otherwise. This document is_
_distributed as TLP:WHITE: Subject to standard copyright rules, TLP:WHITE information may be distributed_
_[without restriction. For more information on the Traffic Light Protocol, see https://www.us-cert.gov/tlp.](https://www.us-cert.gov/tlp)_

**Reference Number: AR-16-20173** **August 30, 2016**

# The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations 

**Table of Contents**

**The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations .............. 2**

Systems Affected ...................................................................................................................................... 2

Overview ................................................................................................................................................... 2

Description ................................................................................................................................................ 2

Impact ....................................................................................................................................................... 4

Prevention and Mitigations Recommendations ........................................................................................ 4

References ................................................................................................................................................. 9

**Technical Annex 1: Cisco Adaptive Security Appliance (ASA) ............................................................ 10**

Agency Action Items/Reporting Requirements ...................................................................................... 11

**Technical Annex 2: Cisco ROMMON Integrity ..................................................................................... 12**

Agency Action Items/Reporting Requirements ...................................................................................... 12

**Technical Annex 3: Hacking Tools Targeting Firewalls ....................................................................... 14**

Agency Action Items/Reporting Requirements ...................................................................................... 15


-----

## Alert—The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations

**Systems Affected**

Network Infrastructure Devices

**Overview**

The advancing capabilities of organized hacker groups and cyber adversaries create an increasing
global threat to information systems. The rising threat levels place more demands on security
personnel and network administrators to protect information systems. Protecting the network
infrastructure is critical to preserve the confidentiality, integrity, and availability of
communication and services across an enterprise.

To address threats to network infrastructure devices, this Alert provides information on recent
vectors of attack that advanced persistent threat (APT) actors are targeting, along with prevention
and mitigation recommendations.

**Description**

Network infrastructure consists of interconnected devices designed to transport communications
needed for data, applications, services, and multi-media. Routers and firewalls are the focus of
this alert; however, many other devices exist in the network, such as switches, load-balancers,
intrusion detection systems, etc. Perimeter devices, such as firewalls and intrusion detection
systems, have been the traditional technologies used to secure the network, but as threats change,
so must security strategies. Organizations can no longer rely on perimeter devices to protect the
network from cyber intrusions; organizations must also be able to contain the impact/losses
within the internal network and infrastructure.

For several years now, vulnerable network devices have been the attack-vector of choice and one
of the most effective techniques for sophisticated hackers and advanced threat actors. In this
environment, there has never been a greater need to improve network infrastructure security.
Unlike hosts that receive significant administrative security attention and for which security tools
such as anti-malware exist, network devices are often working in the background with little
oversight—until network connectivity is broken or diminished. Malicious cyber actors take
advantage of this fact and often target network devices. Once on the device, they can remain
there undetected for long periods. After an incident, where administrators and security
professionals perform forensic analysis and recover control, a malicious cyber actor with
persistent access on network devices can reattack the recently cleaned hosts. For this reason,
administrators need to ensure proper configuration and control of network devices.


-----

**PROLIFERATION OF THREATS TO INFORMATION SYSTEMS**

**_SYNful Knock_**

In September 2015, an attack known as SYNful Knock was disclosed. SYNful Knock silently
changes a router’s operating system image, thus allowing attackers to gain a foothold on a
victim’s network. The malware can be customized and updated once embedded. When the
modified malicious image is uploaded, it provides a backdoor into the victim’s network. Using a
crafted TCP SYN packet, a communication channel is established between the compromised
device and the malicious command and control (C2) server. The impact of this infection to a
network or device is severe and most likely indicates that there may be additional backdoors or
compromised devices on the network. This foothold gives an attacker the ability to maneuver
and infect other hosts and access sensitive data.

The initial infection vector does not leverage a zero-day vulnerability. Attackers either use the
default credentials to log into the device or obtain weak credentials from other insecure devices
or communications. The implant resides within a modified IOS image and, when loaded,
maintains its persistence in the environment, even after a system reboot. Any further modules
loaded by the attacker will only exist in the router’s volatile memory and will not be available for
use after the device reboots. However, these devices are rarely or never rebooted.

To prevent the size of the image from changing, the malware overwrites several legitimate IOS
functions with its own executable code. The attacker examines the functionality of the router and
determines functions that can be overwritten without causing issues on the router. Thus, the
overwritten functions will vary upon deployment.

The attacker can utilize the secret backdoor password in three different authentication scenarios.
In these scenarios the implant first checks to see if the user input is the backdoor password. If so,
access is granted. Otherwise, the implanted code will forward the credentials for normal
verification of potentially valid credentials. This generally raises the least amount of suspicion.
Cisco has provided an alert on this attack vector. For more information, see the [Cisco SYNful](http://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html)
Knock Security Advisory.

Other attacks against network infrastructure devices have also been reported, including more
complicated persistent malware that silently changes the firmware on the device that is used to
load the operating system so that the malware can inject code into the running operating system.
[For more information, please see Cisco's description of the evolution of attacks on Cisco IOS](http://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices)
devices.

**_Cisco Adaptive Security Appliance (ASA)_**

A Cisco ASA device is a network device that provides firewall and Virtual Private Network
(VPN) functionality. These devices are often deployed at the edge of a network to protect a site’s
network infrastructure, and to give remote users access to protected local resources.


-----

In June 2016, NCCIC received several reports of compromised Cisco ASA devices that were
modified in an unauthorized way. The ASA devices directed users to a location where malicious
actors tried to socially engineer the users into divulging their credentials.

[It is suspected that malicious actors leveraged CVE-2014-3393](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393) to inject malicious code into the
affected devices. The malicious actor would then be able to modify the contents of the Random
Access Memory Filing System (RAMFS) cache file system and inject the malicious code into the
[appliance’s configuration. Refer to the Cisco Security Advisory Multiple Vulnerabilities in Cisco](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa)
ASA Software for more information and for remediation details.

In August 2016, threat actors publicly released a large number of files, including exploitation
tools for both old and newly exposed vulnerabilities. Cisco ASA devices were found to be
vulnerable to the released exploit code. In response, Cisco released an update to address a newly
disclosed Cisco ASA Simple Network Management Protocol (SNMP) remote code execution
[vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6366)
[vulnerability (CVE-2016-6367). Although Cisco provided patches](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6367) to fix this Cisco ASA
command-line interface (CLI) remote code execution vulnerability in 2011, devices that remain
unpatched are still vulnerable to the described attack. Attackers may target vulnerabilities for
months or even years after patches become available.

**Impact**

If the network infrastructure is compromised, malicious hackers or adversaries can gain full
control of the network infrastructure enabling further compromise of other types of devices and
data and allowing traffic to be redirected, changed, or denied. Possibilities of manipulation
include denial-of-service, data theft, or unauthorized changes to the data.

Intruders with infrastructure privilege and access can impede productivity and severely hinder reestablishing network connectivity. Even if other compromised devices are detected, tracking
back to a compromised infrastructure device is often difficult.

Malicious actors with persistent access to network devices can reattack and move laterally after
they have been ejected from previously exploited hosts.

**Prevention and Mitigations Recommendations**

NCCIC encourages users and network administrators to implement the following
recommendations to provide a more secure and efficient network infrastructure:

1. Segregate networks and functions.
2. Limit unnecessary lateral communications.
3. Harden network devices.
4. Secure access to infrastructure devices.
5. Perform Out-of-Band network management.
6. Validate integrity of hardware and software.


-----

**1. Segregate Networks and Functions**

Proper network segmentation is a very effective security mechanism to prevent an intruder from
propagating exploits or laterally moving around an internal network. On a poorly segmented
network, intruders are able to extend their impact to control critical devices or gain access to
sensitive data and intellectual property. Security architects must consider the overall
infrastructure layout, segmentation, and segregation. Segregation separates network segments
based on role and functionality. A securely segregated network can contain malicious
occurrences, reducing the impact from intruders, in the event that they have gained a foothold
somewhere inside the network.

**_Physical Separation of Sensitive Information_**

Local Area Network (LAN) segments are separated by traditional network devices such as
routers. Routers are placed between networks to create boundaries, increase the number of
broadcast domains, and effectively filter users’ broadcast traffic. These boundaries can be used
to contain security breaches by restricting traffic to separate segments and can even shut down
segments of the network during an intrusion, restricting adversary access.

**_Recommendations:_**

- Implement Principles of Least Privilege and need-to-know when designing network

segments.

- Separate sensitive information and security requirements into network segments.

- Apply security recommendations and secure configurations to all network segments and

network layers.

**_Virtual Separation of Sensitive Information_**

As technologies change, new strategies are developed to improve IT efficiencies and network
security controls. Virtual separation is the logical isolation of networks on the same physical
network. The same physical segmentation design principles apply to virtual segmentation but no
additional hardware is required. Existing technologies can be used to prevent an intruder from
breaching other internal network segments.

**_Recommendations:_**

- Use Private Virtual LANs to isolate a user from the rest of the broadcast domains.

- Use Virtual Routing and Forwarding (VRF) technology to segment network traffic over

multiple routing tables simultaneously on a single router.

- Use VPNs to securely extend a host/network by tunneling through public or private

networks.


-----

**2. Limit Unnecessary Lateral Communications**

Allowing unfiltered workstation-to-workstation communications (as well as other peer-to-peer
communications) creates serious vulnerabilities, and can allow a network intruder to easily
spread to multiple systems. An intruder can establish an effective “beach head” within the
network, and then spread to create backdoors into the network to maintain persistence and make
it difficult for defenders to contain and eradicate.

**_Recommendations:_**

- Restrict communications using host-based firewall rules to deny the flow of packets from

other hosts in the network. The firewall rules can be created to filter on a host device, user,
program, or IP address to limit access from services and systems.

- Implement a VLAN Access Control List (VACL), a filter that controls access to/from

VLANs. VACL filters should be created to deny packets the ability to flow to other VLANs.

- Logically segregate the network using physical or virtual separation allowing network

administrators to isolate critical devices onto network segments.

**3. Harden Network Devices**

A fundamental way to enhance network infrastructure security is to safeguard networking
devices with secure configurations. Government agencies, organizations, and vendors supply a
wide range of resources to administrators on how to harden network devices. These resources
include benchmarks and best practices. These recommendations should be implemented in
conjunction with laws, regulations, site security policies, standards, and industry best practices.
These guides provide a baseline security configuration for the enterprise that protects the
integrity of network infrastructure devices. This guidance supplements the network security best
practices supplied by vendors.

**_Recommendations:_**

- Disable unencrypted remote admin protocols used to manage network infrastructure (e.g.,

Telnet, FTP).

- Disable unnecessary services (e.g. discovery protocols, source routing, HTTP, SNMP,

BOOTP).

- Use SNMPv3 (or subsequent version) but do not use SNMP community strings.

- Secure access to the console, auxiliary, and VTY lines.

- Implement robust password policies and use the strongest password encryption available.

- Protect router/switch by controlling access lists for remote administration.

- Restrict physical access to routers/switches.

- Backup configurations and store offline. Use the latest version of the network device

operating system and update with all patches.

- Periodically test security configurations against security requirements.

- Protect configuration files with encryption and/or access controls when sending them

electronically and when they are stored and backed up.


-----

**4. Secure Access to Infrastructure Devices**

Administrative privileges on infrastructure devices allow access to resources that are normally
unavailable to most users and permit the execution of actions that would otherwise be restricted.
When administrator privileges are improperly authorized, granted widely, and/or not closely
audited, intruders can exploit them. These compromised privileges can enable adversaries to
traverse a network, expanding access and potentially allowing full control of the infrastructure
backbone. Unauthorized infrastructure access can be mitigated by properly implementing secure
access policies and procedures.

**_Recommendations:_**

- **Implement Multi-Factor Authentication – Authentication is a process to validate a user’s**

identity. Weak authentication processes are commonly exploited by attackers. Multi-factor
authentication uses at least two identity components to authenticate a user’s identity. Identity
components include something the user knows (e.g., password); an object the user has
possession of (e.g., token); and a trait unique to the specific person (e.g., biometric).

- **Manage Privileged Access – Use an authorization server to store access information for**

network device management. This type of server will enable network administrators to assign
different privilege levels to users based on the principle of least privilege. When a user tries
to execute an unauthorized command, it will be rejected. To increase the strength and
robustness of user authentication, implement a hard token authentication server in addition to
the AAA server, if possible. Multi-factor authentication increases the difficulty for intruders
to steal and reuse credentials to gain access to network devices.

- **Manage Administrative Credentials – Although multi-factor authentication is highly**

recommended and a best practice, systems that cannot meet this requirement can at least
improve their security level by changing default passwords and enforcing complex password
policies. Network accounts must contain complex passwords of at least 14 characters from
multiple character domains including lowercase, uppercase, numbers, and special characters.
Enforce password expiration and reuse policies. If passwords are stored for emergency
access, keep these in a protected off-network location, such as a safe.

**5. Perform Out-of-Band Management**

Out-of-Band (OoB) management uses alternate communication paths to remotely manage
network infrastructure devices. These dedicated paths can vary in configuration to include
anything from virtual tunneling to physical separation. Using OoB access to manage the network
infrastructure will strengthen security by limiting access and separating user traffic from network
management traffic. OoB management provides security monitoring and can implement
corrective actions without allowing the adversary who may have already compromised a portion
of the network to observe these changes.

OoB management can be implemented physically or virtually, or through a hybrid of the two.
Building additional physical network infrastructure is the most secure option for the network
managers, although it can be very expensive to implement and maintain. Virtual implementation
is less costly, but still requires significant configuration changes and administration. In some


-----

situations, such as access to remote locations, virtual encrypted tunnels may be the only viable
option.

**_Recommendations:_**

- Segregate standard network traffic from management traffic.

- Enforce that management traffic on devices only comes from the OoB.

- Apply encryption to all management channels.

- Encrypt all remote access to infrastructure devices such as terminal or dial-in servers.

- Manage all administrative functions from a dedicated host (fully patched) over a secure

channel, preferably on the OoB.

- Harden network management devices by testing patches, turning off unnecessary services on

routers and switches, and enforcing strong password policies. Monitor the network and
review logs Implement access controls that only permit required administrative or
management services (SNMP, NTP SSH, FTP, TFTP).

**6. Validate Integrity of Hardware and Software**

Products purchased through unauthorized channels are often known as “counterfeit,”
“secondary,” or “grey market” devices. There have been numerous reports in the press regarding
grey market hardware and software being introduced into the marketplace. Grey market products
have not been thoroughly tested to meet quality standards and can introduce risks to the network.
Lack of awareness or validation of the legitimacy of hardware and software presents a serious
risk to users’ information and the overall integrity of the network environment. Products
purchased from the secondary market run the risk of having the supply chain breached, which
can result in the introduction of counterfeit, stolen, or second-hand devices. This could affect
network performance and compromise the confidentiality, integrity, or availability of network
assets. Furthermore, breaches in the supply chain provide an opportunity for malicious software
or hardware to be installed on the equipment. In addition, unauthorized or malicious software can
be loaded onto a device after it is in operational use, so integrity checking of software should be
done on a regular basis.

**_Recommendations:_**

- Maintain strict control of the supply chain; purchase only from authorized resellers.

- Require resellers to implement a supply chain integrity check to validate hardware and

software authenticity.

- Inspect the device for signs of tampering.

- Validate serial numbers from multiple sources.

- Download software, updates, patches, and upgrades from validated sources.

- Perform hash verification and compare values against the vendor’s database to detect

unauthorized modification to the firmware.

- Monitor and log devices, verifying network configurations of devices on a regular schedule.

- Train network owners, administrators, and procurement personnel to increase awareness of

grey market devices.


-----

**References**

  - [Cisco SYNful Knock Security](http://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html) Advisory

  - [Cisco Security Advisory Multiple Vulnerabilities in Cisco ASA Software](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa)

  - [Cisco Evolution of Attacks on Cisco IOS Devices](https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices)

  - [Cisco IOS Software Integrity Assurance](https://cisco.com/c/en/us/about/security-center/integrity-assurance.html)

  - [Information Assurance Advisory NO. IAA U/OO/802097-16 “Recommendations to](https://www.iad.gov/iad/library/ia-advisories-alerts/recommendations-to-mitigate-unauthorized-cisco-rommon-access-and-validate-boot-roms.cfm)
[Mitigate Unauthorized Cisco ROMMON Access and Validate Boot ROMs”](https://www.iad.gov/iad/library/ia-advisories-alerts/recommendations-to-mitigate-unauthorized-cisco-rommon-access-and-validate-boot-roms.cfm)

  - Information Assurance Advisory NO. IAA U/OO/802488-16 “Vulnerabilities in Cisco
Adaptive Security Appliances Identified in Open-Source – Version 1”

  - Information Assurance Directorate Network Mitigations Package – Infrastructure

**Contact Information**

Recipients of this report are encouraged to contribute any additional information that they may
have related to this threat. For any questions related to this report, please contact NCCIC at:

**_NCCIC:_**
Phone: +1-888-282-0870
Email: ncciccustomerservice@hq.dhs.gov

**Feedback**

DHS strives to make this report a valuable tool for our partners and welcome feedback on how
this publication could be improved. You can help by answering a few short questions about this
report at the following URL: https://www.us-cert.gov/forms/feedback


-----

## Technical Annex 1: Cisco Adaptive Security Appliance (ASA)

**Overview**

[Cisco identified CVE-2014-3393, Cisco ASA Clientless SSL VPN Portal Customization](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3393)
Integrity Vulnerability, published 08 October 2014, affecting Adaptive Security Appliances.

**Description**

Vulnerability CVE-2014-3393 is a security issue that allows a remote attacker to alter content on
the logon page viewed by VPN users. Successful exploitation may result in a compromise of the
Clientless SSL VPN portal, which may lead to several types of attacks, which are not limited to
cross-site scripting (XSS), stealing of credentials, or redirection of users to malicious web pages

[1].

**Impact**

The impact of this vulnerability is significant due to the risk of credentials being stolen and later
being used by adversaries to legitimately log into agency networks. This also affects two-factor
authentication with the possibility of replay attacks and session hijacking.

Customers running a vulnerable configuration, regardless of the software release, should verify
that the portal customization has not been compromised. While upgrading to a fixed version of
**Cisco ASA Software prevents this vulnerability from being exploited further, it will not**
**modify any customization objects that have already been compromised and are present on**
**the system. If an attacker has already compromised a customization object, the**
**compromised object will stay persistent after the upgrade [1].**

**Solution**

1. Upgrade ASA IOS image to a non-vulnerable version.
2. The Clientless SSL VPN portal is not enabled by default. To confirm if the Clientless
SSL VPN portal is enabled, use the **show running-config webvpn** command and verify
that webvpn is enabled at least on one interface. The following example shows a Cisco
ASA with Clientless SSL VPN portal enabled on the outside interface:

a. ciscoasa# show running-config webvpn
b. webvpn
c. enable outside
3. Agencies can verify that the portal has not been compromised by exporting the
customization objects and manually verifying that the objects do not include malicious
code. Examples of malicious code are unauthorized iframes, scripts, embedded objects,
encoded links, JavaScript, etc.

a. From the command line interface, use the export webvpn customization <object
**name> <destination filename> command.**


-----

b. From the ASDM GUI, navigate to CLIENTLESS SSL VPN ACCESS ->

**PORTAL -> CUSTOMIZATION. Inspect any listed objects.**
4. Agencies are recommended to develop internal policies to periodically review all objects
within the SSL VPN Portal Customization section.

**Agency Action Items/Reporting Requirements**

1. Verify Department and Agencies (D/As) ASA devices are utilizing the patched IOS
version that fixes the vulnerability.
2. Notify NCCIC for discovered ASA devices with compromised objects.

a. Submit an incident report and open a Remedy ticket with NCCIC.
b. Copy compromised object string(s) into a text file. Submit this text file in a
password protected zip file attached to the incident report, including the password
to the zip file.
c. Remove/Delete any compromised objects from the Clientless SSL VPN portal.
3. Report total number of ASA devices that were checked and verified, including Model.
4. No later than 30 days from receipt of this technical annex, complete reporting
requirements to NCCIC through the OMB MAX Connect portal.

**References:**

[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa


-----

## Technical Annex 2: Cisco ROMMON Integrity

**Overview**

New attack methods have been observed targeting networking devices running Cisco
Internetwork Operating System (IOS). There is no CVE ID assigned to this attack method.

**Description**

It has been observed that attackers, after gaining remote administrative or physical access to a
Cisco IOS device, loaded malicious code into the Cisco IOS ROM Monitor (ROMMON). The
ROMMON acts as an IOS boot-loader, so the malicious code will run at device startup and can
affect the IOS image and configuration. No exploit is leveraged in this attack, and the attacker
requires valid administrative credentials or physical access to the system to be successful [1].

**Impact**

The impact of this attack is significant due to the fact that network infrastructure is critical to the
mission of Department and Agencies (D/As). Utilizing a malicious ROMMON provides
**attackers an additional advantage because infection will persist through a reboot [1].**

**Solution**

1. D/As should identify which ROM the device boots from:

a. Use the Cisco IOS command: <show version>
b. If the text “Currently running in ROMMON from Upgrade region” or
_“ROMMON from Upgrade region is selected for next boot” is present in the_
command output, further inspection should be conducted.
c. For devices that contain the above output text, Administrators should make sure
that the ROM monitor upgrade was a scheduled and legitimate action and also do
a hash comparison (md5/SHA512) of a known good ROM image.
2. It is imperative that D/As implement network device hardening strategies to protect their
network infrastructure. D/As should follow NSA Information Assurance Directorate
(IAD) guidance detailed in “Recommendations to Mitigate Unauthorized Cisco
ROMMON Access and Validate Boot ROMs” [A1] and vendor guidance detailed in the
“Cisco Guide to Harden Cisco IOS Devices” [2].
3. For network devices that are End of Life or do not support newer security features,
Agencies are recommended to develop replacement life cycle plans.

**Agency Action Items/Reporting Requirements**

1. Verify D/As Cisco routers ROMMON integrity using guidance in this report and
referenced material.


-----

2. Notify NCCIC for discovered Cisco routers with changed ROM boot options and
suspicion of ROM image integrity compromise.

a. Submit an incident report and open a Remedy ticket with NCCIC.
b. Be prepared to support follow-on actions from NCCIC.
3. Report total number of Cisco routers that were checked and verified, including Model.
4. No later than 14 days from receipt of this technical annex, complete reporting
requirements to NCCIC through the OMB MAX Connect portal.

**References:**

[1. http://tools.cisco.com/security/center/viewAlert.x?alertId=40411](http://tools.cisco.com/security/center/viewAlert.x?alertId=40411)
[2. http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html](http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html)
3. http://www.cisco.com/c/en/us/about/security-center/integrity-assurance.html


-----

## Technical Annex 3: Hacking Tools Targeting Firewalls

**Overview**

In August 2016, threat actors publicly released a large number of files, including exploitation
tools for both old and newly exposed vulnerabilities. The tools appear to target firewalls from
different vendors (Cisco, Fortinet, Juniper, Huawei, WatchGuard, and TOPSEC). Cisco, Fortinet,
and Juniper have released advisories to address this threat.

**Description**

Vulnerable network devices have been the attack-vector of choice and one of the most effective
techniques for sophisticated hackers and advanced threat actors. The released exploitation tools
are targeting firewall devices from different manufacturers.

**Cisco**
Cisco ASA devices were found to be vulnerable to the released exploit code. In response, Cisco
released an update to address a newly disclosed Cisco ASA SNMP remote code execution
[vulnerability (CVE-2016-6366). In addition, one exploit tool targeted a previously patched Cisco](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6366)
[vulnerability (CVE-2016-6367). Although Cisco provided patches to fix this Cisco ASA CLI](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6367)
remote code execution vulnerability in 2011, devices that remain unpatched are still vulnerable.
For additional information, see the Cisco Advisory.

**Fortinet**
In August 2012, Fortinet provided security updates for its FortiGate firmware to address a cookie
parser buffer overflow vulnerability. However, unpatched systems remain vulnerable, and the
[released exploit code targets the vulnerability. For more information, see the Fortinet Advisory.](http://fortiguard.com/advisory/FG-IR-16-023)

**Juniper**
Juniper is investigating exploits targeting NetScreen devices running ScreenOS. However,
[Juniper’s initial analysis does not indicate a ScreenOS vulnerability. See the Juniper Advisory](https://forums.juniper.net/t5/Security-Incident-Response/Shadow-Brokers-Release-of-Hacking-Code/ba-p/296128)
for additional information.

**WatchGuard**
One released exploitation tool targets a command injection vulnerability in RapidStream
appliances. WatchGuard acquired RapidStream in 2002, and stated that the vulnerability was not
[carried over to WatchGuard appliances. For more information, see the WatchGuard article.](https://www.secplicity.org/2016/08/16/nsa-equation-group-exploit-leak-mean/)

**TOPSEC and Huawei**
The released tools target TOPSEC and Huawei firewall devices. However, both vendors have not
made a public acknowledgement or comment on the newly released exploit tools.


-----

**Impact**

The tools are fully functional and may compromise targeted devices. The malicious use of these
tools are significant risks and may affect the confidentiality, integrity, and availability of network
infrastructure critical to the mission of Department and Agencies (D/As).

**Solution**

1. Apply vendor updates/patches to software and firmware, when available.
2. Disable unused/unneeded services (e.g. telnet, cisco-telnet, etc.).
3. Use multi-factor authentication to the greatest extent possible (e.g. PKI-based
authentication to SSH).
4. Restrict access to device management and remote access services to authorized systems
or management subnets. This can be enforced by both local device configurations (e.g.
Cisco IOS access lists) as well as upstream/downstream network and security
infrastructure device ACLs.
5. For SNMP:

a. Restrict SNMP traffic to device management interfaces with access control list to
further limit accessibility.
b. Maximize use of SNMPv3 to gain the benefit of encryption.
c. If network devices do not support SNMPv3, implement a robust “community
string” management policy; while SNMP community strings are not equivalent to
system passwords, similar policies for length, complexity, diversity and rotation
should be employed.
6. Use separate passwords/passphrases for device access and privileged functions (e.g.
Cisco IOS’s “enable” password). Some exploitation tools only establish access at a
certain level.
7. Enable detailed logging of login activity and device configuration, with logs sent to a
separate system for review and archiving.

**Agency Action Items/Reporting Requirements**

1. Verify Department and Agencies (D/As) are utilizing the patched vendor software for
their specific network device.
2. Notify NCCIC for discovered network devices that show indications of compromise.

a. Submit an incident report and open a Remedy ticket with NCCIC.
b. Be prepared to support follow-on actions from NCCIC.
3. Report total number of network devices that were checked and verified, including Vendor
and Model.
4. No later than 7 days from receipt of this technical annex, complete reporting
requirements to NCCIC through the OMB MAX Connect portal.

**References:**

[[1] http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa](http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141008-asa)


-----