CERTFR-2016-ALE-005
Vulnerability from certfr_alerte

Multiple vulnerabilities have been discovered in Cisco firewalls. They allow an attacker to execute arbitrary code remotely.

Description

On Saturday, August 13, attackers calling themselves the Shadow Brokers publicly released offensive tools that they claim come from Equation, an elite group linked to the NSA.
Among these tools is malicious code designed to exploit vulnerabilities in Cisco firewalls in order to take control of them.
In its security advisories cisco-sa-20160817-asa-snmp and cisco-sa-20160817-asa-cli (see the Documentation section), the vendor lists the products for which a fix is available.
CERT-FR recommends hardening equipment in line with best practices (see the Documentation section).
Network detection rules are also available, either for a fee (Cisco, see the Documentation section) or free of charge (Emerging Threats, see the Documentation section).

Solution

Refer to the vendor's security advisory to obtain the fixes (see the Documentation section).

Impacted products
Vendor | Product | Description
Cisco | N/A | Cisco Firewall Services Module (FWSM)
Cisco | N/A | Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Cisco | N/A | Cisco ASA 1000V Cloud Firewall
Cisco | N/A | Cisco Adaptive Security Virtual Appliance (ASAv)
Cisco | N/A | Cisco ASA 5500 Series Adaptive Security Appliances
Cisco | N/A | Cisco ASA 5500-X Series Next-Generation Firewalls
Cisco | N/A | Cisco Firepower 4100 Series
Cisco | N/A | Cisco Firepower 9300 ASA Security Module
Cisco | N/A | Cisco Industrial Security Appliance 3000
Cisco | Firepower Threat Defense | Cisco Firepower Threat Defense Software
Cisco | N/A | Cisco PIX Firewalls



{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Cisco Firewall Services Module (FWSM)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco ASA Services Module pour Cisco Catalyst 6500 Series Switches et Cisco 7600 Series Routers",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco ASA 1000V Cloud Firewall",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Adaptive Security Virtual Appliance (ASAv)",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco ASA 5500 Series Adaptive Security Appliances",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco ASA 5500-X Series Next-Generation Firewalls",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower 4100 Series",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower 9300 ASA Security Module",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Industrial Security Appliance 3000",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco Firepower Threat Defense Software",
      "product": {
        "name": "Firepower Threat Defense",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    },
    {
      "description": "Cisco PIX Firewalls",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Cisco",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "closed_at": "2016-09-05",
  "content": "## Description\n\nLe samedi 13 ao\u00fbt, des attaquants se faisant appeler les Shadow Brokers\nont publiquement r\u00e9v\u00e9l\u00e9 des outils offensifs, qu\u0027ils affirment provenir\nd\u0027Equation, un groupe d\u0027\u00e9lite li\u00e9 \u00e0 la NSA.  \nParmi ces outils se trouve du code malveillant dont la fonction est\nd\u0027exploiter des vuln\u00e9rabilit\u00e9s dans les pare-feux Cisco afin d\u0027en\nprendre le contr\u00f4le.  \nDans ses bulletins de s\u00e9curit\u00e9 cisco-sa-20160817-asa-snmp et\ncisco-sa-20160817-asa-cli (cf. Section Documentation), l\u0027\u00e9quipementier\n\u00e9num\u00e8re la liste de produits pour lesquels un correctif est\ndisponible.  \nLe CERT-FR recommande de durcir ses \u00e9quipements tout en respectant les\nbonnes pratiques (cf. Section Documentation).  \nDes r\u00e8gles de d\u00e9tection r\u00e9seau sont \u00e9galement disponibles, soit de\nmani\u00e8re payante (Cisco, cf. Section Documentation), soit \u00e0 titre gratuit\n(Emerging Threats, cf. Section Documentation).\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation)\n",
  "cves": [
    {
      "name": "CVE-2016-6366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-6366"
    },
    {
      "name": "CVE-2016-6367",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-6367"
    }
  ],
  "initial_release_date": "2016-08-18T00:00:00",
  "last_revision_date": "2016-09-05T00:00:00",
  "links": [
    {
      "title": "Avis CERTFR-2016-AVI-295",
      "url": "http://www.cert.ssi.gouv.fr/site/CERTFR-2016-AVI-295"
    },
    {
      "title": "R\u00e8gle de d\u00e9tection r\u00e9seau Emerging Threats 2",
      "url": "http://doc.emergingthreats.net/bin/view/Main/2023071"
    },
    {
      "title": "Guide de durcissement des pare-feux Cisco ASA",
      "url": "http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html"
    },
    {
      "title": "Blog Cisco : Analyse de l\u0027int\u00e9grit\u00e9 d\u0027une image IOS",
      "url": "https://blogs.cisco.com/security/offline-analysis-of-ios-image-integrity"
    },
    {
      "title": "Guide de v\u00e9rification d\u0027int\u00e9grit\u00e9 ASA",
      "url": "http://www.cisco.com/c/en/us/about/security-center/intelligence/asa-integrity-assurance.html"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 cisco-sa-20160817-asa-cli Cisco du 17    ao\u00fbt 2016",
      "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli"
    },
    {
      "title": "Guide de durcissement des \u00e9quipements Cisco",
      "url": "https://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html"
    },
    {
      "title": "Blog Cisco : The Shadow Brokers",
      "url": "http://blogs.cisco.com/security/shadow-brokers"
    },
    {
      "title": "Bulletin de s\u00e9curit\u00e9 cisco-sa-20160817-asa-snmp Cisco du 17    ao\u00fbt 2016",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp"
    },
    {
      "title": "R\u00e8gle de d\u00e9tection r\u00e9seau Emerging Threats 1",
      "url": "http://docs.emergingthreats.net/bin/view/Main/2023070"
    },
    {
      "title": "Annonce de fin de vie des Cisco Firewall Services Modules    (FWSM)",
      "url": "http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/catalyst-6500-series-firewall-services-module/eol_c51-699134.html"
    },
    {
      "title": "Annonce de fin de vie des Cisco PIX Firewalls",
      "url": "http://www.cisco.com/c/en/us/products/security/pix-500-series-security-appliances/eos-eol-notice-listing.html"
    },
    {
      "title": "Change logs des r\u00e8gles Snort soumises \u00e0 abonnement",
      "url": "https://www.snort.org/advisories/talos-rules-2016-08-16"
    }
  ],
  "reference": "CERTFR-2016-ALE-005",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2016-08-18T00:00:00.000000"
    },
    {
      "description": "ajout de produits sur la liste des syst\u00e8mes affect\u00e9s ainsi que les annonces de fin de vie des produits Cisco Firewall Services Module et Cisco PIX Firewalls.",
      "revision_date": "2016-08-23T00:00:00.000000"
    },
    {
      "description": "cl\u00f4ture de l\u0027alerte.",
      "revision_date": "2016-09-05T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles pare-feux Cisco\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les pare-feux Cisco",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 cisco-sa-20160817-asa-snmp Cisco du 17 ao\u00fbt 2016",
      "url": null
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 cisco-sa-20160817-asa-cli Cisco du 17 ao\u00fbt 2016",
      "url": null
    }
  ]
}

