Cisco, Fortinet confirm zero-days in NSA tool leak are legit

Case builds that dumped data is genuine.

Cisco and Fortinet have issued patches for zero-day exploits affecting their products contained in a dump of intrusion and surveillance tools allegedly used by an NSA-affiliated hacking group.

Hackers going by the name "Shadow Brokers" this week leaked 300MB worth of sample code they claim belonged to Equation Group, a hacker collective linked by infosec vendor Kaspersky to the US National Security Agency.

The Shadow Brokers promised to release the remaining half of the intrusion and surveillance tools they claim to have stolen from Equation Group once they received 1 million Bitcoin (A$744.25 million) from an online auction for the "cyber weapons".

While security experts initially questioned the legitimacy and significance of the unprecedented file dump, evidence is slowly emerging as to its authenticity.

Yesterday Kaspersky said it had identified a specific implementation of RC5 and RC6 encryption algorithms within the data dump that was identical to that used in Equation Group malware, and which had never been seen elsewhere.

Today, Cisco and Fortinet confirmed that exploits for their products published by the hackers were legitimate.

Cisco said it had "immediately conducted a thorough investigation of the files released" and identified two flaws affecting its Adaptive Security Appliance devices.

One flaw was patched in 2011, but Cisco confirmed the other vulnerability was a zero-day exploit that could let an unauthenticated attacker access the firewall without credentials and remotely execute code on the device.

Fortinet similarly warned its customers that the cookie parser buffer overflow flaw identified in the Shadow Brokers files was legitimate and affected older versions of its FortiGate firewalls.

The vulnerability could allow attackers to take over a device by sending a specially crafted HTTP request, Fortinet warned. It affects firmware released before August 2012.
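The flaw class described above is a classic one: a device's HTTP stack copies a cookie value out of the request into a fixed-size buffer without checking that it fits, so an over-long value overwrites adjacent memory. The following is an added example, not code from the leak, from Fortinet or from the article; it shows the defensive pattern such a parser should follow. The header lines, cookie names and the `cookie_get` function are all constructed for illustration and do not represent any real product's implementation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size destination, as an embedded HTTP stack would typically use.
 * The unsafe pattern is `strcpy(buf, value)` into such a buffer with no
 * length check; the parser below refuses any value that would not fit. */
#define COOKIE_VALUE_MAX 64

/* Copy the value of cookie `name` from a Cookie header into `out`.
 * Returns the value length, 0 if the cookie is absent, or -1 if the
 * value would overflow `out` (rejected rather than copied). */
int cookie_get(const char *header, const char *name, char *out, size_t out_len)
{
    size_t name_len = strlen(name);
    const char *p = header;

    while (*p) {
        /* skip separators between "k=v" pairs */
        while (*p == ' ' || *p == ';')
            p++;
        if (strncmp(p, name, name_len) == 0 && p[name_len] == '=') {
            const char *v = p + name_len + 1;
            size_t vlen = strcspn(v, ";");   /* value runs to next ';' or end */
            if (vlen + 1 > out_len)          /* +1 for the terminating NUL */
                return -1;
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        p += strcspn(p, ";");                /* advance to the next pair */
    }
    return 0;
}

/* Constructed sample header (hypothetical, not from any capture). */
static const char SAMPLE_HEADER[] = "SESSION=abc123; lang=en";

/* Normal case: the session cookie is extracted intact. Returns 1 on success. */
int demo_extract_session(void)
{
    char buf[COOKIE_VALUE_MAX];
    int n = cookie_get(SAMPLE_HEADER, "SESSION", buf, sizeof buf);
    return (n == 6 && strcmp(buf, "abc123") == 0) ? 1 : 0;
}

/* Absent cookie: returns 0 and leaves the buffer untouched. */
int demo_missing(void)
{
    char buf[COOKIE_VALUE_MAX];
    return cookie_get(SAMPLE_HEADER, "token", buf, sizeof buf);
}

/* Over-long value: a constructed 200-byte cookie value is rejected (-1)
 * instead of being copied into the 64-byte buffer. */
int demo_overlong(void)
{
    char hdr[300];
    char buf[COOKIE_VALUE_MAX];
    size_t prefix = strlen("SESSION=");

    memcpy(hdr, "SESSION=", prefix);
    memset(hdr + prefix, 'A', 200);
    memcpy(hdr + prefix + 200, "; lang=en", strlen("; lang=en") + 1);
    return cookie_get(hdr, "SESSION", buf, sizeof buf);
}

int main(void)
{
    printf("session ok: %d\n", demo_extract_session());   /* 1 */
    printf("missing:    %d\n", demo_missing());           /* 0 */
    printf("overlong:   %d\n", demo_overlong());          /* -1 */
    return 0;
}
```

The design point is that the length check happens before any byte is copied, and that an over-long value is treated as a malformed request to be refused rather than silently truncated. Either choice is safe for memory; refusing also gives a clear event to log, which is what a defender watching for exploitation attempts against this class of bug wants to see.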

Fortinet said it was continuing to investigate whether any of its other products are affected.

The Shadow Brokers said their exploits will also work on Juniper and TopSec firewalls, but neither company has yet commented on the claims.
