Cisco warns of another 'Shadow Brokers' leaked zero-day

Network equipment vendor Cisco has discovered another zero-day exploit against its products in the trove of leaked code from the alleged hack of a group linked to the National Security Agency.

Virtual private networking setups using IPsec internet key exchange version 1 on certain Cisco products are affected by a bug that means the code does not sufficiently check for conditions during security negotiations.  

The vulnerability allows attackers who send specially crafted IKEv1 packets to affected devices to retrieve memory contents, which could lead to the disclosure of confidential information, Cisco said.

PIX firewalls versions 6.x and earlier are vulnerable to the flaw, as are the company's IOS operating system XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x.

Cisco PIX has not been supported since 2009, the company noted.

The vulnerability is rated as high. Cisco said the flaw is currently under exploit, recommending users employ intrusion dection and prevention systems to help stop the attacks.

Cisco said it would release software updates to fix the vulnerability, bit didn't specify a time frame.

The vulnerability was made public in a data dump released by hacking collective Shadow Brokers in August. The hackers claimed to have stolen the data from a group linked to the NSA, and put it up for sale for one million Bitcoin. A zero-day for Cisco Adaptive Security appliances was also included in the leak.

Many of the zero-days leaked by the Shadow Brokers have been confirmed to be genuine, forcing security vendors to rush to issue patches for their products.