Cisco, Fortinet issue patches against NSA malware

Versions of Cisco PIX, ASA and Fortinet’s Fortigate firmware are affected

Customers of certain Cisco and Fortinet security gear need to patch against exploits made public this week after a purported hack of NSA malware.

Both companies have issued fixes to address exploits that were posted online, after finding that the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.

Other exploits may affect Watchguard and TOPSEC products, but those companies did not immediately respond to inquiries. When they do, this story will be updated.

The exploits were posted as proof that a group called Shadow Brokers actually had in its possession malware that it claimed it hacked from the NSA.

While the exploits date from 2013 at the latest, Cisco says it just learned about one of them when Shadow Brokers made it public. Cisco already knew about a second one and had patched for it. Fortinet’s lone security advisory is fresh.

Speculation is that Russia is behind releasing the exploits as a political move to blunt U.S. reaction to Russia’s alleged hack of the Democratic National Committee.


Cisco rates the threat level of the newly discovered vulnerability - Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability - as high because it could allow an attacker to execute remote code on affected devices and obtain full control. “The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system,” the advisory says.

Here is a list of the affected Cisco devices:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

The other vulnerability - Cisco ASA CLI Remote Code Execution Vulnerability - is one Cisco has known about since 2011, when it issued a fix for it. The company has issued a fresh security advisory for it to raise awareness so customers will make sure they’ve got software versions that patch the problem.

This vulnerability is ranked medium, and if exploited “could allow an authenticated, local attacker to create a denial of service (DoS) condition or potentially execute arbitrary code. An attacker could exploit this vulnerability by invoking certain invalid commands in an affected device,” the advisory says.

Cisco has posted a blog that details its vulnerabilities and fixes.


Fortinet has issued a security advisory for what it calls the Cookie Parser Buffer Overflow Vulnerability, whose importance it rates as high because it allows remote administrative access.

It affects certain versions of the Fortigate firmware, called FOS, released before August 2012. The affected versions are:

  • FOS 4.3.8 and below
  • FOS 4.2.12 and below
  • FOS 4.1.10 and below

“Customers running FortiGate firmware 5.0 and above, released in August 2012 are not impacted,” according to an emailed statement from Fortigate. “We continue to investigate this exploit and are conducting an additional review of all of our Fortinet products. If we identify any new information useful to our customers, we will share it through our responsible disclosure policy.”


Stories by Tim Greene
