Cisco says unauthenticated attackers could bypass the TLS inspection filtering technology in several of its products to exfiltrate data from previously compromised servers inside customers' networks.
In such attacks, threat actors exploit a vulnerability in Server Name Indication (SNI) request filtering that affects the 3000 Series Industrial Security Appliances (ISAs), Firepower Threat Defense (FTD), and Web Security Appliance (WSA) products.
"Using SNIcat or a similar tool, a remote attacker can exfiltrate data in an SSL client hello packet because the return server hello packet from a server on the blocked list is not filtered," Cisco explained.
"This communication could be used to execute a command-and-control attack on a compromised host or perform additional data exfiltration attacks."
So far, the Cisco Product Security Incident Response Team (PSIRT) is not aware of attackers or malware exploiting this security flaw in the wild.
Stealthy data exfiltration by abusing TLS
SNIcat (Server Name Indication Concatenator) is a stealthy exfiltration technique discovered by mnemonic Labs security researchers that bypasses security perimeter solutions and TLS inspection devices (e.g., web proxies and next-gen firewalls (NGFW)) via the SNI field of TLS Client Hello packets.
"By using our exfiltration method SNIcat, we found that we can bypass a security solution performing TLS inspection, even when the Command & Control (C2) domain we use is blocked by common reputation and threat prevention features built into the security solutions themselves," the researchers said.
"In short, we found that solutions designed to protect users introduced them to a new vulnerability."
Besides Cisco, mnemonic Labs has successfully tested SNIcat against products from F5 Networks (F5 BIG-IP running TMOS 14.1.2, with SSL Orchestrator 5.5.8), Palo Alto Networks (Palo Alto NGFW running PAN-OS 9.1.1), and Fortinet (Fortigate NGFW running FortiOS 6.2.3).
The researchers also developed a proof-of-concept tool that extracts data from previously compromised servers via an SNI covert channel, using an agent on the compromised host and a command-and-control server that collects the exfiltrated data.
"Cisco is investigating its product line to determine which products may be affected by this vulnerability," Cisco added.
"As the investigation progresses, Cisco will update this advisory with information about affected products."