Cisco PIX firewalls can be made to cough up their VPN configurations and RSA private keys, allowing network eavesdroppers to decrypt secure connections.
The NSA's Equation Group exploit code – leaked online this week – includes a tool called BENIGNCERTAIN that crafts and sends a special Internet Key Exchange (IKE) packet to PIX firewalls, forcing vulnerable devices to reply with sensitive secrets. We'll say that again: a working exploit against PIX boxes has been leaked from the NSA and is in the wild.
On Friday, Cisco confirmed that PIX versions 6.x and prior are vulnerable to BENIGNCERTAIN, while version 7.0 and later are not. It's worth noting that Cisco fully discontinued support for its PIX gear in 2013.
So if you're still running the pre-7.0 software on your old firewalls, you're right now completely at risk of having your VPN connections cracked. And if you were using PIX firewalls, the NSA, for one, could have snooped on your encrypted traffic for up to 10 years. The first vulnerable devices went on sale in 2002.
It was nice of the NSA to have told Cisco about these holes. Er, wait.
Sleep tight. ®