Hacker Cat Ninja

 Coding & Security

avatar

View My GitHub Profile

2 April 2018

Cracking Cisco’s Sourcefire licensing system

by Jose Krause

Cisco’s Sourcefire system is the IDS/IPS solution offered by this company after the acquisition of Sourcefire, including its network anomaly detection engine, Snort. This IPS solution is one of the most powerful systems available on the market.

The system is composed mainly by two appliances:

The main problem of Cisco’s Sourcefire system is that the hardware is completely useless without a valid license. After buying a sensor on Ebay or scavenging one from a death project or whatever, a license is still needed to make them to work, and yes, these licenses are not exactly cheap…

The laboratory setup used for the paper uses this setup:

But the bypass techniques exposed in the paper are also applicable to the latest versions of Sourcefire sensors and FSMs – Tested on FSM version 6-.

According to Cisco, neither its ASA nor the new Firepower Threat Defense (FTD) appliances are susceptible to the demonstrated license bypass. However, I am not able to confirm or deny this as I haven’t had the chance to test those systems.

Paper at the end

Disclosure timeline

Affected versions

According to Cisco, these versions are susceptible to apply this cracking techniques.

tags: reversing - cisco - security - golang