Cracking Cisco’s Sourcefire licensing system

Free the Kraken!

Cisco’s Sourcefire system is the IDS/IPS solution the company has offered since its acquisition of Sourcefire, and it includes Sourcefire's network anomaly detection engine, Snort. This IPS solution is one of the more powerful systems available on the market.

The system consists mainly of two appliances:

  • The sensor (FirePOWER) is the IPS itself, with Snort, the RNA (Real Network Awareness) engine, nmap, the signature database and all the stuff that makes sense on an IPS. This appliance is mainly physical, but Cisco also offers a virtual appliance option, available on the customer support portal.

  • The manager, FireSIGHT Management Center (FSM), is the central administration console. One FSM can have multiple sensors attached, and all the configuration is done here: policy creation, firewall rules, object setup, rule editing, etc. Once a policy is configured or modified, the whole config/rule/stuff package is deployed to the paired sensors. This element can be run as a virtual appliance, available on the Cisco customer support portal.

The main problem with Cisco’s Sourcefire system is that the hardware is completely useless without a valid license. After buying a sensor on eBay, scavenging one from a dead project or whatever, a license is still needed to make it work, and yes, these licenses are not exactly cheap…

The laboratory used for the paper has this setup:

  • Virtual FSM on version 5.4.1.9
  • Physical sensor 3D2000 on version 5.4.0.9
  • Physical sensor 3D7110 on version 5.4.0.9

The bypass techniques described in the paper are also applicable to the latest versions of Sourcefire sensors and FSMs (tested on FSM version 6).

According to Cisco, neither its ASA nor the new Firepower Threat Defense (FTD) appliances are susceptible to the demonstrated license bypass. However, I am not able to confirm or deny this as I haven’t had the chance to test those systems.

Paper at the end

Disclosure timeline

  • 02/21/2018: Reported to the Cisco Talos Team at the address ([email protected]), which is available on www.talosintelligence.com/about
    • No response.
  • 03/07/2018: Sent email reminder.
    • No response.
  • 03/15/2018: Sent email reminder.
    • No response.
  • 03/15/2018: Announced the public disclosure of the paper on Twitter.
  • 03/15/2018: Response from Omar Santos (Cyber security principal engineer at Cisco’s PSIRT).
  • 03/15/2018: Email sent to Cisco’s PSIRT as requested by Omar.
  • 03/16/2018: ACK from Cisco’s PSIRT.
  • 03/16/2018: Received an email from Henry Peltokangas (Product Manager at Cisco working on the Firepower software) apologizing for the non-response, arguing that the [email protected] mailer is no longer monitored, and asking to delay the publication to the end of the month and to modify a paragraph in the paper's introduction.
  • 03/16/2018: I agreed to the terms and began to work with Henry on the disclosure process.
  • 03/21/2018: Replaced the paragraph with a more exact one, as asked by Henry.
  • 03/21/2018: Henry sent me a list of affected devices.
  • 04/02/2018: Full disclosure.

Affected versions

According to Cisco, these versions are susceptible to these cracking techniques.

  • Firepower 8120, 8130, 8140
  • Firepower 8250, 8260, 8270, 8290
  • Firepower 8350, 8360, 8370, 8390
  • AMP8050, AMP8150, 8350, 8360, 8370, 8390
  • Firepower 7050
  • Firepower 7010, 7020, 7030
  • Firepower 7110, 7115, 7120, 7125, AMP7150