Cisco Updates ASA Software to fix the Equation Group’s EXTRABACON exploit

Pierluigi Paganini August 25, 2016

Cisco has started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.

Security firms and IT giants are analyzing the huge archive leaked by the Shadow Brokers crew after the hack of the NSA-linked Equation Group.

We reported that some of the exploits included in the archive are effective against CISCO, Fortinet, and Juniper network appliance.

For example, the BENIGNCERTAIN tool included in the NSA data dump could be exploited by remote attackers to extract VPN passwords from certain Cisco devices, meanwhile the EXTRABACON was analyzed by the Hungary-based security consultancy SilentSignal to hack into the newer models of Cisco’s Adaptive Security Appliance (ASA).

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall.

The CVE-2016-6366 flaw affects Cisco’s ASA appliances, both firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls.

CISCO ASA Software 2

The EXTRABACON tool leverages on a flaw that resides in the Simple Network Management Protocol (SNMP) implemented by the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory  published by CISCO.

“The vulnerability is due to a buffer overflow in the affected code area.  The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

Cisco promptly analyzed the exploits and released the necessary patches. Network administrators that manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in the ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

The remaining versions will be fixed by the IT giant in the upcoming days, anyway, the company provided a detailed description of the workarounds to implement as a temporary solution.

The company will not issue any patch for no longer supported devices, including firewall modules and PIX firewalls.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – EXTRABACON , Equation Group)

you might also like

leave a comment