
NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes

Two security experts from Rapid7 revealed that tens of thousands of CISCO ASA boxes are still vulnerable to the NSA EXTRABACON exploit.

A few weeks ago the Shadow Brokers hacker group hacked into the arsenal of the NSA-linked Equation Group and leaked data dumps containing its exploits online.

ExtraBacon is one of the exploits included in the NSA arsenal. In August, security experts improved it so that it works against newer versions of the CISCO ASA appliance. The Hungary-based security consultancy SilentSignal focused its analysis on the ExtraBacon exploit, revealing that it could be used against the newer models of Cisco’s Adaptive Security Appliance (ASA).

The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought.

Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes; it has now been extended to 9.2.(4).

The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The tool leverages a flaw in the Simple Network Management Protocol (SNMP) code implemented by the ASA software.

“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code,” states the advisory published by CISCO.

“The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”

At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.

Network administrators that manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in the ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).
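The upgrade guidance above can be turned into an inventory check. The following is an added example, not code from the article, Cisco or Rapid7; the hostnames and inventory are constructed, and release trains the article does not mention are reported as "check-advisory" rather than guessed.

```python
import re

# Fixed releases exactly as the article lists them, keyed by (major, minor) train.
FIXED = {(9, 1): (9, 1, 7, 9), (9, 5): (9, 5, 3), (9, 6): (9, 6, 1, 11)}
# Trains the article says have to move to 9.1.7(9) or later.
MIGRATE = {(7, 2)} | {(8, minor) for minor in range(0, 8)}


def parse_version(text):
    """Turn '9.1.7(9)' or the alternative notation '9.1(7)9' into (9, 1, 7, 9)."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 2:
        raise ValueError(f"not an ASA version string: {text!r}")
    return nums


def pad(version, width=4):
    """Right-pad with zeros so 9.5(3) compares as 9.5.3.0."""
    return version + (0,) * max(0, width - len(version))


def triage(text):
    """Return (status, fixed_release_or_None) for one version string."""
    version = parse_version(text)
    train = version[:2]
    if train in MIGRATE:
        return ("vulnerable", "9.1.7(9)")
    if train in FIXED:
        fixed = FIXED[train]
        status = "fixed" if pad(version) >= pad(fixed) else "vulnerable"
        label = ".".join(map(str, fixed[:-1])) + f"({fixed[-1]})"
        return (status, label)
    # The article names no fixed release for this train; do not guess one.
    return ("check-advisory", None)


# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = {"fw-edge-1": "8.4(4)", "fw-edge-2": "9.1(7)4", "fw-dc-1": "9.1.7(9)",
             "fw-dc-2": "9.5(3)", "fw-lab-1": "9.6.1(5)", "fw-lab-2": "9.2(4)"}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        print(host, ver, *triage(ver))
```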

Experts estimated that tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit.

The bad news

Unfortunately, two security experts from Rapid7, Derek Abdine and Bob Rudis, revealed that tens of thousands of ASA appliances are still vulnerable to the EXTRABACON attack, judging by the time of their last reboot.

The security duo scanned roughly 50,000 ASA devices that were identified in a previous reconnaissance and analysed their last reboot times.

Some 10,000 of the 38,000 ASA boxes had rebooted within the 15 days since Cisco released its patch, a finding that confirms that roughly 28,000 devices are still vulnerable because they were not patched. The remaining 12,000 devices did not provide the time of their last reboot.
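The reboot-time inference described above can be reproduced against an organisation's own device inventory. This is an added example, not Rapid7's tooling; the release date is a constructed placeholder (the article only says "end of August"), and the record layout and hostnames are assumptions. A reboot after the release date only means the device may have been patched.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed placeholder, NOT the real release date: substitute the actual one.
PATCH_RELEASED = datetime(2000, 1, 1, tzinfo=timezone.utc)


def classify(scan_time, uptime_seconds, patch_released=PATCH_RELEASED):
    """Bucket one device by whether its last boot falls after the patch release."""
    if uptime_seconds is None:
        return "no-data"  # device did not report a last reboot time
    last_boot = scan_time - timedelta(seconds=uptime_seconds)
    if last_boot >= patch_released:
        return "rebooted-since-patch"  # possibly patched; a reboot is not proof
    return "not-rebooted"  # up since before the release, so counted as unpatched


def summarize(records, patch_released=PATCH_RELEASED):
    """Tally (host, scan_time, uptime_seconds) records into the three buckets."""
    return Counter(classify(t, up, patch_released) for _, t, up in records)


# Constructed sample: a scan taken 15 days after the placeholder release date.
SCAN = PATCH_RELEASED + timedelta(days=15)
DAY = 86400
RECORDS = [
    ("asa-a", SCAN, 3 * DAY),    # booted 3 days before the scan
    ("asa-b", SCAN, 15 * DAY),   # booted exactly at the release time
    ("asa-c", SCAN, 200 * DAY),  # long uptime, predates the patch
    ("asa-d", SCAN, None),       # no reboot information returned
    ("asa-e", SCAN, 16 * DAY),   # booted one day before the release
]

if __name__ == "__main__":
    for bucket, count in sorted(summarize(RECORDS).items()):
        print(bucket, count)
```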

Digging deeper into the analysis, the researchers discovered that unpatched devices belong to four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

What does it mean?

It means that the above organizations are using vulnerable CISCO ASA boxes if the following conditions are met:

  • the ASA device must have SNMP enabled and an attacker must have the ability to reach the device via UDP SNMP (yes, SNMP can run over TCP though it’s rare to see it working that way) and know the SNMP community string
  • an attacker must also have telnet or SSH access to the devices

Of course, exploiting ExtraBacon is not that simple; still, it is possible when dealing with persistent attackers.

“This generally makes the EXTRABACON attack something that would occur within an organization’s network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit.” wrote Abdine and Rudis.

“Even though there’s a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments.” 

“Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.”

The security duo is warning the above organisations, which should not underestimate the risk of exposure to EXTRABACON attacks.


Pierluigi Paganini

(Security Affairs – CISCO ASA, ExtraBacon exploit)
