Security Experts:

Cisco Updates ASA Software to Address NSA-Linked Exploit

Cisco has started releasing updates for its Adaptive Security Appliance (ASA) software to address a remote code execution vulnerability leveraged by a recently leaked zero-day exploit.

A group calling itself Shadow Brokers published hundreds of megabytes of exploits, implants and tools allegedly stolen from the Equation Group, a threat actor linked to the U.S. National Security Agency (NSA). The leaked exploits target firewalls from Cisco, Juniper Networks, WatchGuard, Fortinet and others, but so far only Cisco discovered a previously unknown vulnerability.

The flaw, identified as CVE-2016-6366, has been used for an exploit called EXTRABACON. While the original version of the exploit only worked against older versions of the Cisco ASA software, researchers have easily managed to adapt it for newer versions as well.

The vulnerability exists in the Simple Network Management Protocol (SNMP) code of the ASA software and it can be exploited by a remote attacker who has access to the targeted system to cause a crash or execute arbitrary code.

Cisco updated its initial advisory on Wednesday to inform customers that it has started releasing patches. The networking giant has advised users of ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 to update their installations to version 9.1.7(9) or later. The issue has been resolved in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

For the other affected versions, Cisco expects to release fixes in the upcoming days. In the meantime, users can apply the workarounds provided by the company.

Hungary-based security firm Silent Signal reported on Tuesday that it had adapted the original EXTRABACON exploit for ASA 9.2(4) and the company is confident that it can be ported to even newer versions. Silent Signal has released some technical information on the porting process.

CVE-2016-6366 affects Cisco’s ASA appliances, firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls. The firewall modules and PIX firewalls are no longer supported and they will not be patched.

Cisco’s PIX firewalls are also targeted by a different exploit leaked by Shadow Brokers. The exploit, dubbed BENIGNCERTAIN, allows attackers to extract VPN private keys.

It’s still unclear who is behind Shadow Brokers. Some say it’s Russia, while others believe it could be an NSA insider similar to Edward Snowden.

Related: Snowden Documents Show NSA Leak is Real

Related: Firewall Vendors Analyze Exploits Leaked by "Shadow Brokers"

Related: Who Is Behind the Shadow Brokers Leak?

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.