Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Cisco Updates ASA Software to Address NSA-Linked Exploit

Cisco has started releasing updates for its Adaptive Security Appliance (ASA) software to address a remote code execution vulnerability leveraged by a recently leaked zero-day exploit.

Cisco has started releasing updates for its Adaptive Security Appliance (ASA) software to address a remote code execution vulnerability leveraged by a recently leaked zero-day exploit.

A group calling itself Shadow Brokers published hundreds of megabytes of exploits, implants and tools allegedly stolen from the Equation Group, a threat actor linked to the U.S. National Security Agency (NSA). The leaked exploits target firewalls from Cisco, Juniper Networks, WatchGuard, Fortinet and others, but so far only Cisco discovered a previously unknown vulnerability.

The flaw, identified as CVE-2016-6366, has been used for an exploit called EXTRABACON. While the original version of the exploit only worked against older versions of the Cisco ASA software, researchers have easily managed to adapt it for newer versions as well.

The vulnerability exists in the Simple Network Management Protocol (SNMP) code of the ASA software and it can be exploited by a remote attacker who has access to the targeted system to cause a crash or execute arbitrary code.

Cisco updated its initial advisory on Wednesday to inform customers that it has started releasing patches. The networking giant has advised users of ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 to update their installations to version 9.1.7(9) or later. The issue has been resolved in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

For the other affected versions, Cisco expects to release fixes in the upcoming days. In the meantime, users can apply the workarounds provided by the company.

Hungary-based security firm Silent Signal reported on Tuesday that it had adapted the original EXTRABACON exploit for ASA 9.2(4) and the company is confident that it can be ported to even newer versions. Silent Signal has released some technical information on the porting process.

CVE-2016-6366 affects Cisco’s ASA appliances, firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls. The firewall modules and PIX firewalls are no longer supported and they will not be patched.

Cisco’s PIX firewalls are also targeted by a different exploit leaked by Shadow Brokers. The exploit, dubbed BENIGNCERTAIN, allows attackers to extract VPN private keys.

It’s still unclear who is behind Shadow Brokers. Some say it’s Russia, while others believe it could be an NSA insider similar to Edward Snowden.

Related: Snowden Documents Show NSA Leak is Real

Related: Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”

Related: Who Is Behind the Shadow Brokers Leak?

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).