Cisco Updates ASA Software to Address NSA-Linked Exploit

Cisco has started releasing updates for its Adaptive Security Appliance (ASA) software to address a remote code execution vulnerability leveraged by a recently leaked zero-day exploit.

A group calling itself Shadow Brokers published hundreds of megabytes of exploits, implants and tools allegedly stolen from the Equation Group, a threat actor linked to the U.S. National Security Agency (NSA). The leaked exploits target firewalls from Cisco, Juniper Networks, WatchGuard, Fortinet and others, but so far only Cisco has discovered a previously unknown vulnerability.

The flaw, identified as CVE-2016-6366, has been used for an exploit called EXTRABACON. While the original version of the exploit only worked against older versions of the Cisco ASA software, researchers have easily managed to adapt it for newer versions as well.

The vulnerability exists in the Simple Network Management Protocol (SNMP) code of the ASA software and it can be exploited by a remote attacker who has access to the targeted system to cause a crash or execute arbitrary code.

Cisco updated its initial advisory on Wednesday to inform customers that it has started releasing patches. The networking giant has advised users of ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 to update their installations to version 9.1.7(9) or later. The issue has been resolved in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).

For the other affected versions, Cisco expects to release fixes in the upcoming days. In the meantime, users can apply the workarounds provided by the company.
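The version guidance above can be turned into an inventory check. The following is an added example, not code from Cisco or from the article; the host names and inventory are constructed, and it assumes version strings are written either in the article's notation, such as 9.1.7(9), or in the 9.1(7)9 style.

```python
import re

# Fixed releases per release train, exactly as listed in the article.
FIXED = {(9, 1): "9.1.7(9)", (9, 5): "9.5(3)", (9, 6): "9.6.1(11)"}
# Trains the article says should move to 9.1.7(9) or later: 7.2 and 8.0-8.7.
MIGRATE = {(7, 2)} | {(8, minor) for minor in range(0, 8)}
MIGRATE_TARGET = "9.1.7(9)"


def parse(version):
    """Return the numeric components of an ASA version string as a tuple.

    Both notations reduce to the same integer sequence, so
    9.1.7(9) and 9.1(7)9 compare as equal.
    """
    parts = tuple(int(n) for n in re.findall(r"\d+", version))
    if len(parts) < 2:
        raise ValueError(f"not an ASA version string: {version!r}")
    return parts


def assess(version):
    """Classify one version against the fixes named in the article."""
    parts = parse(version)
    train = parts[:2]
    if train in MIGRATE:
        return f"vulnerable: migrate to {MIGRATE_TARGET} or later"
    if train in FIXED:
        if parts >= parse(FIXED[train]):
            return "fixed"
        return f"vulnerable: upgrade to {FIXED[train]} or later"
    # The article names no fixed release for this train.
    return "not listed: check the Cisco advisory and apply workarounds"


def report(inventory):
    """Map each host in an inventory dict to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical host names).
INVENTORY = {"fw-edge-1": "8.4(7)", "fw-edge-2": "9.1(7)4",
             "fw-dc-1": "9.5(3)", "fw-dc-2": "9.2(4)"}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```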

Hungary-based security firm Silent Signal reported on Tuesday that it had adapted the original EXTRABACON exploit for ASA 9.2(4) and the company is confident that it can be ported to even newer versions. Silent Signal has released some technical information on the porting process.

CVE-2016-6366 affects Cisco’s ASA appliances, firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls. The firewall modules and PIX firewalls are no longer supported and they will not be patched.

Cisco’s PIX firewalls are also targeted by a different exploit leaked by Shadow Brokers. The exploit, dubbed BENIGNCERTAIN, allows attackers to extract VPN private keys.

It’s still unclear who is behind Shadow Brokers. Some say it’s Russia, while others believe it could be an NSA insider similar to Edward Snowden.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
