Cisco has started releasing updates for its Adaptive Security Appliance (ASA) software to address a remote code execution vulnerability leveraged by a recently leaked zero-day exploit.
A group calling itself Shadow Brokers published hundreds of megabytes of exploits, implants and tools allegedly stolen from the Equation Group, a threat actor linked to the U.S. National Security Agency (NSA). The leaked exploits target firewalls from Cisco, Juniper Networks, WatchGuard, Fortinet and others, but so far only Cisco discovered a previously unknown vulnerability.
The flaw, identified as CVE-2016-6366, has been used for an exploit called EXTRABACON. While the original version of the exploit only worked against older versions of the Cisco ASA software, researchers have easily managed to adapt it for newer versions as well.
The vulnerability exists in the Simple Network Management Protocol (SNMP) code of the ASA software and it can be exploited by a remote attacker who has access to the targeted system to cause a crash or execute arbitrary code.
Cisco updated its initial advisory on Wednesday to inform customers that it has started releasing patches. The networking giant has advised users of ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 to update their installations to version 9.1.7(9) or later. The issue has been resolved in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).
For the other affected versions, Cisco expects to release fixes in the upcoming days. In the meantime, users can apply the workarounds provided by the company.
Hungary-based security firm Silent Signal reported on Tuesday that it had adapted the original EXTRABACON exploit for ASA 9.2(4) and the company is confident that it can be ported to even newer versions. Silent Signal has released some technical information on the porting process.
CVE-2016-6366 affects Cisco’s ASA appliances, firewalls and routers, Firepower products, Firewall Services Modules, industrial security appliances, and PIX firewalls. The firewall modules and PIX firewalls are no longer supported and they will not be patched.
Cisco’s PIX firewalls are also targeted by a different exploit leaked by Shadow Brokers. The exploit, dubbed BENIGNCERTAIN, allows attackers to extract VPN private keys.
It’s still unclear who is behind Shadow Brokers. Some say it’s Russia, while others believe it could be an NSA insider similar to Edward Snowden.
Related: Snowden Documents Show NSA Leak is Real
Related: Firewall Vendors Analyze Exploits Leaked by “Shadow Brokers”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking
- Google Fi Data Breach Reportedly Led to SIM Swapping
- Microsoft’s Verified Publisher Status Abused in Email Theft Campaign
- British Retailer JD Sports Discloses Data Breach Affecting 10 Million Customers
- Meta Awards $27,000 Bounty for 2FA Bypass Vulnerability
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
Latest News
- Dutch, European Hospitals ‘Hit by Pro-Russian Hackers’
- Gem Security Gets $11 Million Seed Investment for Cloud Incident Response Platform
- Ransomware Leads to Nantucket Public Schools Shutdown
- Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation and Information Sharing
- Boxx Insurance Raises $14.4 Million in Series B Funding
- Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data
- 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
- Cyber Insights 2023: ICS and Operational Technology
