Many Cisco Devices Still Vulnerable to NSA-Linked Exploit

Tens of thousands of devices running Cisco’s Adaptive Security Appliance (ASA) software are still vulnerable to attacks leveraging an exploit leaked by a group calling itself Shadow Brokers.

Shadow Brokers has leaked hundreds of megabytes of firewall exploits and implants allegedly stolen from the NSA-linked threat actor known as the Equation Group. The leak included a zero-day vulnerability in Cisco’s ASA software, which had been used for an exploit dubbed Extrabacon.

Cisco started releasing patches for the affected ASA software roughly ten days after the leak came to light. At the time of writing, only a couple of ASA versions remain unpatched. However, researchers at security firm Rapid7 have determined that there are still numerous vulnerable installations.

An Internet scan conducted using the company’s Project Sonar revealed more than 50,000 Cisco ASA devices, roughly half of which were located in the United States. The list of large organizations housing at least ten such devices included a Japanese telecoms provider, technology and healthcare firms in the U.S., government and financial services organizations in the U.K., a Swedish technology services company, a Brazilian telecoms provider, a Canadian university, and various types of global services providers.

Since in many countries it’s illegal to conduct Internet scans involving login attempts, Rapid7 has tried to determine the number of unpatched devices using hping, a command-line TCP/IP packet analyzer. The tool allowed experts to determine how many of the devices had been rebooted – likely due to the installation of the patches – since Cisco started releasing security updates for its ASA software.

Of the total of 50,000 devices, roughly 12,000 could not be analyzed and approximately 15,000 had been rebooted since the ASA patches were released. This indicates that roughly 38 percent of them have likely been patched.

While the exploit found in the Shadow Brokers dump was designed to work against older versions of ASA, Silent Signal researchers demonstrated that it can be easily adapted for newer versions as well.

Rapid7 pointed out that despite Cisco’s initial warning that all versions of the ASA software are vulnerable, many organizations using newer versions may have underestimated the risk until Silent Signal’s disclosure on August 25.

The ASA flaw, related to the Simple Network Management Protocol (SNMP) and tracked as CVE-2016-6366, can be exploited by a remote attacker to cause a device to reload and for arbitrary code execution. However, Cisco and experts have pointed out that the vulnerability is not easy to exploit as the attacker must be authenticated, likely after compromising the targeted organization’s network, and they must know the SNMP community string, a password used to restrict access to SNMP data on a device.