Many Cisco Devices Still Vulnerable to NSA-Linked Exploit

Tens of thousands of devices running Cisco’s Adaptive Security Appliance (ASA) software are still vulnerable to attacks leveraging an exploit leaked by a group calling itself Shadow Brokers.

Shadow Brokers has leaked hundreds of megabytes of firewall exploits and implants allegedly stolen from the NSA-linked threat actor known as the Equation Group. Among them was an exploit dubbed Extrabacon, which targeted a previously unknown (zero-day) vulnerability in Cisco’s ASA software.

Cisco started releasing patches for the affected ASA software roughly ten days after the leak came to light. At the time of writing, only a couple of ASA versions remain unpatched. However, researchers at security firm Rapid7 have determined that there are still numerous vulnerable installations.

An Internet scan conducted using the company’s Project Sonar revealed more than 50,000 Cisco ASA devices, roughly half of which were located in the United States. The list of large organizations housing at least ten such devices included a Japanese telecoms provider, technology and healthcare firms in the U.S., government and financial services organizations in the U.K., a Swedish technology services company, a Brazilian telecoms provider, a Canadian university, and various types of global services providers.

Since actively probing SNMP on devices one does not own involves login attempts that are illegal in many countries, Rapid7 instead estimated the number of unpatched devices with hping, a command-line TCP/IP packet crafting tool. By sampling each device’s TCP timestamp option, the tool lets the researchers estimate how long a host has been up and, from that, how many devices had been rebooted – which installing a new ASA release requires – since Cisco started shipping security updates for its ASA software.

Of the roughly 50,000 devices, about 12,000 could not be analyzed (they returned no usable uptime data), and approximately 15,000 of the remaining ones had been rebooted since the ASA patches were released. That suggests only about 38 percent of the analyzable devices have been patched. A reboot is only a proxy for patching: a device can be restarted for other reasons, and a reboot does not prove that the fixed release was installed.
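The uptime-based triage described above, as an added example for this article (not Rapid7’s or Cisco’s code). It assumes each device was probed twice with the TCP timestamp option, in the way hping3’s `--tcp-timestamp` mode reports the raw TSval, and that the responder’s TSval counter runs at a constant rate from zero at boot, which is what the uptime estimate relies on. The patch date used as the threshold and all probe data are constructed.

```python
"""Reboot triage from TCP timestamps, the idea behind Rapid7's hping measurement.

Added example for this article, not Rapid7's or Cisco's code. Assumes two probes
per device carrying the TCP timestamp option (as hping3 --tcp-timestamp reports)
and a TSval counter that ticks at a constant rate from zero at boot.
Caveat: stacks that randomise the TSval offset per connection defeat this, and a
32-bit counter at 100 Hz wraps after ~497 days, so long uptimes are underestimated.
All samples below are constructed.
"""
from datetime import datetime, timedelta, timezone

TS_WRAP = 2 ** 32            # TCP TSval is a 32-bit counter (RFC 7323)
MIN_PROBE_GAP_SECONDS = 60   # shorter gaps make the tick-rate estimate too noisy

# Assumed threshold for this example: the date Cisco began shipping fixed ASA releases.
PATCH_RELEASED = datetime(2016, 8, 24, tzinfo=timezone.utc)


def estimate_boot_time(samples):
    """samples: [(utc_datetime, tsval), ...] from one host, oldest first.
    Returns the estimated boot time, or None if uptime cannot be estimated."""
    if len(samples) < 2:
        return None                      # no timestamps, or only a single probe
    (t1, ts1), (t2, ts2) = samples[0], samples[-1]
    elapsed = (t2 - t1).total_seconds()
    if elapsed < MIN_PROBE_GAP_SECONDS:
        return None
    ticks = (ts2 - ts1) % TS_WRAP        # tolerate one counter wrap between probes
    if ticks == 0:
        return None                      # counter not advancing: not a real TSval
    hz = ticks / elapsed                 # device tick rate, typically 100 or 1000 Hz
    uptime = timedelta(seconds=ts2 / hz) # counter assumed to start at 0 at boot
    return t2 - uptime


def classify(samples, patch_released=PATCH_RELEASED):
    """'rebooted_since_patch', 'not_rebooted' or 'unknown' (no usable uptime)."""
    boot = estimate_boot_time(samples)
    if boot is None:
        return "unknown"
    return "rebooted_since_patch" if boot >= patch_released else "not_rebooted"


def summarize(devices, patch_released=PATCH_RELEASED):
    """devices: {name: samples}. Returns counts plus the share of analysable
    devices that rebooted after the patch date (the article's '38 percent')."""
    counts = {"unknown": 0, "rebooted_since_patch": 0, "not_rebooted": 0}
    for samples in devices.values():
        counts[classify(samples, patch_released)] += 1
    analysable = counts["rebooted_since_patch"] + counts["not_rebooted"]
    counts["likely_patched_pct"] = (
        round(100.0 * counts["rebooted_since_patch"] / analysable, 1) if analysable else None
    )
    return counts


# Constructed probe data: two probes per device, ten minutes apart, 100 Hz clocks.
T1 = datetime(2016, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
T2 = T1 + timedelta(minutes=10)
DEVICES = {
    "asa-a": [(T1, 1_000_000), (T2, 1_060_000)],       # up ~2.9 h: rebooted after the fix
    "asa-b": [(T1, 500_000_000), (T2, 500_060_000)],   # up ~58 days: never rebooted
    "asa-c": [],                                       # answered without TCP timestamps
}

if __name__ == "__main__":
    for name, samples in DEVICES.items():
        print(name, classify(samples), estimate_boot_time(samples))
    print(summarize(DEVICES))
```

The "unknown" bucket corresponds to the roughly 12,000 devices Rapid7 could not analyze; the percentage is computed over the analyzable remainder only, which is why it is a share of about 38,000 rather than of 50,000.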

While the exploit found in the Shadow Brokers dump was written for older versions of ASA, Silent Signal researchers demonstrated that it can easily be adapted to newer versions as well.

Rapid7 pointed out that despite Cisco’s initial warning that all versions of the ASA software are vulnerable, many organizations using newer versions may have underestimated the risk until Silent Signal’s disclosure on August 25.

The ASA flaw, a buffer overflow in the Simple Network Management Protocol (SNMP) code tracked as CVE-2016-6366, can be exploited by a remote attacker to make the device reload or to execute arbitrary code. However, Cisco and experts have pointed out that exploitation is not trivial: the attacker must know the SNMP community string, the shared secret that gates SNMPv1/v2c access to the device, and must be able to reach the SNMP service on an interface where it is enabled, which in most deployments means already having a foothold inside the targeted organization’s network.
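A practitioner’s first question after reading the above is which of their own ASA devices expose exactly the conditions the exploit needs: SNMPv1/v2c polling, a guessable community string, and SNMP reachable on something other than a management interface. The following added example (not Cisco’s or Rapid7’s code) audits the `snmp-server` lines of an ASA running-config for those conditions. The interface names treated as management paths, the list of weak community strings, and the configuration excerpt itself are constructed for the example.

```python
"""Audit an ASA configuration for the exposure CVE-2016-6366 needs.

Added example for this article, not Cisco's or Rapid7's code. It parses the
'snmp-server' lines of a running-config and flags hosts polled over SNMPv1/v2c,
where a community string is the only secret, and any such host reached through
a non-management interface. MGMT_INTERFACES and WEAK_COMMUNITIES are assumptions
for the example; the configuration excerpt is constructed.
"""
import re

MGMT_INTERFACES = {"management", "inside"}                  # assumption for this example
WEAK_COMMUNITIES = {"public", "private", "cisco", "admin"}  # common defaults (assumption)

# snmp-server host <iface> <addr> [trap|poll] [community <str>] [version 1|2c|3 <user>] [udp-port <n>]
HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<addr>\S+)"
    r"(?: (?P<mode>trap|poll))?"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>1|2c|3)(?: (?P<user>\S+))?)?"
    r"(?: udp-port \d+)?$"
)
GLOBAL_COMMUNITY_RE = re.compile(r"^snmp-server community (?P<community>\S+)$")


def parse_snmp(config_text):
    """Return (hosts, global_communities) parsed from the snmp-server lines."""
    hosts, global_communities = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["version"] = entry["version"] or "unspecified"   # anything but v3 is community-based
            hosts.append(entry)
            continue
        m = GLOBAL_COMMUNITY_RE.match(line)
        if m:
            global_communities.append(m.group("community"))
    return hosts, global_communities


def audit(config_text):
    """Return a list of (severity, message) findings, worst first."""
    hosts, global_communities = parse_snmp(config_text)
    findings = []
    for h in hosts:
        where = f"{h['addr']} via {h['iface']}"
        if h["version"] == "3":
            continue                                   # SNMPv3 users carry their own auth/priv keys
        # a host line without its own community falls back to the global string
        community = h["community"] or (global_communities[0] if global_communities else None)
        severity = "high" if h["iface"] not in MGMT_INTERFACES else "medium"
        findings.append((severity,
                         f"{where}: SNMP version {h['version']}, community string is the only secret"))
        if community in WEAK_COMMUNITIES:
            findings.append(("high", f"{where}: default/guessable community string '{community}'"))
    for c in global_communities:
        if c in WEAK_COMMUNITIES:
            findings.append(("high", f"global community string '{c}' is default/guessable"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed excerpt of an ASA running-config: two weak v2c hosts, one global
# default community, and one SNMPv3 host that should not be flagged.
SAMPLE_CONFIG = """\
snmp-server host outside 198.51.100.7 community public version 2c
snmp-server host management 10.0.0.5 poll community s3cr3t-ro version 2c
snmp-server community public
snmp-server enable
snmp-server group NMSv3 v3 priv
snmp-server host management 10.0.0.6 version 3 nms
"""

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

The last host line in the sample is the shape to move towards while upgrading: an SNMPv3 user in a `priv` group reached only over the management interface, so that neither a leaked community string nor exposure on an outside interface gives an attacker the precondition the exploit needs.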

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.