EXTRABACON Flaw Patched by Cisco

After the EXTRABACON exploit became public on August 13, 2016, Cisco began issuing software updates for its Adaptive Security Appliance (ASA) devices and for other affected products, including its Firepower line.

The EXTRABACON flaw came to Cisco's attention through a public leak by a group calling itself the Shadow Brokers. A couple of weeks ago, the Shadow Brokers claimed to have stolen code and exploits from a nation-state spying group called the Equation Group, which is believed to have links to the NSA's Tailored Access Operations team.

EXTRABACON is a zero-day exploit, unknown to Cisco before the leak, that is understood to have been developed by the Equation Group. It can be used to attack a range of Cisco security products, including its ASA devices.

However, the exploit cannot be used against every Cisco ASA deployment. The attacker must be able to reach the SNMP service on the firewall and must know a valid SNMP community string (read access is enough), and because the exploit works by disabling password checks for telnet and SSH logins, the attacker also needs network access to telnet or SSH on the device to make use of it. The publicly released exploit has been shown to work against ASA software releases up to and including 9.2(4).

Cisco has released a security advisory about the flaw, tracked as CVE-2016-6366, and started issuing software updates on August 24. According to the advisory, "The EXTRABACON exploit targets a buffer overflow vulnerability in the SNMP code of the Cisco ASA, Cisco PIX and Cisco Firewall Services Module."

An attack is not trivial, since it depends on the preconditions above (a valid SNMP community string and network reach to the SNMP service), but if successful the attacker can trigger the buffer overflow, run arbitrary code and take full control of the system.
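The preconditions above can be checked against a device's running configuration. The following script is an added example, not code from the article or from Cisco: it reads a constructed ASA running-config excerpt (the sample below is made up, not taken from a real device) and reports the conditions the exploit depends on: SNMP hosts authenticated only by a v1/v2c community string, a global community string, telnet or SSH open from any source, and a software release inside the range the public exploit has been shown to work against. Interfaces with security-level 0 are treated as untrusted, which is an assumption of the script rather than a rule stated on the page.

```python
"""Audit an ASA running-config excerpt for the EXTRABACON preconditions.

Added example: the sample config and the security-level heuristic are
assumptions for illustration, not Cisco guidance or the page's own code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of an ASA running-config excerpt (not a real device).
SAMPLE_CONFIG = """\
ASA Version 9.2(4)
!
hostname fw-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
snmp-server host outside 203.0.113.50 community public version 2c
snmp-server host inside 10.0.0.5 version 3 monitor
snmp-server community public
snmp-server enable
telnet 0.0.0.0 0.0.0.0 outside
ssh 10.0.0.0 255.255.255.0 inside
"""

VERSION_RE = re.compile(r"^ASA Version (\d+)\.(\d+)\((\d+)\)")
# Newest release the article reports the public exploit working against.
EXPLOIT_DEMONSTRATED_UPTO = (9, 2, 4)


def parse_version(config: str) -> Optional[Tuple[int, int, int]]:
    """Return the ASA release as (major, minor, maintenance), or None."""
    for line in config.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            major, minor, maint = (int(x) for x in m.groups())
            return (major, minor, maint)
    return None


def interface_security_levels(config: str) -> Dict[str, int]:
    """Map each nameif to its security-level (0 = untrusted in this example)."""
    levels: Dict[str, int] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"\s*nameif (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*security-level (\d+)", line)
        if m and current:
            levels[current] = int(m.group(1))
    return levels


def audit_snmp(config: str) -> List[str]:
    """Return findings; an empty list means none of the preconditions were seen."""
    findings: List[str] = []
    levels = interface_security_levels(config)

    version = parse_version(config)
    if version is not None and version <= EXPLOIT_DEMONSTRATED_UPTO:
        findings.append(
            "version %d.%d(%d) is within the range the public exploit has been "
            "shown to work against" % version
        )

    for raw in config.splitlines():
        line = raw.strip()

        m = re.match(r"^snmp-server host (\S+) (\S+)(.*)$", line)
        if m:
            iface, host, rest = m.groups()
            if "version 3" in rest:
                continue  # SNMPv3 user credentials, not a bare community string
            if re.search(r"\btrap\b", rest):
                continue  # trap-only host: the ASA sends to it, it cannot poll
            trust = "untrusted" if levels.get(iface, 0) == 0 else "trusted"
            findings.append(
                f"SNMP v1/v2c host {host} on {trust} interface '{iface}': "
                "a community string is the only secret the exploit needs"
            )
            continue

        if re.match(r"^snmp-server community \S+", line):
            findings.append("global SNMP community string configured")
            continue

        m = re.match(r"^(telnet|ssh) (\S+) (\S+) (\S+)$", line)
        if m:
            proto, ip, mask, iface = m.groups()
            if ip == "0.0.0.0" and mask == "0.0.0.0":
                findings.append(
                    f"{proto} permitted from any source on interface '{iface}': "
                    "login path the exploit's disabled-authentication payload abuses"
                )
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print(" -", finding)
```

On the sample, the SNMPv3 host on the inside interface produces no finding, while the v2c host on the outside interface, the global community string, the open telnet line and the 9.2(4) release each do. Feed the script the output of `show running-config` from a real device to get the same report.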

A statement was issued by the Cisco Product Security Incident Response Team saying “We have started publishing fixes for affected versions, and will continue to publish additional fixes for supported releases as they become available in the coming days.”

Any organization that uses the following Cisco products is potentially at risk:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Firewall Services Module (FWSM)
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls

Users should confirm they are running a fixed release. Cisco's first fixed build is 9.1.7(9); "later" alone is not enough, because the other 9.x trains each need their own fixed build, which Cisco expected to publish by August 26 at the latest.

Unfortunately, the vulnerability also affects PIX firewalls, which are no longer supported. Any organization still using a PIX firewall will not receive a software fix for the EXTRABACON flaw; the only options are to restrict SNMP access to trusted management hosts or disable it entirely, and to plan a replacement.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news