Researchers from security firm Rapid7 have been assessing the speed at which organizations have been addressing the EXTRABACON vulnerability, which was discovered to affect a range of Cisco appliances and security products last month. Cisco has updated its software to remediate the zero-day vulnerability, but many organizations have been slow to apply the update.
Researchers Derek Abdine and Bob Rudis conducted a scan of 50,000 devices and discovered that only 10,097 of the devices had been rebooted since August 26 to receive the patch. That suggests that as many as 28,000 Cisco ASA devices remain unpatched and still have the EXTRABACON vulnerability. Since the exploit is now publicly available, any organization that has yet to update the software on affected Cisco devices is at risk of attack.
Abdine and Rudis said that a large US healthcare organization running 20 ASA devices has yet to address the vulnerability along with four other large US firms. Other organizations known to be at risk include a Japanese telcoms company. More than half of the unpatched devices are located in the United States (25,644). In second place is Germany with 3,115 unpatched Cisco ASA SSL VPN devices, with the UK in third with 2,597 devices.
The EXTRABACON vulnerability affects Cisco ASA devices, including Firepower appliances, as well as PIX Firewalls, although since the latter are unsupported no software update will be provided to correct the EXTRABACON vulnerability. All other products can be updated to remediate the flaw.
The exploit for the vulnerability is understood to have been developed by the Equation Group, which some security experts believe to be working closely with the U.S. National Security Agency (NSA). Code and exploits were stolen from the group by a group of hackers operating under the name Shadow Brokers. The exploit was dumped by the hackers on August 13.
While the original exploit only worked on older versions of Cisco software, it has since been modified by the security researchers from the Hungarian security firm SilentSignal and can be used to attack all unpatched Cisco ASA devices running versions 8x to 9.2(4).
Fortunately, the EXTRABACON vulnerability is difficult to pull off. For the exploit to work, the device must have SNMP enabled and it must be possible to connect to the device via UDP SNMP. The attacker would also need to know the SNMP community string or a username and password.
According to a recent Rapid7 blog post, “The world is not ending, the internet is not broken, and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit.” However, this is a critical vulnerability and software should be updated ASAP.