Zero-day vulnerability in Cisco ASA Series

SNMP remote code execution
CVE-2016-6366

The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed ExtraBacon and presumably used by NSA operatives to infiltrate networks of government organizations and private companies.

Known malware:

ExtraBacon.

Vulnerability details

Advisory: SB2016081803 - Remote code execution in Cisco ASA Appliances

Vulnerable component: Cisco ASA Series

CVE-ID: CVE-2016-6366

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-119 - Memory corruption

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when handling SNMP packets. A remote attacker with knowledge of SNMP community string can cause buffer overflow and cause the target device to reload or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in full compromise of affected system.

The following models of CISCO ASA appliances are affected:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

Note: this is a zero-day vulnerability, discovered after security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred as EXTRABACON Exploit.

Public Exploits:

- Cisco ASA 8.x - 'EXTRABACON' Authentication Bypass [Exploit-DB]

External links:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
https://www.surecloud.com/security-bulletins/cisco-asa-pix-firewall-zero-day-vulnerability-cve-2016-...
http://securityaffairs.co/wordpress/51410/hacking/cve-2016-6415.html
https://threatpost.com/cisco-begins-patching-equation-group-asa-zero-day/120124/
http://www.bankinfosecurity.com/cisco-patches-asa-devices-against-extrabacon-a-9360
http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml
https://threatpost.com/leaked-shadowbrokers-attack-upgraded-to-target-current-versions-of-cisco-asa/...
https://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-fo...
ttps://thehackernews.com/2016/08/nsa-hack-exploit.html

https://duo.com/blog/newly-released-exploits-affect-cisco-juniper-and-other-vendors
http://www.securityweek.com/cisco-finds-new-zero-day-linked-shadow-brokers-exploit
https://www.symantec.com/connect/blogs/equation-has-secretive-cyberespionage-group-been-breached
https://www.helpnetsecurity.com/2016/08/18/cisco-fortinet-exploits-leaked/

About zero-day vulnerabilities

Zero-day vulnerability is an undisclosed vulnerability in software that hackers can exploit to compromise computer programs, gain unauthorized access to sensitive data, penetrate networks, etc. We consider vulnerability a zero-day when there is no solution provided from software vendor and the vulnerability is being actively exploited by malicious actors.

Zero-day candidate is a potential zero-day vulnerability in software which might have been used in targeted attacks, however there is no evidence to support this suggestion.