Leaked EXTRABACON exploit can work on newer Cisco ASA firewalls
EXTRABACON, one of the Equation Group exploits leaked by the Shadow Brokers, can be made to work on a wider range of Cisco Adaptive Security Appliance (ASA) firewalls than previously reported.
We successfully ported EXTRABACON to ASA 9.2(4) #ShadowBrokers #Cisco pic.twitter.com/UPG6yq9Km2
— SilentSignal (@SilentSignalHU) August 23, 2016
The leaked exploit targets a zero-day buffer overflow (CVE-2016-6366) in the SNMP code of Cisco ASA, Cisco PIX and Cisco Firewall Services Module devices. As leaked, it works against ASA software versions 8.4(4) and earlier, but researchers from the Hungarian pentesting firm SilentSignal have modified it so that it also works against ASA 9.2(4).
Cisco had already said in its initial security advisory that all Cisco ASA software releases are affected by the flaw, and Omar Santos, Principal Engineer in the Cisco Product Security Incident Response Team, tested the original exploit against a Cisco ASA 5506 running version 9.4(1): the exploit crashed the device (a denial of service) rather than compromising it.
Ars Technica's Dan Goodin reports that the port required little work, but the exploit's effectiveness still depends on preconditions: the attacker must already have a foothold from which the target's SNMP service is reachable, the device must have SNMP configured (enabled with the snmp-server enable command), and the attacker must know the SNMP community string.
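A practitioner reading the prerequisites above will want to check their own appliances for them. The following is an added example, not code from the article, from Cisco or from SilentSignal: it parses the `snmp-server` lines of a Cisco ASA running-config and reports whether the agent is enabled and which pollers reach it with an SNMPv1/v2c community string (the credential the exploit needs) rather than SNMPv3 user credentials. The keyword handling follows the ASA `snmp-server host` syntax (interface, address, optional trap/poll, optional community, optional version); the two sample configurations, the list of weak community strings, and the assumption that an omitted version means v2c are constructed for this example. The "hardened" variant removes the community-string precondition, which raises the bar for an attacker, but it does not remove the bug itself, which at the time of writing Cisco had not patched.

```python
"""Audit a Cisco ASA running-config for the EXTRABACON preconditions named above.

Added example: not the article's, Cisco's or SilentSignal's code. Only the
`snmp-server` lines are parsed; all other configuration is ignored.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Community strings worth treating as effectively public (assumed list).
WEAK_COMMUNITIES = {"public", "private", "cisco", "community", "snmp"}


@dataclass
class SnmpAudit:
    enabled: bool = False
    global_communities: Set[str] = field(default_factory=set)
    # (interface, address, version, per-host community) per `snmp-server host` line
    hosts: List[Tuple[str, str, str, Optional[str]]] = field(default_factory=list)


def parse_asa_snmp(config: str) -> SnmpAudit:
    """Collect the SNMP-relevant lines of an ASA configuration."""
    audit = SnmpAudit()
    for raw in config.splitlines():
        tok = raw.strip().split()
        if len(tok) < 2 or tok[0] != "snmp-server":
            continue
        if tok[1] == "enable":
            audit.enabled = True
        elif tok[1] == "community" and len(tok) >= 3:
            audit.global_communities.add(tok[2])
        elif tok[1] == "host" and len(tok) >= 4:
            iface, addr = tok[2], tok[3]
            version, community = "2c", None  # v2c assumed when no version keyword
            rest, i = tok[4:], 0
            while i < len(rest):
                if rest[i] == "community" and i + 1 < len(rest):
                    community = rest[i + 1]
                    i += 2
                elif rest[i] == "version" and i + 1 < len(rest):
                    version = rest[i + 1]  # "1", "2c" or "3" (followed by a username)
                    i += 2
                else:  # trap / poll / udp-port arguments
                    i += 1
            audit.hosts.append((iface, addr, version, community))
    return audit


def community_exposures(audit: SnmpAudit) -> List[Tuple[str, str, str]]:
    """Pollers that reach the agent with a community string, i.e. the exploit's
    credential precondition. Returns (interface, address, community) for each
    v1/v2c host, falling back to the global `snmp-server community` string when
    the host line carries none. Empty when the agent is not enabled at all."""
    if not audit.enabled:
        return []
    fallback = sorted(audit.global_communities)
    out = []
    for iface, addr, version, community in audit.hosts:
        if version == "3":
            continue  # SNMPv3: user credentials, no community string to guess or sniff
        cred = community or (fallback[0] if fallback else "<none>")
        out.append((iface, addr, cred))
    return out


def weak_exposures(audit: SnmpAudit) -> List[Tuple[str, str, str]]:
    """Subset of community_exposures() that uses a well-known community string."""
    return [e for e in community_exposures(audit) if e[2].lower() in WEAK_COMMUNITIES]


# Constructed sample: agent enabled, one v2c poller using the default "public" string.
WEAK_CONFIG = """\
hostname asa-edge
interface GigabitEthernet0/1
 nameif inside
 security-level 100
snmp-server host inside 10.0.0.25 poll community public version 2c
snmp-server host management 10.0.1.9 version 3 netops
snmp-server location DC1
snmp-server community public
snmp-server enable
"""

# Constructed hardened variant: the same pollers, but SNMPv3 users only. The
# matching `snmp-server group` / `snmp-server user` lines are not parsed here.
HARDENED_CONFIG = """\
hostname asa-edge
snmp-server host inside 10.0.0.25 version 3 netops
snmp-server host management 10.0.1.9 version 3 netops
snmp-server enable
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        audit = parse_asa_snmp(cfg)
        print(f"{name}: enabled={audit.enabled} "
              f"community pollers={community_exposures(audit)} "
              f"weak={weak_exposures(audit)}")
```

Run it against `show running-config` output saved to a file; an empty result from `community_exposures()` means no poller can reach the agent with a community string, which removes the credential the article says the exploit needs, not the vulnerability.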
Now that the exploit is public, capable attackers can replicate what SilentSignal's researchers did and either use the ported exploit in attacks or sell it to those who would.
With Cisco ASA boxes widely deployed by large organizations and government agencies, there is no lack of potential targets.
The attack constraints above limit the pool of potential attackers, but with state-sponsored outfits and organised cybercrime groups actively targeting anything they can reach, that pool is far from negligible.
Unfortunately, Cisco has yet to release a fix for the flaw; so far it has offered only workarounds and detection signatures for spotting active exploitation.