Zivaro Blog

Addressing the Cisco ASA SNMP Remote Code Execution Vulnerability

As you have probably seen, there has been much in the news lately about the EXTRABACON exploit released by a group of hackers called the Shadow Brokers, who supposedly acquired the exploit (and other cyber weapons) from a different group of hackers, the Equation Group, which is rumored to be affiliated with the National Security […]

As you have probably seen, there has been much in the news lately about the EXTRABACON exploit released by a group of hackers called the Shadow Brokers, who supposedly acquired the exploit (and other cyber weapons) from a different group of hackers, the Equation Group, which is rumored to be affiliated with the National Security Agency (NSA). It may sound like the plot of a “Jason Bourne” movie, but unfortunately this is the real world that we live in now, and there’s a real reason you should care.

It turns out the EXTRABACON exploit can be used to breach Cisco Adaptive Security Appliances (ASAs) and also legacy Cisco PIX Firewalls and Firewall Services Modules. According to Cisco, the ASA SNMP Remote Code Execution vulnerability (CVE-2016-6366) affects Simple Network Management Protocol (SNMP) code of Cisco ASA software and “could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” Both Cisco Intrusion Prevention System (IPS) and TALOS have produced signatures to detect the issue.

A few facts from Cisco about the EXTRABACON exploit and vulnerability:

– SNMP must be configured and enabled in the interface which is receiving the SNMP packets. In a typical network, SNMP is only enabled in the management interface of the Cisco ASA. Subsequently, the attacker must launch the attack from a network residing on that interface. Crafted SNMP traffic coming from any other interface (outside or inside) cannot trigger this vulnerability.

– The SNMP community string needs to be known by the attacker in order to exploit this vulnerability.

– Only traffic directed to the affected system can be used to exploit this vulnerability.

– This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode.

– This vulnerability can be triggered by IPv4 traffic only.

– All supported versions of SNMP (v1, v2c, and 3) are affected by this vulnerability.

– This exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

– All Cisco ASA Software releases are affected.

Workarounds: Best practice dictates that SNMP should only be configured on trusted interfaces, and access granted to only known SNMP management tools. Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-serverhost command.

Cisco has posted fixes for all major ASA versions, although it has said that fixes will not be made available for Cisco Firewall Service Modules and PIX Firewalls as their software is no longer supported.

In addition to EXTRABACON, two other exploits were released by the hackers that can affect Cisco ASA, PIX, and Firewall Services Module. The EPICBANANA exploit leverages a known vulnerability that could enable hackers to execute remote code via command line (CVE-2016-6367), but has been fixed since Cisco ASA version 8.4(3). The JETPLOW exploit is a persistent implant of EPICBANANA but is mitigated by Cisco Secure Boot. Cisco has provided more information about these exploits on their website.

If you have questions or concerns, feel free to reach out to me on LinkedIn.

Michael Edwards is a Principal Architect in Professional Services at GTRI.

3900 E Mexico Avenue, Suite 1000,
Denver, CO 80210