Users running the affected ASA versions 7.2 and 8.0 through 8.7 are urged to migrate soon to 9.1.7(9) or later. Fixes for the newer affected releases, 9.1 through 9.6, are expected in some cases within the next two days.
“We have started publishing fixes for affected versions, and will continue to publish additional fixes for supported releases as they become available in the coming days,” Cisco’s Omar Santos said today in an updated advisory.
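For anyone checking a fleet against the versions named above, the following is an added example, not code from Cisco or from the article, of the check a practitioner would write. It parses an ASA release in both the `show version` notation ("9.1(7)9") and the advisory notation used here ("9.1.7(9)"), and classifies it using only the trains and the fixed release this article names. The banner-line format, the sample `show version` output and the decision to send anything outside those trains to "check the advisory" are this example's assumptions, not statements from Cisco.

```python
import re
from typing import Tuple

# Cisco prints an ASA release two ways: "9.1(7)9" in `show version` output and
# "9.1.7(9)" in advisories and in this article. Both mean major 9, minor 1,
# maintenance 7, interim 9. A release with no interim number, e.g. "8.4(4)",
# gets interim 0 so that tuples compare correctly.
_SHOW_VERSION_FORM = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d*)$")   # 9.1(7)9, 8.4(4)
_ADVISORY_FORM = re.compile(r"^(\d+)\.(\d+)\.(\d+)\((\d+)\)$")     # 9.1.7(9)


def parse_asa_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, interim) for either notation."""
    text = text.strip()
    m = _SHOW_VERSION_FORM.match(text) or _ADVISORY_FORM.match(text)
    if m is None:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


# First fixed release the article names for the 9.1 train.
FIXED_9_1 = parse_asa_version("9.1.7(9)")


def classify(version: str) -> str:
    """Map a release to the exposure status the article describes.

    Only the trains the article names are judged; anything else is deferred
    to the current Cisco advisory rather than guessed at (assumption of this
    example, not a statement by Cisco).
    """
    v = parse_asa_version(version)
    train = v[:2]
    if train == (7, 2) or (8, 0) <= train <= (8, 7):
        return "affected: migrate to 9.1.7(9) or later"
    if train == (9, 1):
        if v >= FIXED_9_1:
            return "fixed"
        return "affected: upgrade to 9.1.7(9) or later"
    if (9, 2) <= train <= (9, 6):
        return "affected: fix pending at time of writing, check the current advisory"
    return "not covered by the article, check the current advisory"


# Assumed banner fragment from `show version`; only the
# "Software Version <release>" part is needed.
_BANNER = re.compile(r"Software Version (\S+)")


def version_from_show_version(output: str) -> str:
    """Pull the release string out of captured `show version` text."""
    m = _BANNER.search(output)
    if m is None:
        raise ValueError("no 'Software Version' line found")
    return m.group(1)


# Constructed sample of a `show version` banner line (not a real capture).
SAMPLE_SHOW_VERSION = "Cisco Adaptive Security Appliance Software Version 9.1(7)4\n"

if __name__ == "__main__":
    for rel in ("8.4(4)", "9.1(7)4", "9.1.7(9)", "9.1(8)", "9.2(4)", "9.0(1)"):
        print(f"{rel:>9}: {classify(rel)}")
    print("inventory:", classify(version_from_show_version(SAMPLE_SHOW_VERSION)))
```

Comparing releases as integer tuples matters here: a plain string comparison would rank "9.1(7)9" below "9.1(7)10" incorrectly, and would not see that "9.1(8)" is newer than "9.1(7)9".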
The vulnerability lies in the SNMP code of ASA and could allow an attacker to crash the affected system or remotely execute arbitrary code.
The updates address a buffer overflow vulnerability assigned CVE-2016-6366. An Equation Group exploit called EXTRABACON, found in the data exposed by the ShadowBrokers, targets this flaw: a remote attacker who sends specially crafted SNMP packets can trigger it.
The Equation Group is largely believed to have ties to the NSA, and the ShadowBrokers’ exposure of the group’s files included 300MB of exploits, implants and other attacks targeting high-end networking gear from not only Cisco, but also Juniper, Fortinet, WatchGuard and others.
The affected ASA software, Cisco said, runs in a number of its products, including Cisco ASA 5500 Series Adaptive Security Appliances, Cisco ASA 5500-X Series Next-Generation Firewalls, Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Cisco ASA 1000V Cloud Firewall, Cisco Adaptive Security Virtual Appliance (ASAv), Cisco Firepower 4100 Series, Cisco Firepower 9300 ASA Security Module, Cisco Firepower Threat Defense Software, Cisco Firewall Services Module (FWSM), Cisco Industrial Security Appliance 3000, and Cisco PIX Firewalls.
The Equation Group’s original ASA exploit found in the data dump targeted only version 8.4(4) of the software. Researchers from Silent Signal in Hungary, however, extended the original exploit to cover newer versions of ASA up to 9.2(4), released a year ago.
EXTRABACON was analyzed shortly following the ShadowBrokers’ disclosure by a researcher known as Xorcat, who confirmed that the Equation Group exploit for version 8.4(4) of the firewall appliance did indeed provide remote unauthenticated access over SSH or telnet.
“We analyzed the leaked exploit and compared the shellcode for different versions. Then we started to test the exploit in our lab while comparing the firmware binaries of supported and unsupported versions,” said Silent Signal co-founder Balint Varga-Perke. “The main task (apart from setting up the test environment) was mainly to map the targeted code parts of the supported binary to the unsupported one, understand and fix up the leaked shellcode.”
Prior to today’s patches, Cisco had provided its customers with IPS and Snort signatures that detect attempts to exploit the vulnerability.