Networks Training

You are here: Home / Cisco ASA General / ExtraBacon Cisco ASA Vulnerability

ExtraBacon Cisco ASA Vulnerability

cisco-asa-extrabacon

A new serious vulnerability was discovered on Cisco ASA devices, called “EXTRABACON”, and was recently patched by Cisco by releasing several software updates for the device.

You need to carefully read the following security advisory (CVE-2016-6366) from Cisco and patch your devices as soon as possible. At the end of the article above there is a table with software versions which fix the security weakness (see also screenshot below):

extrabacon-asa-update-versions

source: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

If you have an older ASA version (7.x or 8.x) it’s a great opportunity now to update to the newest 9.x (actually you will need to update to 9.1.7(9) or later to fix the problem). Just make sure that your ASA device has the required minimum RAM memory size to support the new software release.

The vulnerability affects all versions of SNMP (1,2c,3) and is based on a buffer overload weakness which allows an attacker to take full control of the firewall device.

MORE READING:  Access List & NAT on Cisco ASA Firewall-Order of Operation & Examples

Almost all Cisco ASA products and models (ASA 5500, ASA 5500-X, 1000v, service module on 6500 switches, Firepower models etc) are affected by this vulnerability.

The same vulnerability affects also other firewall vendors such as Juniper and Fortinet and has been linked to National Security Agency (NSA).

The exploit code (ExtraBacon) and the vulnerability were disclosed by a group called “Shadow Brokers” who claim that they hacked another advanced hacking group (“Equation Group”) which is believed to be connected with NSA.

Workaround for the vulnerability

As I described in a previous article about Security Hardening for Cisco devices, at point #10 in the article I suggest to Restrict and Secure SNMP access so that only limited management computers can have SNMP communication with the device. Although the article above refers mainly to Cisco Routers and Switches, the same security practice of SNMP protection applies also to ASA firewalls and any other network appliance with SNMP enabled.

MORE READING:  Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)

In order for the “ExtraBacon” vulnerability to be exploited, an attacker must have SNMP access to the ASA firewall. Therefore, by properly restricting SNMP access to only a few trusted internal computers, you immediately “raise the bar” for an attacker to take control of the device.

Here is how to configure SNMP on Cisco ASA firewalls:

ASA(config)# snmp-server enable 
ASA(config)# snmp-server host inside 192.168.1.1 community F$3dgh-2^[email protected]
ASA(config)# snmp-server community F$3dgh-2^[email protected]

The above creates a community string or F$3dgh-2^[email protected] and allows only host 192.168.1.1 from the “inside” zone to communicate with SNMP.

More info on Cisco ASA SNMP configuration below:

https://www.networkstraining.com/how-to-configure-snmp-on-cisco-asa-5500-firewall/

 

Related Posts

Filed Under: Cisco ASA General

Download Free Cisco Commands Cheat Sheets

Enter your Email below to Download our Free Cisco Commands Cheat Sheets for Routers, Switches and ASA Firewalls.

We use Elastic Email as our marketing automation service. By submitting this form, you agree that the information you provide will be transferred to Elastic Email for processing in accordance with their Terms of Use and Privacy Policy. Also, you allow me to send you informational and marketing emails from time-to-time.

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Amazon Disclosure

As an Amazon Associate I earn from qualifying purchases.
Amazon and the Amazon logo are trademarks of Amazon.com, Inc. or its affiliates.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING

BLOGROLL

Tech21Century
Firewall.cx