Networks Training

ExtraBacon Cisco ASA Vulnerability

cisco-asa-extrabacon

A new serious vulnerability was discovered on Cisco ASA devices, called “EXTRABACON”, and was recently patched by Cisco by releasing several software updates for the device.

You need to carefully read the following security advisory (CVE-2016-6366) from Cisco and patch your devices as soon as possible. At the end of the article above there is a table with software versions which fix the security weakness (see also screenshot below):

extrabacon-asa-update-versions

source: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

If you have an older ASA version (7.x or 8.x) it’s a great opportunity now to update to the newest 9.x (actually you will need to update to 9.1.7(9) or later to fix the problem). Just make sure that your ASA device has the required minimum RAM memory size to support the new software release.

The vulnerability affects all versions of SNMP (1,2c,3) and is based on a buffer overload weakness which allows an attacker to take full control of the firewall device.

MORE READING:  Cisco Firewall Service Module - FWSM

Almost all Cisco ASA products and models (ASA 5500, ASA 5500-X, 1000v, service module on 6500 switches, Firepower models etc) are affected by this vulnerability.

The same vulnerability affects also other firewall vendors such as Juniper and Fortinet and has been linked to National Security Agency (NSA).

The exploit code (ExtraBacon) and the vulnerability were disclosed by a group called “Shadow Brokers” who claim that they hacked another advanced hacking group (“Equation Group”) which is believed to be connected with NSA.

Workaround for the vulnerability

As I described in a previous article about Security Hardening for Cisco devices, at point #10 in the article I suggest to Restrict and Secure SNMP access so that only limited management computers can have SNMP communication with the device. Although the article above refers mainly to Cisco Routers and Switches, the same security practice of SNMP protection applies also to ASA firewalls and any other network appliance with SNMP enabled.

MORE READING:  Cisco ASA Multiple Context Mode – Configuring Virtual Firewalls on Same Chassis

In order for the “ExtraBacon” vulnerability to be exploited, an attacker must have SNMP access to the ASA firewall. Therefore, by properly restricting SNMP access to only a few trusted internal computers, you immediately “raise the bar” for an attacker to take control of the device.

Here is how to configure SNMP on Cisco ASA firewalls:

ASA(config)# snmp-server enable 
ASA(config)# snmp-server host inside 192.168.1.1 community F$3dgh-2^[email protected]
ASA(config)# snmp-server community F$3dgh-2^[email protected]

The above creates a community string or F$3dgh-2^[email protected] and allows only host 192.168.1.1 from the “inside” zone to communicate with SNMP.

More info on Cisco ASA SNMP configuration below:

https://www.networkstraining.com/how-to-configure-snmp-on-cisco-asa-5500-firewall/

 

Filed Under: Cisco ASA General

Leave a Reply

Your email address will not be published. Required fields are marked *

About Networks Training

We Provide Technical Tutorials and Configuration Examples about TCP/IP Networks with focus on Cisco Products and Technologies. This blog entails my own thoughts and ideas, which may not represent the thoughts of Cisco Systems Inc. This blog is NOT affiliated or endorsed by Cisco Systems Inc. All product names, logos and artwork are copyrights/trademarks of their respective owners.

Suggested Cisco Training

CISCO CERTIFICATION TRAINING
CISCO CCNA 200-120 TRAINING
CCNA SECURITY 640-554 TRAINING
CCENT ICND1 TRAINING
CISCO ICND2 TRAINING
CISCO CCNP TRAINING