A new serious vulnerability was discovered on Cisco ASA devices, called “EXTRABACON”, and was recently patched by Cisco by releasing several software updates for the device.
You need to carefully read the following security advisory (CVE-2016-6366) from Cisco and patch your devices as soon as possible. At the end of the article above there is a table with software versions which fix the security weakness (see also screenshot below):
If you have an older ASA version (7.x or 8.x) it’s a great opportunity now to update to the newest 9.x (actually you will need to update to 9.1.7(9) or later to fix the problem). Just make sure that your ASA device has the required minimum RAM memory size to support the new software release.
The vulnerability affects all versions of SNMP (1,2c,3) and is based on a buffer overload weakness which allows an attacker to take full control of the firewall device.
Almost all Cisco ASA products and models (ASA 5500, ASA 5500-X, 1000v, service module on 6500 switches, Firepower models etc) are affected by this vulnerability.
The same vulnerability affects also other firewall vendors such as Juniper and Fortinet and has been linked to National Security Agency (NSA).
The exploit code (ExtraBacon) and the vulnerability were disclosed by a group called “Shadow Brokers” who claim that they hacked another advanced hacking group (“Equation Group”) which is believed to be connected with NSA.
Workaround for the vulnerability
As I described in a previous article about Security Hardening for Cisco devices, at point #10 in the article I suggest to Restrict and Secure SNMP access so that only limited management computers can have SNMP communication with the device. Although the article above refers mainly to Cisco Routers and Switches, the same security practice of SNMP protection applies also to ASA firewalls and any other network appliance with SNMP enabled.
In order for the “ExtraBacon” vulnerability to be exploited, an attacker must have SNMP access to the ASA firewall. Therefore, by properly restricting SNMP access to only a few trusted internal computers, you immediately “raise the bar” for an attacker to take control of the device.
Here is how to configure SNMP on Cisco ASA firewalls:
The above creates a community string or F$3dgh-2^[email protected] and allows only host 192.168.1.1 from the “inside” zone to communicate with SNMP.
More info on Cisco ASA SNMP configuration below:
- Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)
- Cisco ASA 5500-X Firewall Security Levels Explained
- How to Block HTTP DDoS Attack with Cisco ASA Firewall
- How to Block Access to Websites with a Cisco ASA Firewall (with FQDN)
- DNS Doctoring – Access Internal WebSite using its public URL