Cisco starts publishing fixes for EXTRABACON exploit

Starting last Wednesday, Cisco has begun publishing fixes for the SNMP RCE flaw in the software of its Adaptive Security Appliances (ASA), which can be triggered through the EXTRABACON exploit leaked by the Shadow Brokers.

The exploit was initially thought to work only on versions 8.4.(4) and earlier of the ASA firewalls, but researchers have recently discovered that with small modifications, the exploit can be made to work on more recent versions of the appliance.

EXTRABACON exploits a zero-day buffer overflow vulnerability (CVE-2016-6366) in the SNMP code of the Cisco ASA, Cisco PIX, and Cisco Firewall Services Module. It allows attackers to execute arbitrary code and obtain full control of the system if certain requirements are met first (the affected device must be configured for SNMP with the snmp-server enable command, the attacker must know the SNMP community string).

Given that the exploit is now public, and modification trivial to hackers who know what to do, it’s just a matter of time until the exploit is widely used by different attackers. Many have already started.

So if you are a user of this particular Cisco product, now is the time to check for fixed software releases and implement them, if possible.

If it’s not possible, the company has also provided workarounds, a Snort rule and a Legacy Cisco IPS Signature that should help with detecting exploitation of the issue, so use those to minimize risk.

The SNMP RCE flaw also affects Cisco Firewall Service Modules and Cisco PIX Firewalls, but their software is no longer supported.

“Further investigations into these devices will not be performed, and fixed software will not be made available,” the company announced.