A Vulnerability in Cisco Firewall Products Could Allow for Remote Code Execution
MS-ISAC ADVISORY NUMBER:2016-122
A vulnerability has been discovered in the Simple Network Management Protocol (SNMP) code of Cisco Firewall products, which could allow for remote code execution. Successful exploitation could allow an unauthenticated user to take control of the affected system and perform unauthorized actions. Failed attempts may result in denial of service conditions.
This vulnerability has been publicly disclosed and a tool exists to perform the exploit. There are currently no reports of this vulnerability being exploited in the wild.
Systems Affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco PIX Firewalls
- Cisco Firewall Services Module (FWSM)
- Cisco Industrial Security Appliance 3000
- Cisco Firepower Threat Defense Software
- Cisco Firepower 4100 Series
Risk:
- Large and medium government entities: HIGH
- Small government entities: HIGH
- Large and medium business entities: HIGH
- Small business entities: HIGH
Technical Summary:
Cisco firewall products are vulnerable to a buffer overflow in the SNMP code, which allows for remote code execution. An attacker with knowledge of the device's community string can send maliciously crafted packets to the system and execute code remotely on it. Failed attempts may crash the device, resulting in denial of service conditions.
This vulnerability is associated with stolen exploits and tools taken from the Equation Group. The exploit is built into a tool referred to as ExtraBacon, which allows for point-and-click exploitation if all required details are known.
August 25 - UPDATED
Originally this exploit was designed to work against ASA versions up to 8.4(4), but it has been successfully modified to affect version 9.2(4). The process of modifying the exploit was described as surprisingly easy, and a walkthrough guide was provided for making these modifications. As a result, modification for other newer ASA versions is extremely likely.
Work Arounds/Mitigating Details:
Most of the products listed above that are affected by this vulnerability are End of Life or End of Support. Cisco has indicated that it will be releasing fixes for supported products.
The attacker must know the device's SNMP community strings in order to successfully launch the attack. Community strings are a password equivalent on firewall devices that restrict both read-only and read-write access to the SNMP data on the device. Per Cisco, best practices indicate that community strings should be carefully chosen to ensure that they are not trivial, and that they should be changed at regular intervals and in accordance with network security policies.
It is recommended that affected devices be configured to allow SNMP access only from trusted users and hosts, using the snmp-server host command, and that these systems be monitored.
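As an added illustration that is not part of this advisory or of Cisco's documentation, the constructed ASA configuration below contrasts a weak SNMP setup with one restricted along the lines the advisory recommends. Interface names, addresses, group and user names, and the credential placeholders are assumptions for the example only.

```cisco
! --- WEAK (constructed example): trivial, shared community string, polled
! --- over the outside interface from an address outside the management network
snmp-server community public
snmp-server host outside 203.0.113.50 community public version 2c

! --- HARDENED (constructed example)
! Remove the trivial SNMPv1/v2c community string entirely
no snmp-server community public
no snmp-server host outside 203.0.113.50

! SNMPv3 group requiring authentication and encryption (authPriv)
snmp-server group SNMP-RO-GRP v3 priv

! SNMPv3 user; replace the placeholders with long, unique secrets stored in
! your credential vault, and rotate them per your security policy
snmp-server user nms-poller SNMP-RO-GRP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER

! Only the named management host, reached via the inside interface, may poll
snmp-server host inside 10.10.0.25 version 3 nms-poller

! Send authentication-failure traps so failed SNMP access attempts reach monitoring
snmp-server enable traps snmp authentication

! Verify the resulting SNMP configuration before saving
show running-config snmp-server
```

The same effect can be approximated with SNMPv2c by keeping only a non-trivial community string and a single inside-interface snmp-server host entry, but SNMPv3 authPriv removes the community string as the sole secret.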
At this time no patches have been released by Cisco addressing this vulnerability.
Recommendations:
We recommend the following actions be taken:
- Install updates once released by Cisco after appropriate testing.
- Verify that no unauthorized system modifications have occurred on the system before applying the patch.
- Ensure the enable password is set on the devices in order to prevent privileged access.
- Monitor intrusion detection systems for any signs of anomalous activity.
- Unless required, limit external network access to affected products.