Remediation Recommendation
On August 15, 2016, following the release of information from the ‘Shadow Broker’ group, Cisco was alerted to a vulnerability affecting its ASA and PIX firewalls. As of yesterday (17 August), Cisco has released an official vulnerability advisory on its website (see the references below for further information).
The vulnerability is a buffer overflow (memory overflow) affecting the code relating to SNMP (Simple Network Management Protocol). For this vulnerability to be a risk to an organization, SNMP would need to be enabled and accessible either internally or externally.
Additionally, an attacker would need to know either the read-only or read-write SNMP community string to be able to execute the attack. These strings can be identified through live enumeration (sending repeated requests using different community strings until one is accepted). This activity is something that organizations should monitor for over the next few days, or until a patch is released and implemented.
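To monitor for the community-string enumeration described above, a defender can count how many distinct community strings each source address has tried against the firewall's SNMP service. The following is an added example (not code from the advisory or from Cisco); it assumes a hypothetical, constructed syslog-style line format of the form `snmp-authfail src=<ip> community=<string>`, so the regular expression would need adjusting to whatever your firewall or collector actually emits.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (not Cisco's own):
# one SNMP authentication failure per line, with source IP and the
# community string that was rejected.
SAMPLE_LOGS = """\
2016-08-17T10:00:01 snmp-authfail src=203.0.113.5 community=public
2016-08-17T10:00:01 snmp-authfail src=203.0.113.5 community=private
2016-08-17T10:00:02 snmp-authfail src=203.0.113.5 community=cisco
2016-08-17T10:00:02 snmp-authfail src=203.0.113.5 community=admin
2016-08-17T10:00:03 snmp-authfail src=203.0.113.5 community=monitor
2016-08-17T10:00:05 snmp-authfail src=198.51.100.7 community=public
2016-08-17T10:00:09 snmp-authfail src=198.51.100.7 community=public
2016-08-17T10:00:12 snmp-authfail src=192.0.2.9 community=public
2016-08-17T10:00:13 snmp-authfail src=192.0.2.9 community=private
2016-08-17T10:00:14 some-other-event src=192.0.2.9 detail=ignored
"""

LINE_RE = re.compile(r"snmp-authfail src=(?P<src>\S+) community=(?P<community>\S+)")

def distinct_communities_per_source(log_text):
    """Map each source IP to the set of distinct community strings it tried."""
    tried = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:  # lines that are not SNMP auth failures are skipped
            tried[match["src"]].add(match["community"])
    return tried

def flag_enumeration(log_text, threshold=3):
    """Return source IPs that tried at least `threshold` distinct strings.

    A single misconfigured NMS typically repeats the same wrong string;
    a guessing attempt cycles through many different ones.
    """
    tried = distinct_communities_per_source(log_text)
    return sorted(src for src, strings in tried.items() if len(strings) >= threshold)

if __name__ == "__main__":
    for src in flag_enumeration(SAMPLE_LOGS):
        print(f"possible SNMP community-string enumeration from {src}")
```

Tune the threshold to your environment; repeated failures with one string usually indicate a misconfigured management host rather than guessing.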
Which products are affected?
The following Cisco product lines are affected, with all software versions confirmed as vulnerable:
Because the ‘Shadow Broker’ group released several scripts and tools along with the disclosure of this vulnerability, there is now a working exploit in the public domain. This exploit can be used to remove the username and password authentication requirement.
Currently, the ‘enable’ password is still required following execution of the exploit, although the released tools and scripts also contain information on how to obtain the ‘enable’ password. Therefore, having an ‘enable’ password should not be considered a valid mitigating control.
Cisco has not yet released suitable patches or updates for its products, as the vulnerability was disclosed as a zero-day. However, there are several workarounds that can be considered as compensating controls.
In order of priority, our experts recommend the following:
As per its advisory, Cisco is actively working on a security patch for affected products, although it is not yet clear when it will become available.
For further information, please contact our security experts. If you are a client, please raise a ticket within the SureCloud Platform or email our support team.