Cisco ASA and PIX firewall zero-day vulnerability (CVE-2016-6366)

Overview

On August 15, 2016, following the release of information from the ‘Shadow Broker’ group, Cisco was alerted to a vulnerability affecting its ASA and PIX firewalls. As of yesterday (17 August) Cisco has released an official vulnerability advisory on their website (see the references below for further information).

What is the vulnerability?

The vulnerability is a buffer overflow (memory overflow) affecting the code relating to SNMP (Simple Network Management Protocol). For this vulnerability to be a risk to an organization, SNMP would need to be enabled and accessible either internally or externally.

Additionally, an attacker would need to know either the read-only or read-write SNMP community strings to be able to execute the attack. These can be identified through live-enumeration (by sending repeated requests using different community strings). This is something that organizations should monitor over the next few days or until a patch is released and implemented.

Which products are affected?

The following product lines are affected from Cisco, with all software versions confirmed as vulnerable:

• Cisco ASA 5500 Series Adaptive Security Appliances
• Cisco ASA 5500-X Series Next-Generation Firewalls
• Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Cisco ASA 1000V Cloud Firewall
• Cisco Adaptive Security Virtual Appliance (ASAv)
• Cisco Firepower 9300 ASA Security Module
• Cisco PIX Firewalls
• Cisco Firewall Services Module (FWSM)

Exploitation in the public domain

Due to the ‘Shadow Broker’ group releasing several scripts and tools resulting in this vulnerability being disclosed, there is now a working exploit in the public domain. This exploit can be used to remove the username and password authentication requirement.

Currently the ‘enable’ password is still required following the execution of the exploit, although there is information within the released tools and scripts with information on how to obtain the ‘enable’ password. Therefore having an ‘enable’ password should not be considered a valid control for mitigation.

Vulnerability remediation

Cisco has not yet released suitable patches or updates for their products due to the vulnerability being a zero-day disclosure. However, there are several workarounds that can be considered as compensating controls.

SureCloud security experts’ recommendations

In order of priority, our experts recommend the following:

• Disable or filter SNMP (UDP Port 161) on affected product infrastructure.
• Ensure that you are not exposing SNMP to the public Internet under any circumstances.
• Disable Telnet (Default Port 23), and filter SSH (Default Port 22) to trusted management networks.
• Set strong, complex community strings (both for read-only and read-write). Additionally, ensure that these are regularly changed as an organisation would with passwords.

As per their advisory information, Cisco is actively working on a security-patch for affected products, although it is not yet clear when these will become available.

Get in touch

For further information, please contact our security experts. If you are a client, please raise a ticket within the SureCloud Platform or email our support team.​

References

• Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
• XORcat Blog Post: https://xorcat.net/2016/08/16/equationgroup-tool-leak-extrabacon-demo/