The danger of the NSA-linked EXTRABACON exploit grew after researchers found an easy way to modify the SNMP exploit to be effective against newer versions of Cisco's ASA software.
EXTRABACON, released earlier this month as part of the Shadow Brokers' dump of National Security Agency cyberweapons, was described by Cisco as an exploit targeting a buffer overflow vulnerability in the Simple Network Management Protocol (SNMP) code used in Cisco's Adaptive Security Appliance (ASA) software.
Cisco admitted the underlying vulnerability could be found in all supported versions of SNMP; therefore, all Cisco ASA software releases were also affected. But preliminary research indicated EXTRABACON was designed to be effective against Cisco ASA versions 8.4(4) and earlier.
Silent Signal LLC, a cybersecurity company based in Budapest, Hungary, proved the EXTRABACON code was modular and could easily be modified to make the SNMP exploit work on all Cisco ASA software.
While the SNMP exploit affects all devices running Cisco ASA software, Cisco noted "the attacker must launch the attack from a network residing on that interface. Crafted SNMP traffic coming from any other interface -- outside or inside -- cannot trigger this vulnerability."
Thomas McCarthy, principal security consultant for Nuix, based in Herndon, Va., noted that while successful attacks had to be initiated from within the network, small companies with immature information security programs could still be at higher risk.
"Many of the conditions required to successfully exploit this vulnerability are present. And with tools such as Shodan that scour and map out the internet, it will be trivial for malicious entities to find companies that are vulnerable," McCarthy told SearchSecurity. "This exploit could seriously hurt certain industries or economies in some parts of the world."
Leroy Terrelonge III, regional threat intelligence analyst for Flashpoint, based in New York, said the dangers of an effective SNMP exploit are serious.
"A remote attacker could reboot the system or take complete control of it by causing a buffer overflow in the vulnerable code function," Terrelonge told SearchSecurity. "With this control, attackers could disable the firewall, enabling them to access and pass malware to computers on the targeted network through specifically crafted Simple Network Management Protocol packets to the vulnerable firewall."
Cisco's advisory for the SNMP exploit said patches are planned for rollout Thursday and Friday, and it suggested system administrators can mitigate the issue by allowing only trusted users to have SNMP access and by monitoring affected systems using the snmp-server host command.
"The attacker must know the community strings to successfully launch an attack against an affected device. Community strings are passwords that are applied to an ASA device to restrict both read-only and read-write access to the SNMP data on the device," Cisco wrote. "These community strings, as with all passwords, should be carefully chosen to ensure they are not trivial. Community strings should be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the company."
McCarthy said attackers need to line up several conditions to successfully use the SNMP exploit.
"By making sure the SNMP and SSH/Telnet services are accessible only to those that need to administrate the firewalls, you severely limit the ability to use this exploit. It also does not bypass what is known as the enable password, an additional authentication required for changing system configuration," McCarthy said. "Finally, you need to already have read access to the SNMP service. By making sure you use a strong, randomly generated community string -- password for SNMP -- it will hamper the ability to use this exploit."
However, Silent Signal noted even these mitigations may not be enough.
"SNMP is a [User Datagram Protocol] that allows trivial source address spoofing. You should keep this in mind when designing [or] reviewing network-level workarounds," Silent Signal wrote. "Community strings are transferred in plain text on the network. We don't expect the common community strings (like public) to go away any time soon, either."
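The mitigations above (restrict which hosts may poll SNMP, avoid trivial community strings, and remember that SNMPv1/v2c community strings travel in plain text over UDP) can be checked mechanically against a saved running-config. The following audit script is an added example and is not from the article, Cisco or Silent Signal. The two config fragments are constructed for illustration; the `snmp-server` command syntax follows the ASA commands as generally documented and should be checked against the command reference for the release in use, and the minimum community-string length is an arbitrary policy threshold of this example, not a Cisco figure.

```python
"""Audit a Cisco ASA-style configuration for the SNMP hardening points discussed above."""

# Constructed config fragments (not captured from a real device).
# WEAK_CONFIG: default community string, polled over SNMPv2c.
WEAK_CONFIG = """\
snmp-server host inside 10.0.0.0 community public version 2c
snmp-server community public
snmp-server enable
"""

# HARDENED_CONFIG: SNMPv3 with authentication and privacy, a single named
# management host, no v1/v2c community string at all. Passwords are placeholders.
HARDENED_CONFIG = """\
snmp-server group MGMT-V3 v3 priv
snmp-server user netmon MGMT-V3 v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 128 PRIV-PASS-PLACEHOLDER
snmp-server host inside 10.10.20.5 poll version 3 netmon
snmp-server enable
"""

# Default or guessable community strings that internet-wide scanners try first.
COMMON_COMMUNITIES = {"public", "private", "cisco", "admin", "community"}
MIN_COMMUNITY_LEN = 16  # assumption: this example's own policy threshold


def is_weak_community(community):
    """A community string is weak if it is a well-known default or too short."""
    return community.lower() in COMMON_COMMUNITIES or len(community) < MIN_COMMUNITY_LEN


def _value_after(parts, keyword):
    """Return the token following `keyword` in a split config line, or None."""
    try:
        return parts[parts.index(keyword) + 1]
    except (ValueError, IndexError):
        return None


def audit_snmp_config(config):
    """Return a list of human-readable findings for the snmp-server lines in `config`.

    Note: an snmp-server host restriction matches on source IP only. Because SNMP
    runs over UDP, the source address can be spoofed, so this filter should be
    combined with limiting SNMP to a management interface, as the article notes.
    """
    findings = []
    host_lines = []
    enabled = False

    for raw in config.splitlines():
        parts = raw.strip().split()
        if len(parts) < 2 or parts[0] != "snmp-server":
            continue

        if parts[1] == "enable" and len(parts) == 2:
            enabled = True
        elif parts[1] == "community":
            community = _value_after(parts, "community")
            if community and is_weak_community(community):
                findings.append(f"weak global community string {community!r}")
        elif parts[1] == "host" and len(parts) >= 4:
            host = parts[3]
            host_lines.append(parts)
            community = _value_after(parts, "community")
            if community and is_weak_community(community):
                findings.append(f"weak community string {community!r} for host {host}")
            version = _value_after(parts, "version")
            if version in ("1", "2c"):
                findings.append(
                    f"host {host} polled with SNMPv{version}: community string sent in plain text"
                )

    if enabled and not host_lines:
        findings.append("SNMP enabled with no snmp-server host restriction")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_snmp_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Running the script reports three findings for the weak fragment (a default community string on both the global and the host line, and plain-text SNMPv2c polling) and none for the SNMPv3 fragment. The script only reads configuration text, so it can be run against exported configs without touching the device.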