Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-6366 |
CWE-ID | CWE-119 |
Exploitation vector | Network |
Public exploit | This vulnerability is being exploited in the wild. |
Vulnerable software |
Cisco ASA 5500 | Hardware solutions / Security hardware appliances |
Cisco ASA 5580 | Hardware solutions / Security hardware appliances |
Cisco Catalyst 6500 Series ASA Services Module | Hardware solutions / Security hardware appliances |
Cisco ASA 5500-X Series | Hardware solutions / Security hardware appliances |
Cisco ASA 1000V Cloud Firewall | Hardware solutions / Security hardware appliances |
Cisco ASA Series | Hardware solutions / Security hardware appliances |
Vendor | Cisco Systems, Inc |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU324
Risk: Critical
CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2016-6366
CWE-ID: CWE-119 - Memory corruption
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when handling SNMP packets. A remote attacker with knowledge of the SNMP community string can trigger a buffer overflow and cause the target device to reload or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in full compromise of the affected system.
The following models of CISCO ASA appliances are affected:
Note: this is a zero-day vulnerability, discovered after the security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred to as the EXTRABACON exploit.
Mitigation
Install patches from the vendor's website.
Cisco ASA 5500: 7.2.5 - 8.4.x
Cisco ASA 5580: 8.1.2
Cisco Catalyst 6500 Series ASA Services Module: All versions
Cisco ASA 5500-X Series: 8.6.x
Cisco ASA 1000V Cloud Firewall: 8.7.1
Cisco ASA Series: 9.0.x - 9.6.x
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
https://blogs.cisco.com/security/shadow-brokers
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.