Thousands of Cisco ASA firewalls are still at risk from a security flaw despite Cisco rolling out a patch to fix the problem.
The exploit, dubbed Extrabacon, is an authentication bypass exploit that is alleged to have been created by the US National Security Agency (NSA).
The exploit was found in a cache of Equation Group tools leaked by a hacking group known as the Shadow Brokers. According to a blog post by Rapid7, security researchers at SilentSignal noted that it was possible to modify the Extrabacon exploit from the initial dump to work on newer Cisco ASA devices, meaning that virtually all ASA devices running versions 8.x to 9.2(4) are vulnerable. The Equation Group is thought to be a part of the NSA that launches attacks.
According to Derek Abdine and Bob Rudis, while a patch has been rushed out by Cisco, thousands of Cisco devices remain unpatched and vulnerable to attack. The pair discovered that, in a scan of 50,000 devices on the internet, only 10,097 had rebooted to get the patch on offer. Another 28,000 were not updated. Around 12,000 devices refused to provide timestamp information, so it is not known whether these routers are patched or not.
The researchers said that among the organisations with vulnerable routers were a UK government agency, a large UK financial services company, four large US firms and a Japanese telecoms company.
It has to be said that exploiting Extrabacon is not an easy thing to do, despite it being a critical vulnerability, according to the researchers. This is because the ASA device must have SNMP enabled, and an attacker must be able to reach the device over UDP SNMP and know the SNMP community string. An attacker must also have telnet or SSH access to the device.
“This generally makes the Extrabacon attack something that would occur within an organization's network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit,” the researchers said in a blog post.
"Even though there's a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments," the pair added.
The researchers warned organisations that the flaw is a “pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.”
The pair added that organisations may want to ensure they have the most up-to-date inventory of what Cisco ASA devices they are using, where they are located and the security configurations on the network segments with access to them.
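The scan described above could only infer patch status from whether a device had rebooted since the fixed image became available, and the inventory advice in the previous paragraph is what turns that inference into a patching queue. The following script is an added example, not code from Rapid7, Cisco or the article, that applies the same logic to an internal ASA inventory: it parses ASA version strings, checks them against the 8.x to 9.2(4) range the article quotes, classifies each device as unpatched, rebooted after the patch, or unknown (no timestamp, like the 12,000 devices in the scan), and ranks unpatched devices by whether SNMP is enabled and whether they face the internet. The device records, the hostnames and the patch date constant are constructed placeholders; the page gives no date for the fixed images, so that constant must be replaced with the date from Cisco's advisory before use.

```python
"""Triage an ASA inventory against the Extrabacon advisory.

Added example; the inventory below is constructed, not real scan data.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Version range the article quotes as vulnerable: 8.x up to and including 9.2(4).
RANGE_LOW = (8, 0, 0)
RANGE_HIGH = (9, 2, 4)

# PLACEHOLDER: the page gives no date for the fixed images. Take the real one
# from Cisco's advisory before using this for anything.
PATCH_DATE_PLACEHOLDER = datetime(2016, 1, 1, tzinfo=timezone.utc)

# ASA version strings look like 9.2(4) or 9.1(7)12: major.minor(maintenance)[interim].
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\((\d+)\)(\d*)\s*$")


def parse_asa_version(text):
    """Return (major, minor, maintenance, interim) so versions compare in release order."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ASA version string: {text!r}")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def version_in_quoted_range(version):
    """True when the release falls inside the range the article names."""
    return RANGE_LOW <= version[:3] <= RANGE_HIGH


def patch_status(device, patch_date):
    """Classify a device the way the scan did: a reboot after the fixed image
    became available is the only outside evidence of patching; no timestamp
    means the status is unknown."""
    version = parse_asa_version(device["version"])
    if not version_in_quoted_range(version):
        return "outside-quoted-range"
    rebooted = device.get("last_reboot")
    if rebooted is None:
        return "unknown"
    if rebooted >= patch_date:
        return "rebooted-after-patch"
    return "unpatched"


def priority(device, status):
    """Rank remediation. SNMP enabled is the exploit's first precondition, and the
    article puts internet-facing devices at the top; an unpatched device with SNMP
    disabled still needs the patch, just with less urgency."""
    if status != "unpatched":
        return "low"
    if device.get("snmp_enabled") and device.get("internet_facing"):
        return "high"
    if device.get("snmp_enabled"):
        return "medium"
    return "low"


def triage(inventory, patch_date=PATCH_DATE_PLACEHOLDER):
    """Return one row per device with its status and remediation priority."""
    rows = []
    for dev in inventory:
        status = patch_status(dev, patch_date)
        rows.append({"host": dev["host"], "status": status,
                     "priority": priority(dev, status)})
    return rows


def summarise(rows):
    """Count devices per status, mirroring the patched/unpatched/unknown split in the scan."""
    return dict(Counter(r["status"] for r in rows))


# Constructed sample inventory (hostnames, versions and dates are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "version": "9.2(4)",
     "last_reboot": datetime(2015, 11, 2, tzinfo=timezone.utc),
     "snmp_enabled": True, "internet_facing": True},
    {"host": "fw-dc-2", "version": "9.1(7)12",
     "last_reboot": datetime(2016, 3, 9, tzinfo=timezone.utc),
     "snmp_enabled": True, "internet_facing": False},
    {"host": "fw-lab-3", "version": "8.4(7)", "last_reboot": None,
     "snmp_enabled": False, "internet_facing": False},
    {"host": "fw-branch-4", "version": "9.4(1)",
     "last_reboot": datetime(2015, 6, 1, tzinfo=timezone.utc),
     "snmp_enabled": True, "internet_facing": True},
    {"host": "fw-core-5", "version": "9.0(4)",
     "last_reboot": datetime(2015, 12, 20, tzinfo=timezone.utc),
     "snmp_enabled": False, "internet_facing": False},
]

if __name__ == "__main__":
    rows = triage(SAMPLE_INVENTORY)
    for r in rows:
        print(f"{r['host']:<12} {r['status']:<22} {r['priority']}")
    print(summarise(rows))
```

A device outside the quoted range is reported as such rather than as safe, because the article only establishes the 8.x to 9.2(4) range; the version check and the reboot timestamp are the two inputs a scan can observe, while the SNMP and internet-facing flags come from the organisation's own inventory and configuration records.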
“As always when it comes to taking action in response to vulnerability advisories, organizations must have an inventory of critical assets so they can identify affected infrastructure, and prioritize patching and mitigation activities. In particular, devices that face the internet, protect sensitive data or handle connections from third parties should take priority,” Lyndon Sutherland, senior threat and intelligence analyst at IBM X-Force wrote in a blog.
“Audits of logs and network activity can help determine if you've already been compromised,” he added. “This would enable you to activate your incident response plan as soon as possible, hopefully before data is stolen or destroyed.”