Cisco releases patches for vulnerabilities used in NSA exploits

Cisco has released patches for vulnerabilities in its ASA firewalls. These came to light through the publication of several exploits by a group called Shadowbrokers. The exploits come from the American NSA.

In an update of an earlier message, Cisco writes that it has started releasing patches for the so-called ExtraBacon exploit. The vulnerability with attribute cve-2016-6366 allowed an attacker to take control of an ASA firewall through a special snmp package. In addition, the attacker must already have control over the network, a Cisco employee previously explained to Threatpost.

Initially, the exploit only appeared to work on versions 8.4(4) and below of the firewall software. However, this week the Hungarian security company Silent Signal found out that ExtraBacon is easy to adapt to also be applied to newer versions of the software. The company was able to get the exploit working until version 9.2(4) of the software, which revealed a greater number of ASA firewalls to be vulnerable. Silent Signal says it will not release newer versions of the exploit on Thursday until patches are available. Cisco has published a timeline for the expected patches, with most updates scheduled for this week.

The exploits, including ExtraBacon, came to light early last week when the Shadowbrokers posted a message on GitHub. In it, they claimed that the exploits came from the Equation Group, which is linked to the NSA. The group also announced that it would offer “even better software” through an auction. So far, however, there has been no further communication about this and only slightly less than 900 euros has been transferred to the specified bitcoin address. The exploits are written for equipment from Cisco, Fortinet and Juniper, among others. Some of these companies recently published a warning about the Shadowbrokers files.