August 31, 2016 By Lyndon Sutherland 3 min read

EXTRABACON and EPICBANANA sound like something you might find on the menu at your local drive-thru, but they are actually names given to exploit code targeting vulnerabilities in Cisco ASA and PIX devices and the Firewall Services Module.

The exploits came to light in a large dump of code by an entity going under the name of the Shadow Brokers. Cisco published two security advisories to address these vulnerabilities.

Want Some EXTRABACON?

EXTRABACON (CVE-2016-6366) is a vulnerability in versions 1, 2c and 3 of the Simple Network Management Protocol (SNMP) contained in various versions of Cisco ASA, ASAv, Firepower, FWSM, ISA and PIX products. An affected product would need to have SNMP enabled and the port (by default UDP 161) exposed to an attacker. An attacker would also need to know the configured SNMP community string.

The vulnerability is caused by improper bounds checking. A remote attacker can exploit it by sending specially crafted SNMP packets. These packets may overflow a buffer, potentially resulting in the execution of arbitrary code on the system or causing the device to reload.

IBM X-Force released an advisory and a detection signature, both of which address this vulnerability.

How About an EPICBANANA?

EPICBANANA (CVE-2016-6367) affects Cisco’s ASA, PIX and FWSM. The vulnerability could allow a local authenticated attacker to connect using a protocol such as Telnet or SSH, and then execute arbitrary code or cause a denial-of-service (DoS) condition on a vulnerable system.

EPICBANANA is caused by an error in the command-line interface (CLI) parser. An attacker could exploit the vulnerability by invoking invalid commands.

Comes With Fries, Drink and Serious Security Problems

It is important to address these vulnerabilities because the exploits are publicly available and the affected devices are high-value targets. A breach of these devices can seriously damage an organization’s security posture. An attacker could expose weak perimeter security to access internal systems from the internet and expose sensitive data, such as payment card information or electronic health records.

The first step a security team should take is to determine if there are vulnerable devices within the organization’s infrastructure. Both advisories provide tables listing the affected and fixed versions of code.

In the case of the EPICBANANA vulnerability and ASA devices, some users may already be running secure versions of code since the vulnerability was first addressed in version 8.4(3). However, versions 8.5, 8.6, 8.7 and 9.0 are also affected.

The table below from the Cisco advisory regarding the EPICBANANA vulnerability shows the details:

| Cisco ASA Major Release | First Fixed Release |
|---|---|
| 7.2 | Affected, migrate to 8.4(3) or later |
| 8.0 | Affected, migrate to 8.4(3) or later |
| 8.1 | Affected, migrate to 8.4(3) or later |
| 8.2 | Affected, migrate to 8.4(3) or later |
| 8.3 | Affected, migrate to 8.4(3) or later |
| 8.4 | 8.4(3) |
| 8.5 | Affected, migrate to 9.0(1) or later |
| 8.6 | Affected, migrate to 9.0(1) or later |
| 8.7 | Affected, migrate to 9.0(1) or later |
| 9.0 | 9.0(1) |
| 9.1 | Not affected |
| 9.2 | Not affected |
| 9.3 | Not affected |
| 9.4 | Not affected |
| 9.5 | Not affected |
| 9.6 | Not affected |

The table from the Cisco advisory addressing the EXTRABACON vulnerability shows details of the affected and fixed versions:

| Cisco ASA Major Release | First Fixed Release |
|---|---|
| 7.2 | Affected; migrate to 9.1.7(9) or later |
| 8.0 | Affected; migrate to 9.1.7(9) or later |
| 8.1 | Affected; migrate to 9.1.7(9) or later |
| 8.2 | Affected; migrate to 9.1.7(9) or later |
| 8.3 | Affected; migrate to 9.1.7(9) or later |
| 8.4 | Affected; migrate to 9.1.7(9) or later |
| 8.5 | Affected; migrate to 9.1.7(9) or later |
| 8.6 | Affected; migrate to 9.1.7(9) or later |
| 8.7 | Affected; migrate to 9.1.7(9) or later |
| 9.0 | 9.0.4(40) ETA 8/25/2016 |
| 9.1 | 9.1.7(9) |
| 9.2 | 9.2.4(14) ETA 8/25/2016 |
| 9.3 | 9.3.3(10) ETA 8/26/2016 |
| 9.4 | 9.4.3(8) ETA 8/26/2016 |
| 9.5 | 9.5(3) |
| 9.6 | 9.6.1(11) / FTD 6.0.1(2) |
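The two advisory tables above are exactly what a security team needs to answer the first question in this article: which devices in the inventory are still running affected code. The script below is an added example written for this post, not code from Cisco or IBM X-Force. It encodes both tables, normalises the version notations seen in ASA "show version" output ("9.1(7)9", "9.1.7(9)", "9.1.7.9") into comparable tuples, and classifies each inventory entry against both advisories. It also treats PIX and FWSM as end-of-life platforms with no fix, and ranks internet-facing devices first, as the article recommends. The inventory records and their field names (host, platform, version, snmp_enabled, internet_facing) are constructed sample data, not a real environment.

```python
"""Triage a Cisco ASA inventory against the EPICBANANA (CVE-2016-6367) and
EXTRABACON (CVE-2016-6366) first-fixed tables from the Cisco advisories.

Added example for this article, not Cisco or IBM X-Force code. The inventory
below is constructed sample data; the version tables are copied from the
advisories as reproduced in the article.
"""
import re

# (status, target) per ASA major train. "migrate": the train is never fixed,
# move to target or later; "fixed": first fixed release on that train;
# "not_affected": nothing to do. The FTD 6.0.1(2) entry for 9.6 is not modelled.
EPICBANANA = {
    **dict.fromkeys(["7.2", "8.0", "8.1", "8.2", "8.3"], ("migrate", "8.4(3)")),
    "8.4": ("fixed", "8.4(3)"),
    **dict.fromkeys(["8.5", "8.6", "8.7"], ("migrate", "9.0(1)")),
    "9.0": ("fixed", "9.0(1)"),
    **dict.fromkeys(["9.1", "9.2", "9.3", "9.4", "9.5", "9.6"], ("not_affected", None)),
}
EXTRABACON = {
    **dict.fromkeys(["7.2", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5", "8.6", "8.7"],
                    ("migrate", "9.1.7(9)")),
    "9.0": ("fixed", "9.0.4(40)"), "9.1": ("fixed", "9.1.7(9)"),
    "9.2": ("fixed", "9.2.4(14)"), "9.3": ("fixed", "9.3.3(10)"),
    "9.4": ("fixed", "9.4.3(8)"), "9.5": ("fixed", "9.5(3)"),
    "9.6": ("fixed", "9.6.1(11)"),
}
EOL_PLATFORMS = {"PIX", "FWSM"}  # end of life: no fixed software will be released


def parse_asa_version(text):
    """Turn '9.1(7)9', '9.1.7(9)' or '9.1.7.9' into a comparable 4-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if len(parts) < 2:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return tuple((parts + [0, 0, 0, 0])[:4])


def assess(version, table):
    """Classify one running version against one advisory table."""
    v = parse_asa_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in table:
        return ("unknown", "train not in advisory table; consult Cisco")
    status, target = table[train]
    if status == "not_affected":
        return ("not affected", None)
    if status == "migrate":
        return ("vulnerable", f"migrate to {target} or later")
    # "fixed": anything at or above the first fixed release on this train is patched
    if v >= parse_asa_version(target):
        return ("fixed", None)
    return ("vulnerable", f"upgrade to {target} or later")


def triage(device):
    """Combine both advisories with exposure data into a patch priority."""
    host = device["host"]
    if device["platform"] in EOL_PLATFORMS:
        note = "end of life, no fix: restrict management/SNMP access or replace"
        return {"host": host, "epicbanana": ("vulnerable", note),
                "extrabacon": ("vulnerable", note), "priority": "high"}
    epic = assess(device["version"], EPICBANANA)
    extra = assess(device["version"], EXTRABACON)
    vulnerable = "vulnerable" in (epic[0], extra[0])
    # EXTRABACON needs SNMP reachable: with SNMP off the article's interim
    # mitigation is in place, but the code itself is still unpatched.
    if extra[0] == "vulnerable" and not device["snmp_enabled"]:
        extra = ("vulnerable", extra[1] + " (SNMP disabled: interim mitigation only)")
    if not vulnerable:
        priority = "low"
    elif device["internet_facing"]:
        priority = "high"  # internet-facing devices go first, per the article
    else:
        priority = "medium"
    return {"host": host, "epicbanana": epic, "extrabacon": extra, "priority": priority}


INVENTORY = [  # constructed sample data, not a real inventory
    {"host": "fw-edge-1", "platform": "ASA", "version": "9.1(7)9", "snmp_enabled": True, "internet_facing": True},
    {"host": "fw-edge-2", "platform": "ASA", "version": "9.4(3)6", "snmp_enabled": True, "internet_facing": True},
    {"host": "fw-dc-1", "platform": "ASA", "version": "8.4(2)", "snmp_enabled": False, "internet_facing": False},
    {"host": "fw-legacy", "platform": "PIX", "version": "8.0(4)", "snmp_enabled": True, "internet_facing": True},
]


def triage_inventory(devices=INVENTORY):
    """Return triage results with the most urgent devices first (stable sort)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((triage(d) for d in devices), key=lambda r: order[r["priority"]])


if __name__ == "__main__":
    for r in triage_inventory():
        print(f"{r['host']:<10} {r['priority']:<7} EPICBANANA={r['epicbanana']} EXTRABACON={r['extrabacon']}")
```

Version comparison is only meaningful within a single major train, which is why the tables are keyed by train and the tuple comparison is applied only to the "fixed" rows; "migrate" rows are reported as vulnerable regardless of interim number. Feeding this the output of a real asset inventory (one record per firewall) gives a ranked worklist for the patching and mitigation steps described in the rest of the article.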

Mitigating Cisco Vulnerabilities

Cisco released updates to address both vulnerabilities. IBM X-Force urged all organizations running vulnerable versions of code to upgrade as soon as possible. It is important to note that the PIX and FWSM have passed their end of life, meaning no software updates will be provided for these devices.

In addition to patching, or as a temporary mitigation until patching can be completed, exposure to the vulnerabilities can be reduced either by disabling SNMP, Telnet and SSH, or by strictly limiting network connectivity to the associated ports, usually TCP ports 22 and 23, and TCP and UDP ports 161 and 162.

It must be noted, however, that these mitigations do not remove the vulnerabilities; they simply limit the ability of potential attackers to exploit them. For additional best practices in securing Cisco devices, we highly recommend adhering to the “Cisco Guide to Harden Cisco ASA Firewall.”

Supersized Security Efforts

As always when it comes to taking action in response to vulnerability advisories, organizations must have an inventory of critical assets so they can identify affected infrastructure and prioritize patching and mitigation activities. In particular, devices that face the internet, protect sensitive data or handle connections from third parties should take priority.

Audits of logs and network activity can help determine if you’ve already been compromised as a result of vulnerabilities such as EPICBANANA or EXTRABACON. This would enable you to activate your incident response plan as soon as possible, hopefully before data is stolen or destroyed.
