August 31, 2016 By Lyndon Sutherland 3 min read

EXTRABACON and EPICBANANA sound like something you might find on the menu at your local drive-thru, but they are actually names given to exploit code targeting vulnerabilities in Cisco ASA and PIX devices and the Firewall Services Module.

The exploits came to light in a large dump of code by an entity going under the name of the Shadow Brokers. Cisco published two security advisories to address these vulnerabilities.


EXTRABACON (CVE-2016-6366) is a vulnerability in the implementation of versions 1, 2c and 3 of the Simple Network Management Protocol (SNMP) contained in various versions of Cisco ASA, ASAv, Firepower, FWSM, ISA and PIX products. An affected product would need to have SNMP enabled and the port (by default UDP 161) exposed to an attacker. An attacker would also need to know the configured SNMP community string.

The vulnerability is caused by improper bounds checking. A remote attacker can exploit it by sending specially crafted SNMP packets. These packets may overflow a buffer, potentially resulting in the execution of arbitrary code on the system or causing the device to reload.

IBM X-Force released an advisory and a detection signature, both of which address this vulnerability.

How About an EPICBANANA?

EPICBANANA (CVE-2016-6367) affects Cisco’s ASA, PIX and FWSM. The vulnerability could allow a local authenticated attacker to connect using a protocol such as Telnet or SSH, and then execute arbitrary code or cause a denial-of-service (DoS) condition on a vulnerable system.

EPICBANANA is caused by an error in the command-line interface (CLI) parser. An attacker could exploit the vulnerability by invoking invalid commands.

Comes With Fries, Drink and Serious Security Problems

It is important to address these vulnerabilities because the exploits are publicly available and the affected devices are high-value targets. A breach of these devices can seriously damage an organization’s security posture. An attacker could exploit weak perimeter security to access internal systems from the internet and expose sensitive data, such as payment card information or electronic health records.

The first step a security team should take is to determine if there are vulnerable devices within the organization’s infrastructure. Both advisories provide tables listing the affected and fixed versions of code.

In the case of the EPICBANANA vulnerability and ASA devices, some users may already be running secure versions of code since the vulnerability was first addressed in version 8.4(3). However, versions 8.5, 8.6, 8.7 and 9.0 are also affected.

The table below from the Cisco advisory regarding the EPICBANANA vulnerability shows the details:

| Cisco ASA Major Release | First Fixed Release |
| --- | --- |
| 7.2 | Affected, migrate to 8.4(3) or later |
| 8.0 | Affected, migrate to 8.4(3) or later |
| 8.1 | Affected, migrate to 8.4(3) or later |
| 8.2 | Affected, migrate to 8.4(3) or later |
| 8.3 | Affected, migrate to 8.4(3) or later |
| 8.4 | 8.4(3) |
| 8.5 | Affected, migrate to 9.0(1) or later |
| 8.6 | Affected, migrate to 9.0(1) or later |
| 8.7 | Affected, migrate to 9.0(1) or later |
| 9.0 | 9.0(1) |
| 9.1 | Not affected |
| 9.2 | Not affected |
| 9.3 | Not affected |
| 9.4 | Not affected |
| 9.5 | Not affected |
| 9.6 | Not affected |

The table from the Cisco advisory addressing the EXTRABACON vulnerability shows details of the affected and fixed versions:

| Cisco ASA Major Release | First Fixed Release |
| --- | --- |
| 7.2 | Affected; migrate to 9.1.7(9) or later |
| 8.0 | Affected; migrate to 9.1.7(9) or later |
| 8.1 | Affected; migrate to 9.1.7(9) or later |
| 8.2 | Affected; migrate to 9.1.7(9) or later |
| 8.3 | Affected; migrate to 9.1.7(9) or later |
| 8.4 | Affected; migrate to 9.1.7(9) or later |
| 8.5 | Affected; migrate to 9.1.7(9) or later |
| 8.6 | Affected; migrate to 9.1.7(9) or later |
| 8.7 | Affected; migrate to 9.1.7(9) or later |
| 9.0 | 9.0.4(40) ETA 8/25/2016 |
| 9.1 | 9.1.7(9) |
| 9.2 | 9.2.4(14) ETA 8/25/2016 |
| 9.3 | 9.3.3(10) ETA 8/26/2016 |
| 9.4 | 9.4.3(8) ETA 8/26/2016 |
| 9.5 | 9.5(3) |
| 9.6 | 9.6.1(11) / FTD 6.0.1(2) |
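To turn the two tables into an inventory check, the following added example (not code from Cisco or IBM X-Force) classifies an ASA software version against each advisory. It assumes the device-reported form `9.1(7)9` and the advisory form `9.1.7(9)` denote the same release; the hostnames and versions in the inventory are constructed.

```python
import re

# First-fixed data transcribed from the two advisory tables above.
# "fixed": first fixed release in that train; "migrate": no fix in that train.
EPICBANANA = {
    **{t: ("migrate", "8.4(3)") for t in ("7.2", "8.0", "8.1", "8.2", "8.3")},
    "8.4": ("fixed", "8.4(3)"),
    **{t: ("migrate", "9.0(1)") for t in ("8.5", "8.6", "8.7")},
    "9.0": ("fixed", "9.0(1)"),
    **{t: ("not_affected", None) for t in ("9.1", "9.2", "9.3", "9.4", "9.5", "9.6")},
}
EXTRABACON = {
    **{t: ("migrate", "9.1.7(9)") for t in
       ("7.2", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5", "8.6", "8.7")},
    "9.0": ("fixed", "9.0.4(40)"), "9.1": ("fixed", "9.1.7(9)"),
    "9.2": ("fixed", "9.2.4(14)"), "9.3": ("fixed", "9.3.3(10)"),
    "9.4": ("fixed", "9.4.3(8)"), "9.5": ("fixed", "9.5(3)"),
    "9.6": ("fixed", "9.6.1(11)"),
}

def parse_version(text):
    """Turn '9.1(7)9' or '9.1.7(9)' into a 4-tuple of ints, zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:4]
    if len(nums) < 2:
        raise ValueError(f"not an ASA version: {text!r}")
    return tuple(nums + [0] * (4 - len(nums)))

def status(version, table):
    """Classify one running version against one advisory table."""
    v = parse_version(version)
    kind, target = table.get(f"{v[0]}.{v[1]}", ("unknown", None))
    if kind == "fixed":
        ok = v >= parse_version(target)
        return "fixed" if ok else f"affected; upgrade to {target} or later"
    if kind == "migrate":
        return f"affected; migrate to {target} or later"
    return kind.replace("_", " ")  # 'not affected' or 'unknown' (train not listed)

def audit(inventory):
    """Map hostname -> status for both vulnerabilities."""
    return {host: {"EPICBANANA": status(ver, EPICBANANA),
                   "EXTRABACON": status(ver, EXTRABACON)}
            for host, ver in inventory.items()}

# Constructed inventory (hypothetical hostnames and versions).
INVENTORY = {"fw-edge-1": "8.4(2)", "fw-edge-2": "9.1(7)9", "fw-dc-1": "9.5(2)"}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(host, result)
```

A release train that does not appear in the tables is reported as `unknown` rather than assumed safe, so it can be checked against the current advisory by hand.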

Mitigating Cisco Vulnerabilities

Cisco released updates to address both vulnerabilities. IBM X-Force urged all organizations running vulnerable versions of code to upgrade as soon as possible. It is important to note that the PIX and FWSM have passed their end of life, meaning no software updates will be provided for these devices.

In addition to patching, or as a temporary mitigation until patching can be completed, the vulnerabilities can be controlled either by disabling SNMP, Telnet and SSH or by strictly limiting network connectivity to the associated ports, usually TCP ports 22 and 23, and TCP and UDP ports 161 and 162.

It must be noted, however, that these mitigations do not remove the vulnerabilities; they simply limit the ability of potential attackers to exploit them. For additional best practices in securing Cisco devices, we highly recommend adhering to the “Cisco Guide to Harden Cisco ASA Firewall.”

Supersized Security Efforts

As always when it comes to taking action in response to vulnerability advisories, organizations must have an inventory of critical assets so they can identify affected infrastructure, and prioritize patching and mitigation activities. In particular, devices that face the internet, protect sensitive data or handle connections from third parties should take priority.

Audits of logs and network activity can help determine if you’ve already been compromised as a result of vulnerabilities such as EPICBANANA or EXTRABACON. This would enable you to activate your incident response plan as soon as possible, hopefully before data is stolen or destroyed.
