EXTRABACON and EPICBANANA sound like something you might find on the menu at your local drive-thru, but they are actually names given to exploit code targeting vulnerabilities in Cisco ASA and PIX devices and the Firewall Services Module.

The exploits came to light in a large dump of code by an entity going under the name of the Shadow Brokers. Cisco published two security advisories to address these vulnerabilities.


EXTRABACON (CVE-2016-6366) is a vulnerability in versions 1, 2c and 3 of the Simple Network Management Protocol (SNMP) contained in various versions of Cisco ASA, ASAv, Firepower, FWSM, ISA and PIX products. An affected product would need to have SNMP enabled and the port (by default UDP 161) exposed to an attacker. An attacker would also need to know the configured SNMP community string.

The vulnerability is caused by improper bounds checking. A remote attacker can exploit it by sending specially crafted SNMP packets. These packets may overflow a buffer, potentially resulting in the execution of arbitrary code on the system or causing the device to reload.

IBM X-Force released an advisory and a detection signature, both of which address this vulnerability.

How About an EPICBANANA?

EPICBANANA (CVE-2016-6367) affects Cisco’s ASA, PIX and FWSM. The vulnerability could allow a local authenticated attacker to connect using a protocol such as Telnet or SSH, and then execute arbitrary code or cause a denial-of-service (DoS) condition on a vulnerable system.

EPICBANANA is caused by an error in the command-line interface (CLI) parser. An attacker could exploit the vulnerability by invoking invalid commands.

Comes With Fries, Drink and Serious Security Problems

It is important to address these vulnerabilities because the exploits are publicly available and the affected devices are high-value targets. A breach of these devices can seriously damage an organization’s security posture. An attacker could exploit weak perimeter security to access internal systems from the internet and expose sensitive data, such as payment card information or electronic health records.

The first step a security team should take is to determine if there are vulnerable devices within the organization’s infrastructure. Both advisories provide tables listing the affected and fixed versions of code.

In the case of the EPICBANANA vulnerability and ASA devices, some users may already be running secure versions of code since the vulnerability was first addressed in version 8.4(3). However, versions 8.5, 8.6, 8.7 and 9.0 are also affected.

The table below from the Cisco advisory regarding the EPICBANANA vulnerability shows the details:

| Cisco ASA Major Release | First Fixed Release |
| --- | --- |
| 7.2 | Affected, migrate to 8.4(3) or later |
| 8.0 | Affected, migrate to 8.4(3) or later |
| 8.1 | Affected, migrate to 8.4(3) or later |
| 8.2 | Affected, migrate to 8.4(3) or later |
| 8.3 | Affected, migrate to 8.4(3) or later |
| 8.4 | 8.4(3) |
| 8.5 | Affected, migrate to 9.0(1) or later |
| 8.6 | Affected, migrate to 9.0(1) or later |
| 8.7 | Affected, migrate to 9.0(1) or later |
| 9.0 | 9.0(1) |
| 9.1 | Not affected |
| 9.2 | Not affected |
| 9.3 | Not affected |
| 9.4 | Not affected |
| 9.5 | Not affected |
| 9.6 | Not affected |

The table from the Cisco advisory addressing the EXTRABACON vulnerability shows details of the affected and fixed versions:

| Cisco ASA Major Release | First Fixed Release |
| --- | --- |
| 7.2 | Affected; migrate to 9.1.7(9) or later |
| 8.0 | Affected; migrate to 9.1.7(9) or later |
| 8.1 | Affected; migrate to 9.1.7(9) or later |
| 8.2 | Affected; migrate to 9.1.7(9) or later |
| 8.3 | Affected; migrate to 9.1.7(9) or later |
| 8.4 | Affected; migrate to 9.1.7(9) or later |
| 8.5 | Affected; migrate to 9.1.7(9) or later |
| 8.6 | Affected; migrate to 9.1.7(9) or later |
| 8.7 | Affected; migrate to 9.1.7(9) or later |
| 9.0 | 9.0.4(40) ETA 8/25/2016 |
| 9.1 | 9.1.7(9) |
| 9.2 | 9.2.4(14) ETA 8/25/2016 |
| 9.3 | 9.3.3(10) ETA 8/26/2016 |
| 9.4 | 9.4.3(8) ETA 8/26/2016 |
| 9.5 | 9.5(3) |
| 9.6 | 9.6.1(11) / FTD 6.0.1(2) |
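
The two tables can be turned into an inventory check. The sketch below is an added example, not code from Cisco, IBM X-Force or the original article; the hostnames and releases in the sample inventory are constructed, and the parser assumes release strings are written in one of the forms the tables use, such as 8.4(3) or 9.1.7(9).

```python
import re

# (status, release) per ASA major release, transcribed from the two advisory
# tables above; several EXTRABACON fixes were still listed with an ETA.
def _table(migrate, target, fixed, clean=()):
    rows = {t: ("migrate", target) for t in migrate}
    rows.update({t: ("fixed", v) for t, v in fixed.items()})
    rows.update({t: ("clean", None) for t in clean})
    return rows

OLD = ["7.2", "8.0", "8.1", "8.2", "8.3"]
EPICBANANA = _table(OLD, "8.4(3)", {"8.4": "8.4(3)", "9.0": "9.0(1)"},
                    clean=["9.1", "9.2", "9.3", "9.4", "9.5", "9.6"])
EPICBANANA.update(_table(["8.5", "8.6", "8.7"], "9.0(1)", {}))
EXTRABACON = _table(OLD + ["8.4", "8.5", "8.6", "8.7"], "9.1.7(9)", {
    "9.0": "9.0.4(40)", "9.1": "9.1.7(9)", "9.2": "9.2.4(14)",
    "9.3": "9.3.3(10)", "9.4": "9.4.3(8)", "9.5": "9.5(3)", "9.6": "9.6.1(11)"})

def parse(release):
    """'9.1.7(9)' -> (9, 1, 7, 9); short forms such as '8.4(3)' are zero-padded."""
    nums = [int(n) for n in re.findall(r"\d+", release)]
    if len(nums) < 2:
        raise ValueError(f"unrecognised release string: {release!r}")
    return tuple(nums + [0] * max(0, 4 - len(nums)))

def assess(release, table):
    """Return the table's verdict for one running release."""
    v = parse(release)
    status, ref = table.get(f"{v[0]}.{v[1]}", ("unknown", None))
    if status == "unknown":
        return "release train not in table, check the advisory"
    if status == "clean":
        return "not affected"
    if status == "migrate":
        return f"affected, migrate to {ref} or later"
    if v >= parse(ref):
        return "fixed"
    return f"affected, upgrade to {ref} or later"

def audit(inventory):
    return {host: {"EPICBANANA": assess(rel, EPICBANANA),
                   "EXTRABACON": assess(rel, EXTRABACON)}
            for host, rel in inventory.items()}

# Constructed sample inventory (hostnames and releases are illustrative).
INVENTORY = {"edge-fw-1": "8.4(2)", "edge-fw-2": "9.1.7(4)",
             "dc-fw-1": "8.6(1)", "lab-fw-1": "9.5(3)"}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(host, result)
```

A device only counts as remediated when both columns read "fixed" or "not affected"; a release such as 8.4(3) closes EPICBANANA but still needs the EXTRABACON migration.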

Mitigating Cisco Vulnerabilities

Cisco released updates to address both vulnerabilities. IBM X-Force urged all organizations running vulnerable versions of code to upgrade as soon as possible. It is important to note that the PIX and FWSM have passed their end of life, meaning no software updates will be provided for these devices.

In addition to patching, or as a temporary mitigation until patching can be completed, the vulnerabilities can be controlled either by disabling SNMP, Telnet and SSH, or by strictly limiting network connectivity to the associated ports, usually TCP ports 22 and 23, and TCP and UDP ports 161 and 162.

It must be noted, however, that these mitigations do not remove the vulnerabilities; they simply limit the ability of potential attackers to exploit them. For additional best practices in securing Cisco devices, we highly recommend adhering to the “Cisco Guide to Harden Cisco ASA Firewall.”

Supersized Security Efforts

As always when it comes to taking action in response to vulnerability advisories, organizations must have an inventory of critical assets so they can identify affected infrastructure, and prioritize patching and mitigation activities. In particular, devices that face the internet, protect sensitive data or handle connections from third parties should take priority.

Audits of logs and network activity can help determine if you’ve already been compromised as a result of vulnerabilities such as EPICBANANA or EXTRABACON. This would enable you to activate your incident response plan as soon as possible, hopefully before data is stolen or destroyed.
