Among the Equation Group exploits leaked by the Shadow Brokers, the one named EXTRABACON that targets Cisco ASA devices got the most attention from security researchers and attackers.
It has been demonstrated that the original exploit can be easily modified to work on more recent versions of the Cisco ASA SSL VPN appliances, and researchers armed with honeypots noted that exploitation attempts started soon after the leak.
You would think that news like this would push admins around the world to patch the devices under their control as soon as the patches were made available, but you would be wrong.
Rapid7 researchers Derek Abdine and Bob Rudis have recently used the company’s Project Sonar to see how many potentially vulnerable boxes can be found online.
They point out that “vulnerable” might be too strong a word, since to take advantage of the exploit an attacker has to be able to reach the device via UDP SNMP, know the SNMP community string, and have telnet or SSH access to it.
Nevertheless, their scanning effort revealed that of the 50,000 boxes they found (half of them in the US), only 38,000 could be made to reveal the date of the last reboot (they asked for that information because they couldn’t legally test for SNMP and telnet/SSH access).
Of those, 10,097 have been rebooted (which likely means patched) since the exploit was made public.
Among those that still haven’t done so are telecom providers, financial services companies, tech companies, health care and insurance providers around the world, and a large UK government agency.
“This bird’s eye view of how organizations have reacted to the initial and updated EXTRABACON exploit releases shows that some appear to have assessed the issue as serious enough to react quickly while others have moved a bit more cautiously,” the researchers noted.
“It’s important to stress, once again, that attackers need to have far more than external SSL access to exploit these systems. However, also note that the vulnerability is very real and impacts a wide array of Cisco devices beyond these SSL VPNs. So, while you may have assessed this as a low risk, it should not be forgotten and you may want to ensure you have the most up-to-date inventory of what Cisco ASA devices you are using, where they are located and the security configurations on the network segments with access to them.”
They pointed out that “Cisco patches are generally quick and safe to deploy, so it would be prudent for most organizations to deploy the patch as soon as they can obtain and test it.”