The vulnerability was revealed after The Shadow Brokers hacking group published documents stolen from Equation Group in 2013. The exploit code was dubbed BENIGNCERTAIN and was presumably used by NSA operatives to infiltrate networks of government organizations and private companies.
Cisco has not developed a patch for the flaw, and no workarounds are available.
Firstly, the vulnerability received a patch back in 2011.
EPICBANANA.
Vulnerability details
Advisory: SB2016081804 - Local buffer overflow in CLI parser in Cisco ASA Appliances
Vulnerable component: Cisco PIX Firewall
CVE-ID: CVE-2016-6367
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-119 - Memory corruption
Description:
The vulnerability allows a local user to cause denial of service or execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the command-line interface (CLI) parser. A local authenticated user can trigger a buffer overflow and reload the affected device or execute arbitrary code on the target system.
Successful exploitation of this vulnerability will allow a local user to execute arbitrary code on the vulnerable system.
The following models of Cisco ASA appliances are affected:
Note: this is a zero-day vulnerability, discovered after the security breach of The Equation Group. The exploit code for this vulnerability was publicly exposed and is referred to as the EPICBANANA exploit.
Public Exploits:
- Cisco ASA / PIX - 'EPICBANANA' Privilege Escalation [Exploit-DB]
External links:
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli
https://blogs.cisco.com/security/shadow-brokers
http://www.thesecurityblogger.com/the-shadow-brokers-epicbananas-and-extrabacon-exploits/
https://www.tripwire.com/state-of-security/latest-security-news/cisco-confirms-two-exploits-found-in...
https://www.bleepingcomputer.com/news/security/researchers-find-strong-connection-between-nsa-hacker...
http://thehackernews.com/2016/08/nsa-hack-exploit.html
http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml
https://arstechnica.com/security/2016/08/cisco-confirms-nsa-linked-zeroday-targeted-its-firewalls-fo...
https://www.symantec.com/connect/blogs/equation-has-secretive-cyberespionage-group-been-breached
https://www.helpnetsecurity.com/2016/08/18/cisco-fortinet-exploits-leaked/
http://techgenix.com/nsa-hack-cisco-releases-patches/
https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equatio...
http://www.eweek.com/security/shadow-brokers-flaw-poses-zero-day-risks-cisco-and-fortinet-warn.html
https://duo.com/blog/newly-released-exploits-affect-cisco-juniper-and-other-vendors