Crispy EXTRABACON Cisco Router Exploit Exposed By NSA Cyber Toolkit Heist

We wrote a couple of days ago about a huge treasure trove of alleged NSA-derived exploits that were hitting the market. That gold mine was accessed by a group calling itself Shadow Brokers, and it's been said that their source was Equation Group, which is believed to be an extension of the NSA.

At that time, there was no proof that any of the exploits contained in the collection were still valid. Quickly, some noted that a few of the targets were already patched, leading the rest of us to believe that the entire collection came a bit too late. However, anyone who thought that might have to back it up a wee bit, as Cisco has today confirmed that one of the exploits contained within that collection is valid.

The two valid exploits are EPICBANANA and EXTRABACON (yes, really), and while the former was patched years ago, the super delicious latter one had gone under Cisco's radar. That means that if this collection did in fact come from NSA-based sources, the agency could have been exploiting the flaw all of this time. It wasn't a proof-of-concept, and the exploit was never reported to Cisco.

Cisco HyperFlex

Cisco shows the vulnerability as "High" on the severity scale, and as of yet, there are no fixes. However, we can imagine that Cisco engineers will be working around the clock until a fix gets out the door. Vulnerable products include:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

If the attack is successful, attackers would gain enough access to the devices to remotely execute code, which could lead to a variety of issues - from downed services to sensitive information leaked.

Is this the beginning of interesting things to come out of this trove? Those who want to sell it are said to be willing to let loose some more of its contents in order to help persuade buyers, so we might not be through this yet. Perhaps even more interesting than the collection of exploits itself is finding out for certain whether they came from the NSA or not. At this point, it's still all hearsay.