
Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability - runesoerensen
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
======
moyix
This is the vulnerability exploited by EXTRABACON:
[https://xorcatt.wordpress.com/2016/08/16/equationgroup-tool-...](https://xorcatt.wordpress.com/2016/08/16/equationgroup-tool-leak-extrabacon-demo/)

~~~
salem
So it seems the dump contains at least one legit 0-day, and it's been in use
for 3 years.

~~~
Someone1234
Which does at least HINT that it might be what it claims to be. That's a
pretty impressive 0-day which they just gave away as a freebie, who knows what
they didn't give away.

I will say we'll never get real confirmation if this was actually stolen from
the NSA, but if the other bundle contains a bunch of nice original
vulnerabilities people will presume it was.

~~~
moyix
Washington Post got former NSA TAO employees to go on record (anonymously)
confirming the leaked toolkit comes from NSA:

[https://www.washingtonpost.com/world/national-security/power...](https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html)

~~~
wang_li
Good. Given that these tools no longer can be considered available only to the
NSA, they might start working with vendors to close this particular set of
holes.

~~~
DanielDent
I wonder how this leak affects their "vulnerabilities equities process".

The publicly available data would suggest that thus-far NSA-hoarded
vulnerabilities are definitively known to actors who appear willing to act
against US interests.

Vendor disclosure means those vulnerabilities can be patched and US interests
can cease being vulnerable, but could also confirm NSA awareness of
vulnerabilities - which could in turn cause attribution concerns for past or
present operations the NSA is undertaking or has undertaken using these
vulnerabilities (in addition to providing additional credibility to the
leaker).

What a tangled web.

------
tptacek
Is there some foreign government or organization that buys large numbers of
ASAs, enables SNMP on them, exposes SNMP to the Internet on them, and uses
predictable SNMP community strings? (For people w/o net ops experience: the
SNMP "community" is your shared SNMP password, and in competent networks will
be approximately as unguessable as a login password).

~~~
ryanlol
I scanned. The answer seems to be no, nobody is doing that.

~~~
tptacek
So then this vulnerability is pretty much only useful (1) for persisting onto
networks you've already compromised (2) and only in cases where you can apply
consultative effort to discover the SNMP community string?

Or maybe there are lots of overseas networks where they enable SNMP and leave
the community string "public"?

(Also: how batshit crazy is it that the ASA will let you use "public" as your
community string, let alone default to it?)

~~~
mschuster91
> So then this vulnerability is pretty much only useful (1) for persisting
> onto networks you've already compromised

No! For example, at one place I was employed, the switches had different
VLANs - one for private internal network, one which had external (direct)
internet access, one for VoIP telephones, one for printers, one for servers
and one for BYOD external consultants. Basically, compartmentalization - and
everything was firewalled, and every cross-VLAN access had to be separately
allowed.

So this exploit (or, for that matter any switch/router exploit) can be used
not just for persisting, but for escalating privileges. Assume you have hacked
a fax printer via the telephone line (hey, given that, I'm tempted to actually
grab a modem and do some fuzzing with my fax printer...), you can then use its
network connection to punch holes in the firewall and spread.

~~~
tptacek
Yeah I guess, but I think that scenario is way less common than you think it
is, only because almost nobody reliably segments networks. Once you're
internal, you've usually got everything within a few hops.

Whereas persisting onto an ASA sounds like an actually widely useful
capability! The ASAs don't get reimaged during incident response.

~~~
mschuster91
> Yeah I guess, but I think that scenario is way less common than you think it
> is, only because almost nobody reliably segments networks. Once you're
> internal, you've usually got everything within a few hops.

Indeed, yes, but entities large enough to afford dedicated teams to run
hundreds of pieces of Cisco gear with proper segmentation etc. usually also
tend to be those of most interest to any espionage outfit.

Last I heard, ex-employer switched from huge VLAN switches to dedicated,
unconnected switches for each network part after Snowden. Given the leak here,
I'd say their fear wasn't totally unjustified.

------
tptacek
Further supporting the hypothesis that these are implants (meant to persist
access gained through other vectors), not external or pivoting exploits, is
the fact that the other firewall exploits from the batch (for Fortinet
firewalls, for instance) target web management interfaces that also aren't
exposed on external interfaces.

------
molecule
the lede is @ the bottom of the announcement:

> _Exploitation and Public Announcements_
>
> _On August 15, 2016, Cisco was alerted to information posted online by the
> Shadow Brokers group, which claimed to possess disclosures from the Equation
> Group. The posted materials included exploits for firewall products from
> multiple vendors. The Cisco products mentioned were the Cisco PIX and Cisco
> ASA firewalls._
>
> _Source_
>
> _The exploit of this vulnerability was publicly disclosed by the alleged
> Shadow Brokers group._

------
snowy
You would have to have the ASA configured to accept SNMP packets from the IP
you're sending them from (or maybe spoof the source address if you knew it, as it
would be a UDP packet), and you would also have to know the SNMP community
string.

Chances are if you had all of this info you could cause all sorts of damage
even without the vulnerability.

~~~
revelation
I'm not sure I follow; what can you do with the bits of information you named
when this vulnerability is not present?

In any case, the scenario for this exploit is that you have access (possibly
only restricted, no superuser) to an internet-facing machine and are looking
to expand your reach into the internal network. That's why they are keen to
exploit these Cisco boxes, they are a stepping stone to the wider network that
might be otherwise firewalled off and a pretty permanent one at that.

~~~
tptacek
Not really. As the preceding comment points out: it's pretty unusual for an
ASA to speak SNMP to the Internet. Not having SNMP publicly exposed is
CISSP-level (read: elementary, and idiosyncratically specific) best practice.

Rather, my (uninformed) guess is that this implant is exclusively used to
persist onto networks that have been compromised through some other vector.
It's not a pivot bug.

~~~
monkmartinez
Just a quick thought... what about all the monitoring software that relies on
SNMP?

~~~
tptacek
Not only is it all internal, but in modern networks SNMP is usually run on
specific dedicated backchannel networks, precisely because anyone who has done
network security since 1994 knows that SNMP is terribly insecure.

It may be a little less rigorous because ASAs are often prem boxes in
enterprise environments, not like tier 1 backbone components. But it might be
a little more rigorous because ASAs are firewalls.

~~~
monkmartinez
Just a quick google for: Remote grafana SNMP, Remote LibreNMS SNMP, Remote
Observium SNMP, etc. leads to all kinds of good stuff.

~~~
tptacek
I mean, you can literally just ask a site like Shodan to give you a list of
publicly available SNMP interfaces. Do you see a lot of what look like ASAs on
that list?

------
cwkoss
I wonder if Cisco has any legal basis for suing the NSA for
developing/allowing the leak of this software?

~~~
rdtsc
I like the idea in principle. But the answer is no. In general you can't sue
the US govt unless ... wait for it... US govt lets you sue it. Like say it
does for some form of tort.

------
oldsj
Am I missing something? This is like saying "remote code execution possible if
the attacker knows your ssh password"

~~~
jlgaddis
One case that immediately springs to mind is a network monitoring system
exposed to the Internet in order to provide a live "status" page, either for
the staff, users, or the public. That system would have SNMP access to the ASA
firewalls (which are otherwise normally well-protected).

Gaining access to that public host would then grant you RCE to the protected
internal firewall.

If the public host were hosted, say, at AWS/DO/etc., and used a VPN for access
to those internal network devices, you've just gained access to the internal
network itself.

(Note also that a) SNMP uses UDP and b) community strings, v1 and v2c at
least, are plain-text. SNMPv3 has a bit more protection but it's not as widely
used.)
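The cleartext community string described above is visible directly in the v1/v2c wire format. As an added example (not from the thread, from Cisco, or from any monitoring product named above), the following Python decodes the SNMP version and community from raw datagrams and gives the triage label a monitoring rule would want: v1/v2c exposes the string to anyone on the path, and "public"/"private" are defaults. The sample datagrams, the community "n0c-r0", and the function names are constructed for this example.

```python
# Decoder for the SNMP header (version + community) as it crosses the wire, plus
# a triage helper. Sample datagrams below are constructed, not real captures.
DEFAULT_COMMUNITIES = {"public", "private"}

V2C_PUBLIC = bytes.fromhex(             # SNMPv2c GetRequest for sysDescr.0
    "3029"                              # SEQUENCE, 41 bytes of content
    "020101"                            # version INTEGER = 1 (v2c)
    "04067075626c6963"                  # community OCTET STRING "public"
    "a01c020401020304020100020100"      # GetRequest: request-id, error-status/index
    "300e300c06082b060102010101000500"  # varbind: sysDescr.0 / NULL
)
# Same request as SNMPv1 (version 0) with a made-up site community "n0c-r0".
V1_CUSTOM = V2C_PUBLIC[:4] + b"\x00\x04\x06n0c-r0" + V2C_PUBLIC[13:]
# SNMPv3 header only (version 3, then msgGlobalData): truncated but decodable.
V3_HEADER = bytes.fromhex("3012020103300d020101020205dc040104020103")

def _read_tlv(buf, pos):
    # Read one BER TLV at buf[pos]; return (tag, value, next_pos).
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: 0x81 nn, 0x82 nn nn, ...
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of datagram")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(datagram):
    # Returns {"version": "v1"|"v2c"|"v3", "community": str or None}.
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(ver, "big")
    if version == 3:                    # v3 has no community; USM carries auth
        return {"version": "v3", "community": None}
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community OCTET STRING missing")
    name = {0: "v1", 1: "v2c"}.get(version, "unknown")
    return {"version": name, "community": community.decode("latin-1")}

def classify(datagram):
    # Triage label for a monitored datagram: v3, default-community, cleartext-community.
    hdr = parse_snmp_header(datagram)
    if hdr["version"] == "v3":
        return "v3"
    if hdr["community"].lower() in DEFAULT_COMMUNITIES:
        return "default-community"      # "public"/"private" fail outright
    return "cleartext-community"        # v1/v2c: readable by anyone on the path
```

Feeding real UDP/161 payloads from a span port into `classify` turns jlgaddis's point into a concrete check: every non-v3 hit is a community string that has already left the box in the clear.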

~~~
therein
So what you're saying is it would be trivial for, say, a state actor to tap
into the fiber optic cables and snoop for these unencrypted community strings
going over UDP? And then to use them to gain access to internal networks?

Well fuck, NSA was inside pretty much any corporate network they wanted then.

~~~
jlgaddis
Pretty much. See previous disclosures discussing how the NSA captures, for
example, configuration files for Cisco devices passing over the Internet in
e-mail, TFTP, etc. If you've sent a community string over the Internet, it's
quite possible that they have it too.

------
Bino
Cisco is maintaining way too much proprietary code, while laying off people. Wow,
that's a recipe for success...

~~~
Relys
The bit-rot struggle is real. XD

------
NKCSS
The link ([https://tools.cisco.com/security/center/content/CiscoSecurit...](https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp)) hits as 404 right now...

HTTP Status 404 - /security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

type Status report

message /security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp

description The requested resource is not available.

Apache Tomcat/7.0.54

~~~
revelation
Cisco is running an old version of Apache Tomcat and the links on their
security pages are dead? Shocker!

They had so many good things to say about their security-mindedness in this
post, they even explained Python's pexpect, and I can't imagine any parallel
universe where that somehow connects to the security of Cisco devices.

------
tomovo
Everybody's fired.

------
HammadB
I see, so this is why they laid off so many employees today.... :P

~~~
curiousgal
Yup, I mean since when doesn't correlation mean causation!

~~~
kevin_thibedeau
Netcraft would be able to confirm if only their Cisco gear wasn't pwned.

