Pierluigi Paganini August 24, 2016

Security experts have improved the ExtraBacon exploit included in the NSA Equation Group arsenal to hack newer version of CISCO ASA appliance.

The data dump leaked online by ShadowBrokers is a treasure for security experts and hackers that are analyzing every tool it contains.

Cisco and Fortinet have confirmed their network appliance are vulnerable to the exploits listed in the leaked dump.

Recently security researchers tested the BENIGNCERTAIN tool included in the precious archive belonging to the NSA Equation Group that allows attackers to extract VPN passwords from certain Cisco devices.

Now the Hungary-based security consultancy SilentSignal has focused his analysis on another exploit that could be used against the newer models of Cisco’s Adaptive Security Appliance (ASA).

We successfully ported EXTRABACON to ASA 9.2(4) #ShadowBrokers #Cisco pic.twitter.com/UPG6yq9Km2

— SilentSignal (@SilentSignalHU) 23 agosto 2016

The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought.

Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA boxes and has now been expanded to 9.2.(4).

An attacker who has already gained a foothold in a targeted network could use the zero-day exploit to take full control of a firewall.

In an e-mail sent to ArsTechnica, SilentSignal researcher Balint Varga-Perke wrote:

“We first started to work on the exploit mainly to see how easy it would be to add support for other (newer) versions. Turns out it is very easy, that implies two things:

• The leaked code is not as poor quality as some might suggest
• The lack of exploit mitigation techniques in the target Cisco software makes the life of attackers very easy”

Experts from the IT vendor Juniper also confirmed that one of the exploits in the Equation Group archive could be used to hack the Juniper NetScreen firewalls, they also confirmed that are conduction further investigation on the exploit.

The tool codenamed FEEDTROUGH and ZESTYLEAK could be used by attackers to target Juniper Netscreen firewalls, the company is investigating their efficiency.

“As part of our analysis of these (Equation Group) files, we identified an attack against NetScreen devices running ScreenOS,” explained the company incident response director Derrick Scholl.

“We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.”

“We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CISCO ASA, ExtraBacon exploit)