Cisco Security Advisory
Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability
High
Advisory ID:
cisco-sa-20160817-asa-snmp
First Published:
2016 August 17 18:45 GMT
Last Updated:
2016 August 17 21:13 GMT
Version 1.1:
Interim
Workarounds:
Cisco Bug IDs:
CVE-2016-6366
CVSS Score:
Base 8.5,
Temporal 8.1
Click Icon to Copy Verbose Score
AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:W/RC:C
AV:N/AC:M/Au:S/C:C/I:C/A:C/E:H/RL:W/RC:C
CVE-2016-6366
-
A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.
The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.
Note: Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode only and in single or multiple context mode. This vulnerability can be triggered by IPv4 traffic only.
Cisco has not released software updates that address this vulnerability. There are workarounds that address this vulnerability.
This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
-
Vulnerable Products
Affected Cisco ASA Software running on the following products may be affected by this vulnerability:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco ASA 5500-X Series Next-Generation Firewalls
- Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Cisco ASA 1000V Cloud Firewall
- Cisco Adaptive Security Virtual Appliance (ASAv)
- Cisco Firepower 9300 ASA Security Module
- Cisco PIX Firewalls
- Cisco Firewall Services Module (FWSM)
Products Confirmed Not Vulnerable
No other Cisco products are currently known to be affected by this vulnerability.
-
Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the snmp-server host command.
The SNMP chapter of the Cisco ASA Series General Operations CLI Configuration Guide explains how SNMP is configured in the Cisco ASA.
The attacker must know the community strings to successfully launch an attack against an affected device. Community strings are passwords that are applied to an ASA device to restrict both read-only and read-write access to the SNMP data on the device. These community strings, as with all passwords, should be carefully chosen to ensure they are not trivial. Community strings should be changed at regular intervals and in accordance with network security policies. For example, the strings should be changed when a network administrator changes roles or leaves the company.
-
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Fixed Releases
All Cisco ASA releases are affected. Cisco is working on fixes for supported releases.
-
On August 15, 2016, Cisco was alerted to information posted online by the Shadow Brokers group, which claimed to possess disclosures from the Equation Group. The posted materials included exploits for firewall products from multiple vendors. The Cisco products mentioned were the Cisco PIX and Cisco ASA firewalls.
-
The exploit of this vulnerability was publicly disclosed by the alleged Shadow Brokers group.
-
To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.
-
Show LessVersion Description Section Status Date 1.1 Cisco has not released software updates that address this vulnerability. Summary Interim 2016-August-17 1.0 Initial public release. — Interim 2016-August-17
-
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. CISCO EXPECTS TO UPDATE THIS DOCUMENT AS NEW INFORMATION BECOMES AVAILABLE.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products.