Extra Bacon? Yes please, even though the Cisco bug of this name is bad for you

Probably-NSA-sourced bug isn't being patched, even by UK government users


Tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit thought to have been cooked up by the United States National Security Agency (NSA).

The "Extra Bacon" exploit was one of many found as part of an Equation Group cache leaked by a hacking outfit calling itself the Shadow Brokers.

Equation Group is thought to be an offensive NSA Tailored Access Operations unit. The leaked exploits and the tools stolen by Shadow Brokers are thought to have come from a compromised command and control staging server.

Cisco has rushed out patches against the Extra Bacon exploit, while researchers extended the attack to compromise more modern ASA units.

Now Rapid 7 engineering duo Derek Abdine and Bob Rudis say tens of thousands of ASA boxes appear still to be exposed to the attack judging by the time of last reboot.

The pair scanned the 50,000 ASA devices Rapid 7 had previously catalogued to find the last time reboot times. About 12,000 refused to provide the information.

Some 10,000 of the 38,000 ASA devices had rebooted within the 15 days since Cisco released its patch, meaning about 28,000 were un-patched.

Those un-patched include four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

Exploiting Extra Bacon while severe is complex and unreliable, and does not mean all un-patched vulnerable ASA boxes are at high risk. Attackers must reach vulnerable devices through UDP SNMP and know the SNMP community string, and have SSH access.

"Even though there's a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments," Abdine and Rudis say.

"Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it."

The pair caution those organisations which have considered the chance for exploitation to be low to fully understand their exposure. ®

Similar topics


Other stories you might like

  • It's the flu season – FluBot, that is: Surge of info-stealing Android malware detected

    And a bunch of bank-account-raiding trojans also identified

    FluBot, a family of Android malware, is circulating again via SMS messaging, according to authorities in Finland.

    The Nordic country's National Cyber Security Center (NCSC-FI) lately warned that scam messages written in Finnish are being sent in the hope that recipients will click the included link to a website that requests permission to install an application that's malicious.

    "The messages are written in Finnish," the NCSC-FI explained. "They are written without Scandinavian letters (å, ä and ö) and include, for example, the characters +, /, &, % and @ in illogical places in the text to make it more difficult for telecommunications operators to filter the messages. The theme of the text may be that the recipient has received a voicemail message or a message from their mobile operator."

    Continue reading
  • AsmREPL: Wing your way through x86-64 assembly language

    Assemblers unite

    Ruby developer and internet japester Aaron Patterson has published a REPL for 64-bit x86 assembly language, enabling interactive coding in the lowest-level language of all.

    REPL stands for "read-evaluate-print loop", and REPLs were first seen in Lisp development environments such as Lisp Machines. They allow incremental development: programmers can write code on the fly, entering expressions or blocks of code, having them evaluated – executed – immediately, and the results printed out. This was viable because of the way Lisp blurred the lines between interpreted and compiled languages; these days, they're a standard feature of most scripting languages.

    Patterson has previously offered ground-breaking developer productivity enhancements such as an analogue terminal bell and performance-enhancing firmware for the Stack Overflow keyboard. This only has Ctrl, C, and V keys for extra-easy copy-pasting, but Patterson's firmware removes the tedious need to hold control.

    Continue reading
  • Microsoft adds Buy Now, Pay Later financing option to Edge – and everyone hates it

    There's always Use Another Browser

    As the festive season approaches, Microsoft has decided to add "Buy Now, Pay Later" financing options to its Edge browser in the US.

    The feature turned up in recent weeks, first in beta and canary before it was made available "by default" to all users of Microsoft Edge version 96.

    The Buy Now Pay Later (BNPL) option pops up at the browser level (rather than on checkout at an ecommerce site) and permits users to split any purchase between $35 and $1,000 made via Edge into four instalments spread over six weeks.

    Continue reading

Biting the hand that feeds IT © 1998–2021