Local buffer overflow in CLI parser in Cisco ASA Appliances

Published: 2016-08-18
Severity: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2016-6367
CWE ID: CWE-119
Exploitation vector: Local
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software: Cisco ASA 5500, Cisco ASA 5500-X Series, Cisco PIX Firewall
Vendor: Cisco Systems, Inc

Security Advisory

This security advisory describes one medium risk vulnerability.

1) CLI parser buffer overflow

Severity: Medium

CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C] [PCI]

CVE-ID: CVE-2016-6367

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Description

The vulnerability allows a local user to cause denial of service or execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the command-line interface (CLI) parser. A local, authenticated user can trigger a buffer overflow, causing the affected device to reload or allowing arbitrary code execution on the target system.

Successful exploitation of this vulnerability allows a local user to execute arbitrary code on the vulnerable system.
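As an added illustration of the defect class named above (CWE-119 in a CLI parser), here is a hypothetical "verb argument" command parser written for this page. It is not Cisco's code and is not derived from the published exploit: it places the unchecked copy that makes such parsers overflow beside a bounded version that refuses over-long tokens. `FIELD_MAX`, `struct cli_cmd`, the function names and the sample lines are all assumptions.

```c
/* Hypothetical CLI parser illustrating CWE-119 (constructed example, not Cisco code). */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 32   /* assumed fixed-size field for one CLI token */

struct cli_cmd {
    char verb[FIELD_MAX];
    char arg[FIELD_MAX];
};

/* Vulnerable pattern, kept only for contrast: strcpy copies until the NUL
 * terminator regardless of the destination size, so a token of FIELD_MAX
 * bytes or more writes past the field into adjacent memory. */
void copy_field_unsafe(char *dst, const char *token) {
    strcpy(dst, token);
}

/* Hardened pattern: measure first and refuse anything that does not fit
 * together with its terminator. Returns 0 on success, -1 if too long. */
int copy_field_checked(char *dst, const char *token, size_t len) {
    if (len >= FIELD_MAX) {
        return -1;              /* refuse rather than truncate silently */
    }
    memcpy(dst, token, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "verb arg" (single space separator) into a cli_cmd.
 * Returns 0 on success, -1 if either field would overflow, -2 if malformed. */
int parse_cli_line(const char *line, struct cli_cmd *out) {
    const char *sp = strchr(line, ' ');
    if (sp == NULL || sp == line || sp[1] == '\0') {
        return -2;
    }
    size_t verb_len = (size_t)(sp - line);
    size_t arg_len = strlen(sp + 1);
    if (copy_field_checked(out->verb, line, verb_len) != 0 ||
        copy_field_checked(out->arg, sp + 1, arg_len) != 0) {
        return -1;
    }
    return 0;
}

/* Runs the checked parser over constructed sample lines and returns how many
 * were rejected for length. The defensive point: the parser, not the caller,
 * enforces the field size, so an over-long token is an error, not a write. */
int count_rejected_lines(void) {
    static const char *samples[] = {
        "show version",
        "enable 15",
        /* constructed over-long argument: 40 'A's, more than FIELD_MAX-1 */
        "show AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    };
    int rejected = 0;
    struct cli_cmd cmd;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_cli_line(samples[i], &cmd) == -1) {
            rejected++;
        }
    }
    return rejected;
}

int main(void) {
    struct cli_cmd cmd;
    char small[FIELD_MAX];
    copy_field_unsafe(small, "ok");   /* short input only: no overflow here */
    printf("checked parser rejected %d of 3 sample lines\n", count_rejected_lines());
    printf("parse 'show version' -> %d, verb=%s arg=%s\n",
           parse_cli_line("show version", &cmd), cmd.verb, cmd.arg);
    return 0;
}
```

The checked version returns an error instead of truncating because silent truncation can turn one command into a different, shorter one; rejecting the line keeps the parser's behaviour predictable and gives the device something concrete to log.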

The following models of Cisco ASA appliances are affected:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

Note: this is a zero-day vulnerability, discovered after the security breach of the Equation Group. The exploit code for this vulnerability was publicly exposed and is referred to as the EPICBANANA exploit.

Mitigation

Update to Cisco ASA Software Releases 8.4.1 and later.

Vulnerable software versions

Cisco ASA 5500: 7.2(5), 8.0(5), 8.2(x), 8.3(x), 8.4(x)

Cisco ASA 5500-X Series: 8.6(x)

Cisco PIX Firewall: -

External links

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-cli
https://blogs.cisco.com/security/shadow-brokers

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can only be exploited locally. The attacker must have valid credentials and successfully authenticate to the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.