HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Have You Remediated the EXTRABACON Vulnerability in your Cisco ASA?

If you use a Cisco Adaptive Security Appliance (ASA) in your organization and have not patched the device to remediate the EXTRABACON vulnerability, the flaw could be exploited by hackers and used to steal ePHI.

On August 13, 2016, a group operating under the name Shadow Brokers released an exploit for EXTRABACON. The vulnerability affects a number of Cisco ASA network security devices and could potentially be used by hackers to gain full control of the devices. Should that happen, it would be possible for a hacker to decrypt VPN traffic, or access internal systems, including those used to store ePHI.

The EXTRABACON vulnerability affects versions 1, 2c, and 3 of the Simple Network Management Protocol (SNMP) in a number of Cisco devices including its ASA, ASAv, Firepower, and PIX Firewall products. The vulnerability could allow attackers to create a buffer overflow and run arbitrary code by sending specially crafted SNMP packets to an SNMP-enabled interface.

In order to exploit the EXTRABACON vulnerability, the attacker would need to have knowledge of a configured SNMP community string or a valid username and password. The exploit is relatively difficult to pull off, but the threat is very real. Security firm SilentSignal has reported that it has been able to modify the published exploit to attack any unpatched ASA device.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

An advisory has been released by Cisco and patched ASA firmware started to be released on August 15; however, organizations have been slow to apply the update and many devices are believed to still be vulnerable. According to security firm Rapid7, tens of thousands of Cisco ASAs remain unpatched. Many more devices could be vulnerable, but researchers at Rapid7 were unable to directly scan for the vulnerability as this would breach US laws.

However, the method used by Rapid7 suggested that at least 28,000 devices in the United States remain unpatched and could be vulnerable, including 20 devices used by a large U.S healthcare organization.

Rapid7 issued a statement saying “EXTRABACON is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy.” They suggested “it would be prudent for most organizations to deploy the patch as soon as they can obtain and test it.”

Cisco has confirmed that the devices susceptible to the EXTRABACON vulnerability are:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 4100 Series
  • Cisco Firepower 9300 ASA Security Module
  • Cisco Firepower Threat Defense Software
  • Cisco Firewall Services Module (FWSM)
  • Cisco Industrial Security Appliance 3000
  • Cisco PIX Firewalls

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.