Extra Bacon? Yes please, even though the Cisco bug of this name is bad for you

Tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit thought to have been cooked up by the United States National Security Agency (NSA).

The "Extra Bacon" exploit was one of many found as part of an Equation Group cache leaked by a hacking outfit calling itself the Shadow Brokers.

Equation Group is thought to be an offensive NSA Tailored Access Operations unit. The leaked exploits and the tools stolen by Shadow Brokers are thought to have come from a compromised command and control staging server.

Cisco has rushed out patches against the Extra Bacon exploit, while researchers extended the attack to compromise more modern ASA units.

Now Rapid 7 engineering duo Derek Abdine and Bob Rudis say tens of thousands of ASA boxes appear still to be exposed to the attack judging by the time of last reboot.

The pair scanned the 50,000 ASA devices Rapid 7 had previously catalogued to find the last time reboot times. About 12,000 refused to provide the information.

Some 10,000 of the 38,000 ASA devices had rebooted within the 15 days since Cisco released its patch, meaning about 28,000 were un-patched.

Those un-patched include four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.

Exploiting Extra Bacon while severe is complex and unreliable, and does not mean all un-patched vulnerable ASA boxes are at high risk. Attackers must reach vulnerable devices through UDP SNMP and know the SNMP community string, and have SSH access.

"Even though there's a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments," Abdine and Rudis say.

"Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it."

The pair caution those organisations which have considered the chance for exploitation to be low to fully understand their exposure. ®