CVE-2016-6367
Published: 18 August 2016
Summary
CVE-2016-6367 is a high-severity Command Injection (CWE-77) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 7.8 (High).
Operationally, ranked in the top 4.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2016-6367 is a command injection vulnerability (CWE-77) in Cisco Adaptive Security Appliance (ASA) Software versions prior to 8.4(1) running on ASA 5500, ASA 5500-X, PIX, and FWSM devices. The flaw, tracked as Bug ID CSCtu74257 and also known as EPICBANANA, permits local users to escalate privileges by submitting specially crafted invalid CLI commands.
A local attacker with low-privileged CLI access can exploit the issue without user interaction to obtain elevated privileges, resulting in full control over confidentiality, integrity, and availability of the affected device. The CVSS 3.1 base score of 7.8 reflects the high impact combined with local attack vector and low attack complexity.
Cisco's security advisory cisco-sa-20160817-asa-cli and related notices direct administrators to upgrade to fixed releases and reference additional context from the Shadow Brokers disclosures. The vulnerability was publicly associated with the 2016 Shadow Brokers leak of NSA-linked exploit tools.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-7290
Vulnerability details
Cisco Adaptive Security Appliance (ASA) Software before 8.4(1) on ASA 5500, ASA 5500-X, PIX, and FWSM devices allows local users to gain privileges via invalid CLI commands, aka Bug ID CSCtu74257 or EPICBANANA.
- CWE(s)
- KEV Date Added
- 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the invalid CLI command injection (CWE-77) that EPICBANANA uses to bypass privilege checks.
Requires prompt patching of ASA software to the fixed release that eliminates the CSCtu74257 flaw.
Limits initial CLI privileges so a successful exploit yields less device control than an unrestricted account.