CVE-2016-6367 — Cisco Adaptive Security Appliance (ASA) CLI Remote Code Execution Vulnerability

CVE-2016-6367

Cisco ASA — Authenticated CLI Parser Vulnerability (EPICBANANA) Enabling Denial of Service or Code Execution; Disclosed Alongside ExtraBacon (CVE-2016-6366); Advisory Published August 2016

What Is Cisco ASA?

Cisco Adaptive Security Appliance (ASA) is the enterprise network firewall platform deployed at the perimeter of thousands of large enterprises, government networks, and service providers. ASA provides firewall, VPN termination, and network access control. Firewall appliances are high-value targets because compromising them provides persistent, privileged access to all traffic traversing the network perimeter.

ASA devices are managed via a command-line interface (CLI) — accessible via SSH, Telnet, or the serial console — that accepts configuration commands. The CLI parser is a critical code component that processes all administrative input.

Overview

Actively Exploited. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on May 24, 2022; federal agencies are required to apply mitigations per BOD 22-01.

CVE-2016-6367 is a vulnerability in the command-line interface (CLI) parser of Cisco ASA Software that allows an authenticated, local attacker to cause a denial-of-service condition or potentially execute arbitrary code by invoking certain invalid CLI commands. Unlike the companion CVE-2016-6366 (ExtraBacon, the unauthenticated SNMP buffer overflow), CVE-2016-6367 requires an existing CLI session on the device, so it functions as a post-authentication escalation or code-execution vector: an attacker holding a low-privilege (operator-level) CLI account can use it to gain full control of the appliance. The Shadow Brokers release of August 2016 contained an exploit for this bug named EPICBANANA. Cisco published advisory cisco-sa-20160817-asa-cli for it on August 17, 2016, the same day as the ExtraBacon advisory (cisco-sa-20160817-asa-snmp). CISA added CVE-2016-6367 to the KEV catalog on May 24, 2022.

Affected Versions

Cisco ASA Software Status
ASA Software releases before the fix (see cisco-sa-20160817-asa-cli); NVD also lists the legacy PIX and FWSM platforms as affected Vulnerable
Fixed ASA Software releases per cisco-sa-20160817-asa-cli Fixed

Consult Cisco's security advisory cisco-sa-20160817-asa-cli for the complete release matrix and the first fixed release for each hardware platform. The ExtraBacon advisory, cisco-sa-20160817-asa-snmp, covers CVE-2016-6366 only and is a separate document; check both when deciding on a target release.

Technical Details

Root Cause: Improper Input Validation in the CLI Parser

CVE-2016-6367 is an input-validation flaw in the Cisco ASA CLI parsing engine; NVD classifies it as CWE-77 (command injection). The ASA CLI accepts configuration and operational commands through administrative sessions. Cisco's advisory states that invoking certain invalid commands on an affected device triggers the flaw, with the following possible outcomes:

  • Memory corruption / code execution — the malformed command corrupts parser state or memory, and Cisco rates the worst case as arbitrary code execution; the advisory does not describe the corruption primitive, so describing it as a specific stack or heap overflow is inference rather than vendor-documented fact
  • DoS condition — the same malformed input can crash the process handling the session or force a device reload
  • Privilege escalation — the ASA CLI has tiered privilege levels (0 through 15, spanning user EXEC, enable mode and configuration mode); code execution from a low-privilege session bypasses those levels entirely and yields system-level control

Attack prerequisites:

  • An authenticated CLI session on the ASA (via SSH, Telnet, or console)
  • Attacker must have some level of CLI access — either stolen credentials, a service account compromise, or access to a management network with connectivity to the ASA management interface

Relationship to ExtraBacon (CVE-2016-6366)

CVE-2016-6367 was disclosed on the same day as CVE-2016-6366 (ExtraBacon SNMP RCE), but in a separate advisory (cisco-sa-20160817-asa-cli rather than cisco-sa-20160817-asa-snmp). Both came out of the Shadow Brokers release, which contained the EXTRABACON and EPICBANANA exploits, and the two chain naturally:

  1. CVE-2016-6366 (ExtraBacon) — unauthenticated, remote exploitation over SNMP; the public exploit was used to disable CLI password checking so the attacker could log in over Telnet or SSH
  2. CVE-2016-6367 (EPICBANANA) — post-authentication exploitation from within the CLI session obtained in step 1 (or with stolen credentials) to gain more privileged and persistent control of the appliance

Attack Characteristics

Attribute Detail
Attack Vector Local (AV:L) — requires authenticated CLI session
Authentication Low-privilege CLI credentials required
Impact DoS (reload) or potential code execution
Target ASA management CLI (SSH/Telnet/console access)
Relationship Post-access escalation companion to CVE-2016-6366

Discovery

The underlying CLI parser defect had been fixed by Cisco in 2011, well before the Shadow Brokers release. It received the identifier CVE-2016-6367 and a public advisory (cisco-sa-20160817-asa-cli) on August 17, 2016, after Cisco matched the EPICBANANA exploit from the August 13, 2016 Shadow Brokers release to the already-fixed bug. The ExtraBacon advisory (cisco-sa-20160817-asa-snmp) was published the same day.

Exploitation Context

  • Post-compromise tool: CVE-2016-6367 is most useful as a second-stage tool after an attacker gains initial CLI access to a Cisco ASA through credential theft, CVE-2016-6366 exploitation, or other means; it provides a mechanism to deepen or persist access once inside the management plane
  • Credential theft from management networks: organizations whose ASA management interfaces are reachable from compromised internal systems are exposed to CVE-2016-6367 through stolen or reused administrator and service-account credentials
  • Shadow Brokers context: the August 2016 Shadow Brokers release contained the EPICBANANA exploit for this bug alongside EXTRABACON; Cisco had fixed the CLI defect in 2011 but only assigned a CVE and published an advisory once the exploit became public
  • Firewall security monitoring: network intrusion detection rarely inspects encrypted SSH sessions to a firewall's management interface, so exploitation is unlikely to be detected on the wire; the ASA's own syslog records of logins, privilege-level changes and executed commands are the practical detection source
  • CISA KEV (2022): added May 24, 2022 alongside CVE-2016-6366
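As an added example (not from the page's sources and not Cisco tooling), the following Python script shows the host-side detection the monitoring bullet points to: it parses ASA syslog messages for logins (605005/605004), privilege-level changes (502103) and executed commands (111008) and flags the trail an attacker using CVE-2016-6367 from a low-privilege account would leave. The allowed management network, the admin account name and the sample log lines are constructed for the example; the message IDs are real ASA message IDs, but the field layout of the constructed lines is only approximate.

```python
"""Flag suspicious ASA CLI activity in exported syslog (added example)."""
import ipaddress
import re
from collections import Counter

# Hypothetical policy values for the example: the only network allowed to reach the
# management interface, the accounts expected to hold privilege 15, and how many
# failed logins from one source/user pair count as a brute-force attempt.
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
ADMIN_USERS = {"netops-admin"}
FAILED_LOGIN_THRESHOLD = 3

# Real ASA message IDs; the sample lines below follow their documented layout only
# approximately and are constructed, not captured from a device.
LOGIN_OK = re.compile(r'%ASA-6-605005: Login permitted from ([^/\s]+)/\d+ to \S+ for user "([^"]+)"')
LOGIN_FAIL = re.compile(r'%ASA-6-605004: Login denied from ([^/\s]+)/\d+ to \S+ for user "([^"]+)"')
PRIV_CHANGE = re.compile(r"%ASA-5-502103: User priv level changed: Uname: (\S+) From: (\d+) To: (\d+)")
CMD_EXEC = re.compile(r"%ASA-5-111008: User '([^']+)' executed the '([^']+)' command")


def from_allowed_net(src):
    """True if the source address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_MGMT_NETS)


def analyze(lines):
    """Return (finding, user, detail) tuples for activity worth an analyst's attention."""
    findings = []
    failures = Counter()
    for line in lines:
        if m := LOGIN_OK.search(line):
            src, user = m.groups()
            if not from_allowed_net(src):
                findings.append(("login_from_unexpected_source", user, src))
        elif m := LOGIN_FAIL.search(line):
            src, user = m.groups()
            failures[(src, user)] += 1
            if failures[(src, user)] == FAILED_LOGIN_THRESHOLD:  # report once per burst
                findings.append(("repeated_login_failures", user, src))
        elif m := PRIV_CHANGE.search(line):
            user, old, new = m.group(1), int(m.group(2)), int(m.group(3))
            if new > old and user not in ADMIN_USERS:
                findings.append(("privilege_escalation_by_non_admin", user, f"{old}->{new}"))
        elif m := CMD_EXEC.search(line):
            user, cmd = m.groups()
            if user not in ADMIN_USERS and cmd.startswith("configure"):
                findings.append(("config_mode_by_non_admin", user, cmd))
    return findings


# Constructed sample: an admin doing routine work, then an operator account that is
# brute-forced from a non-management host, escalated to level 15 and used to enter
# configuration mode.
SAMPLE_LOG = [
    '%ASA-6-605005: Login permitted from 10.10.0.25/51234 to management:10.10.0.1/ssh for user "netops-admin"',
    "%ASA-5-502103: User priv level changed: Uname: netops-admin From: 1 To: 15",
    "%ASA-5-111008: User 'netops-admin' executed the 'configure terminal' command.",
    '%ASA-6-605004: Login denied from 192.168.44.9/40001 to management:10.10.0.1/ssh for user "operator1"',
    '%ASA-6-605004: Login denied from 192.168.44.9/40002 to management:10.10.0.1/ssh for user "operator1"',
    '%ASA-6-605004: Login denied from 192.168.44.9/40003 to management:10.10.0.1/ssh for user "operator1"',
    '%ASA-6-605005: Login permitted from 192.168.44.9/40004 to management:10.10.0.1/ssh for user "operator1"',
    "%ASA-5-502103: User priv level changed: Uname: operator1 From: 3 To: 15",
    "%ASA-5-111008: User 'operator1' executed the 'configure terminal' command.",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

The admin's activity produces no findings; the operator account produces four, which is the point: a privilege-level jump or configuration-mode entry by an account that is not supposed to hold enable access is the signal, regardless of whether the jump came from CVE-2016-6367 or a leaked enable password.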

Remediation

CISA BOD 22-01 Deadline: June 14, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Upgrade to a fixed release — upgrade ASA Software to a fixed release listed in cisco-sa-20160817-asa-cli for your hardware platform, and separately verify that the release is also fixed for CVE-2016-6366 per cisco-sa-20160817-asa-snmp; legacy PIX and FWSM platforms are end-of-life and should be replaced.

  2. Restrict CLI access — permit SSH only on the management interface and only from specific administrator networks (the ASA's ssh <address> <mask> <interface> command does this), disable Telnet, and never expose the management interface to the internet.

  3. Use strong authentication for CLI access — authenticate SSH logins and enable-mode access against TACACS+ or RADIUS with multi-factor authentication, keep local accounts only as a console fallback, and minimize the number of accounts with CLI access.

  4. Apply the principle of least privilege to CLI roles — use ASA privilege levels (and, with TACACS+, command authorization) so each administrator gets only the commands the job requires; operator accounts should not hold privilege 15 or enable-mode access.

  5. Monitor CLI authentication and session logs — send ASA syslog at informational level (the login messages 605004/605005 are severity 6) to a SIEM, and alert on logins from unexpected sources, repeated failures, privilege-level changes and configuration-mode entry by non-administrative accounts.
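Steps 2 through 5 are ASA configuration controls, so the following Python script (an added example, not Cisco code and not part of the advisory) audits a running-config excerpt for them: SSH limited to the management interface with no wildcard source, Telnet off, SSH version 2, AAA for SSH and enable against a TACACS+ group with local fallback, command authorization, remote syslog at informational level or above, and no privilege-15 local accounts outside the admin set. The two config excerpts, the interface name management, the account netops-admin, the AAA group TACACS-SRV and the addresses are constructed for the example; the command syntax is the ASA's own.

```python
"""Audit an ASA running-config excerpt for management-plane hardening (added example)."""
import re

# ASA syslog severity names; the login messages 605004/605005 are severity 6, so the
# trap level must be at least informational for a SIEM to receive them.
LOGGING_LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
                  "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def audit(config_text, mgmt_interface="management", admin_users=frozenset({"netops-admin"})):
    """Return the hardening gaps found in the config; an empty list means every check passed."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(("!", ":"))]
    findings = []

    def first(pattern):
        # First line matching the pattern, as a match object, or None.
        return next((m for l in lines if (m := re.match(pattern, l))), None)

    for l in lines:
        if m := re.match(r"username (\S+) .*\bprivilege (\d+)$", l):
            if int(m.group(2)) == 15 and m.group(1) not in admin_users:
                findings.append(f"priv15_user:{m.group(1)}")
        elif m := re.match(r"telnet (\d[\d.]*) (\S+) (\S+)$", l):
            findings.append(f"telnet_enabled:{m.group(3)}")
        elif m := re.match(r"ssh (\d[\d.]*) (\S+) (\S+)$", l):
            _net, mask, iface = m.groups()
            if mask == "0.0.0.0":
                findings.append(f"ssh_open_to_any:{iface}")
            elif iface != mgmt_interface:
                findings.append(f"ssh_on_non_management_interface:{iface}")

    if not first(r"ssh version 2$"):
        findings.append("ssh_version_2_not_enforced")
    m = first(r"aaa authentication ssh console (\S+)")
    if m is None:
        findings.append("no_aaa_for_ssh")
    elif m.group(1) == "LOCAL":
        findings.append("ssh_auth_local_only")
    m = first(r"aaa authentication enable console (\S+)")
    if m is None or m.group(1) == "LOCAL":
        findings.append("enable_not_backed_by_aaa")
    if not first(r"aaa authorization command \S+"):
        findings.append("no_command_authorization")
    if not first(r"logging enable$"):
        findings.append("logging_disabled")
    if not first(r"logging host \S+ \S+"):
        findings.append("no_remote_syslog")
    m = first(r"logging trap (\S+)$")
    level = -1
    if m:
        level = LOGGING_LEVELS.get(m.group(1), int(m.group(1)) if m.group(1).isdigit() else -1)
    if level < LOGGING_LEVELS["informational"]:
        findings.append("trap_level_below_informational")
    return findings


# Constructed excerpts for this example, not taken from a real device.
WEAK_CONFIG = """\
hostname edge-asa
username netops-admin password ****** encrypted privilege 15
username operator1 password ****** encrypted privilege 15
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.10.0.0 255.255.255.0 management
logging enable
logging trap warnings
"""

HARDENED_CONFIG = """\
hostname edge-asa
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (management) host 10.10.0.50
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL
aaa authorization command TACACS-SRV LOCAL
username netops-admin password ****** encrypted privilege 15
username operator1 password ****** encrypted privilege 3
ssh 10.10.0.0 255.255.255.0 management
ssh version 2
logging enable
logging trap informational
logging host management 10.10.0.60
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

The weak excerpt fails nine checks (a wildcard SSH source on the outside interface, Telnet, a second privilege-15 account, no AAA, no command authorization, no remote syslog, and a trap level that drops the login messages); the hardened excerpt passes all of them. Run the audit against `show running-config` output before and after the change, and keep the admin set in step with whatever TACACS+ group actually grants privilege 15.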

Key Details

Property Value
CVE ID CVE-2016-6367
Vendor / Product Cisco — Adaptive Security Appliance (ASA)
NVD Published 2016-08-18
NVD Last Modified 2026-01-12
CVSS 3.1 Score 7.8
CVSS 3.1 Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity HIGH
CWE CWE-77 — Improper Neutralization of Special Elements used in a Command ('Command Injection')
CISA KEV Added 2022-05-24
CISA KEV Deadline 2022-06-14
Known Ransomware Use No

CVSS 3.1 Breakdown

Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-06-14. Apply updates per vendor instructions.

Timeline

Date Event
2016-08-13 Shadow Brokers publish a set of Equation Group tools including the EXTRABACON (CVE-2016-6366) and EPICBANANA (CVE-2016-6367) ASA exploits
2016-08-17 Cisco releases security advisories cisco-sa-20160817-asa-snmp (CVE-2016-6366) and cisco-sa-20160817-asa-cli (CVE-2016-6367)
2016-08-18 CVE-2016-6367 published by NVD
2022-05-24 Added to CISA Known Exploited Vulnerabilities catalog
2022-06-14 CISA BOD 22-01 remediation deadline