Security experts from Cisco warn of a zero-day vulnerability that is being actively exploited in attacks in the wild.
The flaw, tracked as CVE-2018-15454, affects the Session Initiation Protocol (SIP) inspection engine of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD). The flaw could be exploited by a remote attacker to trigger a DoS condition on the vulnerable device.
“A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.
“The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.”
Experts from Cisco discovered the vulnerability while resolving a Cisco TAC support case.
The following products running ASA 9.4 and above, and FTD 6.0 and later, are affected by the vulnerability:
3000 Series Industrial Security Appliance (ISA)
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
At the time of the disclosure, there is no software update that addresses the flaw, but the company has provided several mitigation options.
A possible mitigation consists of disabling SIP inspection, but this solution is not feasible in many cases because it could interrupt SIP connections.
To disable SIP inspection, configure the following:
ASA Software Releases
policy-map global_policy
 class inspection_default
  no inspect sip
FTD Software Releases
configure inspection sip disable
Another option is to block the offending hosts by using an access control list (ACL) or, alternatively, to shun them using the shun <ip_address> command in EXEC mode. In the latter case, users have to consider that shunning does not persist across reboots.
Cisco also suggests filtering traffic whose ‘Sent-by Address’ header is set to 0.0.0.0, a value associated with the malformed packets that could crash the security appliance.
The last mitigation provided by the tech giant is to implement a rate limit on SIP traffic via the Modular Policy Framework (MPF).
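As an added example (not code from Cisco or from this article), the two indicators above, a Via sent-by address of 0.0.0.0 and a high per-source request rate, can be checked offline over decoded SIP requests, for instance exported from a packet capture. The function names, the 20-requests-per-second threshold and the sample traffic are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque

# Topmost Via value: "SIP/2.0/<transport> <sent-by host>[:port][;params]"
VIA_RE = re.compile(r"^SIP/2\.0/[A-Za-z]+\s+(\[[^\]]+\]|[^;\s:]+)", re.IGNORECASE)

def parse_sip_headers(raw: str) -> dict:
    """Map lowercased header names to their first value; compact 'v' becomes 'via'."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip request line
        if ":" in line:
            name, value = line.split(":", 1)
            name = name.strip().lower()
            headers.setdefault("via" if name == "v" else name, value.strip())
    return headers

def via_sent_by(raw: str):
    """Sent-by host of the topmost Via header, or None if missing or malformed."""
    via = parse_sip_headers(raw).get("via")
    m = VIA_RE.match(via) if via else None
    return m.group(1) if m else None

def flag_sip_traffic(events, window_s=1.0, threshold=20):
    """events: time-ordered (timestamp_s, src_ip, raw_sip_request). Returns
    {src_ip: reasons} for a 0.0.0.0 Via sent-by address or more than `threshold`
    requests in any `window_s`-second sliding window (threshold is assumed)."""
    recent = defaultdict(deque)
    flagged = defaultdict(set)
    for ts, src, raw in events:
        if via_sent_by(raw) == "0.0.0.0":
            flagged[src].add("sent-by 0.0.0.0")
        window = recent[src]
        window.append(ts)
        while ts - window[0] > window_s:  # drop timestamps outside the window
            window.popleft()
        if len(window) > threshold:
            flagged[src].add("high rate")
    return dict(flagged)

def sample_events():
    """Constructed traffic (not captured data): a normal INVITE, one with a
    0.0.0.0 sent-by address, and a 40-request burst from one source."""
    good = ("INVITE sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKa1\r\n"
            "From: <sip:alice@example.com>\r\nTo: <sip:bob@example.com>\r\n"
            "Content-Length: 0\r\n\r\n")
    bad = good.replace("192.0.2.10:5060", "0.0.0.0:5060")
    events = [(0.0, "192.0.2.10", good), (0.1, "198.51.100.7", bad)]
    events += [(0.2 + i * 0.01, "203.0.113.5", good) for i in range(40)]
    return events
```

Running flag_sip_traffic(sample_events()) flags 198.51.100.7 for the 0.0.0.0 sent-by address and 203.0.113.5 for the burst, while the single normal INVITE from 192.0.2.10 is left alone.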
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".