Cisco has revealed about a serious vulnerability that the hackers have already exploited in the wild. As per their disclosure, the Cisco ASA and FTD security software have suffered a SIP inspection vulnerability that allows the attackers to crash the devices running these software. For now, no patches or workarounds are available for the bug, however, Cisco recommends some methods as possible mitigations.
SIP Inspection Vulnerability Targets Cisco Security Tools
Reportedly, Cisco has found a serious security flaw affecting its Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) security software. The vulnerability exists in the Session Initiation Protocol (SIP) inspection engine of these programs. As disclosed by Cisco, the vulnerability has already been exploited by hackers to target Cisco devices.
Describing the flaw in their advisory, Cisco stated,
A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.
The vulnerability exists due to improper SIP traffic handling. To trigger this bug, an attacker can send specially crafted SIP requests “at a high rate across an affected device”.
The Cisco team discovered this vulnerability while addressing a TAC support case. Hence they became aware of the exploitation of this bug by malefactors.
The vulnerability “Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability” (CVE-2018-15454) has received a CVSS base score of 8.6 with a high severity rating.
The CVE-2018-15454 vulnerability affects the devices running vulnerable ASA and FTD versions. These include Cisco ASA Software Release 9.4 and later releases, and Cisco FTD Software Release 6.0 and later. The bug becomes active when SIP inspection is enabled. This is true for both physical and virtual appliances. Affected Cisco products include:
- 3000 Series Industrial Security Appliance (ISA)
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- ASA 5500-X Series Next-Generation Firewalls
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
Presently, no patched update of the affected software or workaround is available for the bug. However, Cisco has suggested some ways to mitigate this vulnerability. This includes disabling the SIP inspection. However, it may break the SIP connections under certain conditions. Besides, users can block the traffic from an attacker’s IP address using the ACL (access control list) or by running the shun <ip_address> command in the EXEC mode.
Another possible mitigation for the flaw includes filtering the IP address 0.0.0.0 for the “sent-by address”, which Cisco has found to exist in case of most exploits. Moreover, users can also simply rate limit the SIP traffic via the Modular Policy Framework (MPF).
Let us know your thoughts in the comments section.