A vulnerability in software running on Cisco’s security devices has been exploited by unknown attackers. The bug can force an affected device to reload, which amounts to a denial-of-service (DoS) condition.
Cisco discovered the issue while handling a support case and is aware of active exploitation in the wild.
Remote attack, no authentication needed
The vulnerability, tracked as CVE-2018-15454, exists in the Session Initiation Protocol (SIP) inspection engine, which is enabled by default in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.
Even when exploitation does not crash or reload the device, it drives CPU usage up, slowing the device down and delaying the tasks it is supposed to be handling.
According to Cisco’s security advisory, the bug can be exploited remotely and requires no authentication. The flaw stems from improper handling of SIP traffic. An attacker could exploit it by sending SIP requests specifically designed to trigger the issue, at a high rate, across an affected device.
Multiple mitigation possibilities
As of now there is no software update to fix the issue but there are numerous mitigation options.
One method is to disable SIP inspection, but this is not practical in many cases, as it could break SIP connections.
Another option is to block traffic from the offending IP addresses with an access control list (ACL), or to use the ‘shun’ command in EXEC mode to drop packets from the attacker’s IP address. The shun, however, is not persistent.
The offending traffic has its ‘Sent-by Address’ header set to 0.0.0.0, which is an invalid value. Matching on this pattern makes it possible to identify the bad packets and drop them before they crash the security appliance.
A last option is to implement a rate limit on the SIP traffic through a Modular Policy Framework (MPF).
Since there is no software update to fix CVE-2018-15454 yet, customers are advised to apply one of the mitigations above.
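As an added illustration (not from the article or from Cisco), the following Python shows how the ‘Sent-by Address’ check described above can be applied when reviewing captured SIP traffic: it parses a message’s headers, extracts the sent-by host from each Via header (including compact `v:` forms, folded lines and IPv6 literals) and flags any message where that host is 0.0.0.0. The sample INVITE messages are constructed for the example, not captured traffic.

```python
import re
from typing import Dict, List, Optional

INVALID_SENT_BY = "0.0.0.0"  # the invalid sent-by value the offending traffic carries
# Via value per RFC 3261: "SIP/2.0/<transport> host[:port];params"
VIA_RE = re.compile(r"^SIP/2\.0/[A-Z]+\s+([^\s;,]+)", re.IGNORECASE)
COMPACT = {"v": "via"}  # compact header form (RFC 3261 section 7.3.3)

def parse_headers(msg: str) -> Dict[str, List[str]]:
    """Header section -> {lowercased name: [values]}; joins folded continuation lines."""
    head = msg.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    last: Optional[str] = None
    for line in head.split("\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t") and last is not None:
            headers[last][-1] += " " + line.strip()  # folded continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed line: ignore rather than fail
        name = name.strip().lower()
        last = COMPACT.get(name, name)
        headers.setdefault(last, []).append(value.strip())
    return headers

def via_sent_by_host(via_value: str) -> Optional[str]:
    """Host part of a Via sent-by field, or None if the value is unparsable."""
    m = VIA_RE.match(via_value.strip())
    if not m:
        return None
    hostport = m.group(1)
    if hostport.startswith("["):  # IPv6 literal such as [2001:db8::1]:5060
        return hostport[1:hostport.find("]")]
    return hostport.split(":", 1)[0]

def has_invalid_sent_by(msg: str) -> bool:
    """True if any Via header in the message carries sent-by host 0.0.0.0."""
    vias: List[str] = []
    for value in parse_headers(msg).get("via", []):
        vias.extend(value.split(","))  # one header line may list several Vias
    return any(via_sent_by_host(v) == INVALID_SENT_BY for v in vias)

# Constructed sample request (not captured traffic); only the Via host differs
BAD_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-constructed\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
GOOD_INVITE = BAD_INVITE.replace("0.0.0.0:5060", "192.0.2.10:5060")
```

Run over a decoded packet capture, `has_invalid_sent_by` gives a quick triage signal; it is not a substitute for the appliance-side ACL, shun or MPF rate limit the advisory describes.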
The following eight products running ASA 9.4 and above, and FTD 6.0 and later, are affected:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)