Unknown attackers have exploited a vulnerability in software running on security hardware products from Cisco. The bug could trigger a restart of the affected devices, the equivalent of a denial-of-service (DoS) condition.

Cisco discovered the problem while addressing a support case and is aware of active exploitation taking place.

Remote attack, no authentication needed

The vulnerability, identified as CVE-2018-15454, is present in the Session Initiation Protocol (SIP) inspection engine turned on by default in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

If crashing and rebooting the appliance is not achieved, the effect of leveraging the vulnerability is high CPU usage, which slows the device down and delays it in handling the tasks at hand.

According to a security advisory from Cisco, the bug can be exploited remotely and does not require authentication.

"The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device," reads the advisory.

Multiple mitigation possibilities

At the moment there is no software update that fixes the problem, but several mitigation options exist.

One solution is to disable SIP inspection, but this is not feasible in many cases, as it could break SIP connections.

Another option is to block the traffic from the offending IP addresses by using an access control list (ACL), or to use the 'shun' command in EXEC mode to stop the packets from the attacker's IP. Unlike modifying the ACL, though, 'shun' is not a persistent method.

Cisco noticed that the offending traffic has the 'Sent-by Address' header set to 0.0.0.0, an invalid value. Admins could use this pattern to identify the bad packets and prevent crashing of the security appliance.

Last on the list of mitigation options is to implement a rate limit on the SIP traffic via the Modular Policy Framework (MPF).

Until a software update with a fix to CVE-2018-15454 emerges, customers are advised to adopt one of the above mitigation solutions.

The following eight products running ASA 9.4 and above, and FTD 6.0 and later, are affected:

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4100 Series Security Appliance
• Firepower 9300 ASA Security Module
• FTD Virtual (FTDv)
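As an added illustration, not code from the article or from Cisco, the following Python checks for the 0.0.0.0 pattern described above: it reads the sent-by host out of each request's top Via header (where RFC 3261 carries the sent-by value) and tallies such requests per source address, so a defender can see which sources an ACL or 'shun' entry should cover. The sample requests and source IPs are constructed for the example.

```python
import re
from collections import Counter

# Matches the top Via header (full or compact "v" form, case-insensitive) and
# captures its sent-by host[:port], which ends at ';', ',' or whitespace.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/\w+\s+([^;,\s]+)",
                    re.IGNORECASE | re.MULTILINE)

def sent_by_host(message):
    """Return the sent-by host of the top Via header (port stripped), or None."""
    m = VIA_RE.search(message)
    if not m:
        return None
    hostport = m.group(1)
    if hostport.startswith("["):            # IPv6 literal, e.g. [2001:db8::1]:5060
        end = hostport.find("]")
        return hostport[1:end] if end > 0 else None
    return hostport.rsplit(":", 1)[0]       # drops ":port" when present

def is_invalid_sent_by(message):
    """True when sent-by is 0.0.0.0, the value Cisco observed in the attack traffic."""
    return sent_by_host(message) == "0.0.0.0"

def flag_sources(samples, threshold):
    """Count invalid-sent-by requests per source IP; return those at or above threshold."""
    counts = Counter(src for src, msg in samples if is_invalid_sent_by(msg))
    return {src: n for src, n in counts.items() if n >= threshold}

def sip_msg(*lines):
    """Join header lines into wire format (CRLF line ends, blank-line terminator)."""
    return "\r\n".join(lines) + "\r\n\r\n"

# Constructed sample traffic: (source IP, raw SIP request). Not real captures.
SAMPLES = [
    ("192.0.2.10", sip_msg("INVITE sip:bob@example.net SIP/2.0",
                           "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK776asdhds",
                           "From: <sip:alice@example.net>;tag=1928301774")),
    ("192.0.2.10", sip_msg("OPTIONS sip:bob@example.net SIP/2.0",
                           "v: SIP/2.0/TCP 0.0.0.0;branch=z9hG4bK77ef4c2312983")),
    ("198.51.100.7", sip_msg("REGISTER sip:example.net SIP/2.0",
                             "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKnashds8")),
    ("203.0.113.5", sip_msg("INVITE sip:bob@example.net SIP/2.0",
                            "Via: SIP/2.0/UDP pbx.example.net:5060;branch=z9hG4bK74bf9")),
    ("203.0.113.6", sip_msg("INVITE sip:bob@example.net SIP/2.0",
                            "Via: SIP/2.0/UDP [2001:db8::1]:5060;branch=z9hG4bKa7c6a8dlze")),
]

if __name__ == "__main__":
    for src, msg in SAMPLES:
        print(src, sent_by_host(msg), "INVALID" if is_invalid_sent_by(msg) else "ok")
    print("sources at or above threshold:", flag_sources(SAMPLES, 2))
```

The threshold is a local choice: in the article's scenario the bad requests arrive at a high rate, so any source repeatedly sending 0.0.0.0 sent-by values is a candidate for the ACL or 'shun' mitigation.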
