Cisco warns of a zero-day DoS flaw that is being actively exploited in attacks

Pierluigi Paganini November 02, 2018

Security experts from Cisco warn of a zero-day vulnerability in ASA and FTD software that is being actively exploited in attacks in the wild.

The flaw, tracked as CVE-2018-15454, affects the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An unauthenticated, remote attacker could exploit it to make a vulnerable device reload or drive its CPU to saturation, resulting in a denial of service (DoS).

“A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.

“The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.”

Cisco discovered the vulnerability while resolving a Cisco TAC support case.

The following products are affected when running ASA Software 9.4 and later or FTD Software 6.0 and later:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)


At the time of disclosure there was no software update that addresses the flaw, but the company provided several mitigation options.

One mitigation is to disable SIP inspection, but this is not feasible in many environments because it can break SIP connections.

To disable SIP inspection, configure the following:

  • ASA Software:
    policy-map global_policy
     class inspection_default
      no inspect sip
  • FTD Software:
    configure inspection sip disable

Another option is to block the offending hosts with an access control list (ACL), or to shun them with the shun <ip_address> command in EXEC mode. In the latter case, note that shuns do not persist across a reboot.

Cisco also observed that the offending traffic carried a Sent-by Address of 0.0.0.0 in the SIP Via header, an invalid value, and suggests filtering on it.

The last mitigation is to rate-limit SIP traffic through the Modular Policy Framework (MPF).
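The three traffic-based mitigations above (shun or ACL the offending hosts, filter on a Sent-by Address of 0.0.0.0, rate-limit SIP) all need the same input: a list of source addresses that are sending abnormal SIP. The following triage script is an added example written for this article, not Cisco code and not a substitute for the on-box configuration. It parses SIP requests, flags those whose Via sent-by host is 0.0.0.0, flags sources exceeding a request rate, and emits the corresponding shun commands. The rate threshold, the window and the SIP messages are constructed assumptions; the threshold in particular must be tuned to the site's legitimate SIP volume.

```python
"""Triage SIP requests for the CVE-2018-15454 mitigations (constructed example).

Input is a list of (timestamp, source_ip, raw_sip_message). Output is the set of
sources worth blocking, with the reason: an invalid Via sent-by address of
0.0.0.0 (the indicator Cisco reported) and/or an excessive request rate.
"""
import re
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Tuple

# RFC 3261 Via header: "Via: SIP/2.0/<transport> <sent-by>;<params>".
# The sent-by value is host[:port]; IPv6 literals are bracketed.
VIA_RE = re.compile(r"^(?:Via|v):\s*SIP/2\.0/\w+\s+([^;\s]+)",
                    re.IGNORECASE | re.MULTILINE)


def strip_port(hostport: str) -> str:
    """Return the host part of a sent-by value, handling host:port and [v6]:port."""
    if hostport.startswith("["):                    # e.g. [2001:db8::1]:5060
        return hostport[1:hostport.index("]")]
    host, sep, port = hostport.rpartition(":")
    return host if sep and port.isdigit() else hostport


def via_sent_by(message: str) -> List[str]:
    """Sent-by hosts of every Via header in a SIP message, top-most first."""
    return [strip_port(hp) for hp in VIA_RE.findall(message)]


def has_zero_sent_by(message: str) -> bool:
    """True if any Via header carries the invalid sent-by address 0.0.0.0."""
    return "0.0.0.0" in via_sent_by(message)


def offending_sources(events: Iterable[Tuple[float, str, str]],
                      max_requests: int, window_seconds: float) -> Dict[str, List[str]]:
    """Map source IP -> sorted reasons for sources that match either indicator.

    A source is rate-flagged once it has sent more than max_requests requests
    inside any sliding window of window_seconds (both values are assumptions).
    """
    reasons = defaultdict(set)
    recent = defaultdict(deque)                     # per-source request timestamps
    for ts, src, msg in sorted(events, key=lambda e: e[0]):
        if has_zero_sent_by(msg):
            reasons[src].add("via sent-by 0.0.0.0")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window_seconds:     # drop timestamps outside the window
            q.popleft()
        if len(q) > max_requests:
            reasons[src].add(f"rate > {max_requests}/{window_seconds}s")
    return {ip: sorted(r) for ip, r in reasons.items()}


def shun_commands(flagged: Dict[str, List[str]]) -> List[str]:
    """ASA EXEC-mode shun commands for the flagged sources (not persistent across reboot)."""
    return [f"shun {ip}" for ip in sorted(flagged)]


def sip_request(method: str, sent_by: str, call_id: str) -> str:
    """Build a minimal, constructed SIP request with a single Via header."""
    return (f"{method} sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {sent_by};branch=z9hG4bK{call_id}\r\n"
            f"From: <sip:alice@example.com>;tag=1\r\n"
            f"To: <sip:bob@example.com>\r\n"
            f"Call-ID: {call_id}@example.com\r\n"
            f"CSeq: 1 {method}\r\n"
            f"Content-Length: 0\r\n\r\n")


# Constructed traffic: a legitimate phone, a flood with sent-by 0.0.0.0, and a
# high-rate scanner with a well-formed Via header (RFC 5737 documentation addresses).
SAMPLE_EVENTS = (
    [(i * 10.0, "192.0.2.10", sip_request("INVITE", "192.0.2.10:5060", f"legit{i}")) for i in range(3)]
    + [(5.0 + i * 0.02, "198.51.100.7", sip_request("INVITE", "0.0.0.0:5060", f"bad{i}")) for i in range(25)]
    + [(6.0 + i * 0.02, "203.0.113.5", sip_request("OPTIONS", "203.0.113.5", f"scan{i}")) for i in range(40)]
)

if __name__ == "__main__":
    flagged = offending_sources(SAMPLE_EVENTS, max_requests=20, window_seconds=1.0)
    for ip, why in flagged.items():
        print(f"{ip}: {', '.join(why)}")
    print("\n".join(shun_commands(flagged)))
```

Running it flags 198.51.100.7 for both indicators and 203.0.113.5 for rate alone, while the legitimate phone at 192.0.2.10 is left untouched. Because shuns are lost on reboot, the output is best treated as input to a persistent ACL or to the MPF policy rather than as the final fix.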


Pierluigi Paganini

(Security Affairs – DoS, hacking)
