Executive Summary: Cisco (ASA) software and Firepower Threat Defence (FTD) have found a zero-day vulnerability correlated with Session Initiation Protocol (SIP) inspection engine. This vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a Denial of Service (DoS) attack. This bug has been abused in the wild however only a limited number of attacks are known.
SIP inspection is enabled by default in both ASA and FTD software, therefore the vulnerability will trigger when SIP traffic is handled improperly. More importantly an attacker can leverage this bug by sending SIP requests which are specifically designed to trigger this issue at a high rate across an affected device. However, there are few Indicators of Compromises (IOCs) that can be observed by looking into large number of incomplete SIP connections. This can be seen by using the output show conn port 5060 and the output of show processes cpu-usage non-zero sorted which will show a high CPU utilization.
This vulnerability has been assigned the reference CVE-2018-15454.
Detect: To determine and check the version of the Cisco ASA and FTD products, issue the following command from CLI:
ciscoasa# show version | include Version
To determine which version of Cisco FTD software is currently running, users with administrative access can issue the command show version from the command line.
Affected Products: The vulnerability affects Cisco ASA software release 9.4 and later and Cisco FTD software release 6.0 and later if SIP inspection is enabled and the software is running on any of the following:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
In addition, there is confirmation that the following Cisco products are not affected:
- ASA 1000V Cloud Firewall
- ASA 5500 Series Adaptive Security Appliances (ASA)
Prevent: There is no update released by the vendor at this time, but there are few mitigation options available that should be carefully implemented to suit the network desires.
- Disable SIP inspection. Customers can block the source IP address seen in the connection table by using and applying Access Control List (ACL) clear conn address <ip_address> command in EXEC mode.
- Block the source/attacker’s IP address traffic.
- Filter on Sent-by Address of 0.0.0.0, malicious traffic that has been observed in attacks until now has also used the 0.0.0.0 IP address for the “Sent-by Address” field, which also makes it easy for companies to filter an attacker’s incoming traffic.
React: Customers should wait for updates released by vendors.