A recently discovered vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software can allow an unauthenticated, remote attacker to cause an affected device to reload or to trigger high CPU utilization, resulting in a denial of service (DoS) condition.
The Masergy Threat Intelligence Team is not aware of any publicly posted proof-of-concept exploit; however, there are reports of this vulnerability being actively exploited.
- CVE-2018-15454 – Cisco ASA and Firepower SIP Denial of Service vulnerability
The vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later.
If one of those software releases is installed and SIP inspection is enabled, the following devices are affected. Note that SIP inspection is on by default (the inspection_default class of the default global_policy includes inspect sip), so a device whose inspection policy has never been tuned should be assumed to be affected:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
CVE-2018-15454 is caused by a flaw in the SIP request parsing code used by the SIP inspection feature on Cisco ASA and FTD devices. By sending SIP requests crafted to trigger the flaw at a high rate through the device, an attacker can drive CPU utilization to 100% or crash the device, which then reloads.
At this time, there are no workarounds that address this vulnerability, but Cisco has provided the following mitigations:
- Disable SIP inspection entirely (this also removes the SIP/SDP NAT fix-ups and RTP pinholes that inspection provides, so only do this if the device does not carry SIP traffic that depends on inspection)
- Block the offending host(s)
- Filter SIP requests whose Via Sent-by address is 0.0.0.0
- Rate-limit SIP traffic using the Modular Policy Framework (MPF)
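The four mitigations above expressed as ASA CLI, added here as an example that is not taken from the Cisco advisory or from the original post. The object names (VIAHEADER, SIP-DROP-BAD-VIA, SIP-SIGNALLING, SIP-RATELIMIT), the interface name outside, the host 192.0.2.10 and the police rate and burst values are assumptions; options 1 and 3 are alternatives, since the second keeps inspection running while dropping the indicator traffic.

```text
! Added example, not from the original post or the Cisco advisory.
! Names, the interface "outside", host 192.0.2.10 and the police values are assumptions.

! 1. Disable SIP inspection (simplest; also stops SIP/SDP NAT fix-up and RTP pinholes)
policy-map global_policy
 class inspection_default
  no inspect sip

! 2. Block an offending host identified in "show conn port 5060" or a capture
!    (shun drops its existing connections and all new ones until "no shun")
shun 192.0.2.10

! 3. Keep SIP inspection, but drop requests whose Via sent-by host is 0.0.0.0.
!    "match message-path" is matched against the Via header; the dots are
!    escaped and the leading space is kept so that 10.0.0.0 does not match.
regex VIAHEADER " 0\.0\.0\.0"

policy-map type inspect sip SIP-DROP-BAD-VIA
 parameters
 match message-path regex VIAHEADER
  drop

policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip SIP-DROP-BAD-VIA

! 4. Rate-limit SIP signalling (TCP/UDP 5060) entering "outside" with MPF policing:
!    conform rate in bit/s, burst in bytes; size these to your legitimate SIP load
access-list SIP-SIGNALLING extended permit udp any any eq 5060
access-list SIP-SIGNALLING extended permit tcp any any eq 5060

class-map SIP-SIGNALLING
 match access-list SIP-SIGNALLING

policy-map SIP-RATELIMIT
 class SIP-SIGNALLING
  police input 1000000 10000

service-policy SIP-RATELIMIT interface outside
```

Policing is applied with an interface service policy rather than in global_policy because the ASA enforces rate limits per interface. On FTD the equivalent commands are deployed through a FlexConfig object from Firepower Management Center. After applying option 3 or 4, re-run show conn port 5060 and show processes cpu-usage non-zero sorted to confirm that the incomplete-connection count and CPU load are falling.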
Affected users should also monitor the Cisco advisory for update announcements so patches can be applied once they are available.
Indicators of Compromise
According to Cisco, when the vulnerability is being leveraged by the attacker, the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization.
In the cases observed by Cisco, the offending traffic has had its Sent-by address (the host in the SIP Via header) set to the invalid value 0.0.0.0. If one of your devices shows a large count of incomplete SIP connections, run a packet capture of the SIP traffic and check whether the requests carry a Sent-by address of 0.0.0.0 to confirm that the device is being targeted.
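To check captured SIP requests for the Sent-by indicator, the following Python is an added example (not code from the original post or from Cisco). It unfolds the headers of a raw SIP message, extracts the sent-by host from every Via entry, covering the compact v: form, folded headers and proxy chains with several entries in one header, and flags the value 0.0.0.0 (and its IPv6 counterpart [::]). The sample requests and the addresses in them are constructed for the example.

```python
import re
from typing import Iterable, List

# Via header, full ("Via:") or compact ("v:") form; the value is parsed separately.
_VIA_RE = re.compile(r"^(?:via|v)\s*:\s*(.*)$", re.IGNORECASE)

# One Via entry: sent-protocol ("SIP/2.0/UDP") then sent-by host[:port].
# The host is a bracketed IPv6 literal, an IPv4 address or a hostname.
_SENT_BY_RE = re.compile(
    r"SIP\s*/\s*2\.0\s*/\s*[A-Za-z]+\s+"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\s:;,]+)"
    r"(?::(?P<port>\d+))?"
)

# Sent-by values that are never valid for a real UA and match the observed IoC.
INVALID_SENT_BY = {"0.0.0.0", "[::]"}


def _headers(msg: bytes) -> List[str]:
    """Return the unfolded header lines of a SIP message (request line and body dropped)."""
    head = msg.split(b"\r\n\r\n", 1)[0].decode("utf-8", errors="replace")
    lines: List[str] = []
    for line in head.split("\r\n")[1:]:
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # RFC 3261 header folding: continuation line
        else:
            lines.append(line)
    return lines


def via_sent_by(msg: bytes) -> List[str]:
    """Sent-by host of every Via entry in the message, top-most entry first."""
    hosts: List[str] = []
    for line in _headers(msg):
        m = _VIA_RE.match(line)
        if not m:
            continue
        for entry in m.group(1).split(","):  # several entries may share one header line
            sb = _SENT_BY_RE.search(entry)
            if sb:
                hosts.append(sb.group("host"))
    return hosts


def has_invalid_sent_by(msg: bytes) -> bool:
    """True when any Via entry carries a sent-by host from INVALID_SENT_BY."""
    return any(host in INVALID_SENT_BY for host in via_sent_by(msg))


def count_suspicious(msgs: Iterable[bytes]) -> int:
    """Number of messages in a capture that match the indicator."""
    return sum(1 for m in msgs if has_invalid_sent_by(m))


# Constructed sample requests (not real captures); addresses are documentation ranges.
SAMPLE_REQUESTS = [
    # benign INVITE from a normal user agent
    b"INVITE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.org>;tag=1928301774\r\n"
    b"To: <sip:bob@example.net>\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n",
    # indicator traffic using the compact header form
    b"INVITE sip:100@203.0.113.7 SIP/2.0\r\n"
    b"v: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK-deadbeef\r\n"
    b"Call-ID: 1\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n",
    # indicator traffic hidden on a folded continuation line
    b"OPTIONS sip:203.0.113.7 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP\r\n"
    b" 0.0.0.0;branch=z9hG4bK-1\r\n"
    b"Call-ID: 2\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Content-Length: 0\r\n\r\n",
    # proxy chain: two Via entries in one header, the originating one invalid
    b"REGISTER sip:203.0.113.7 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 198.51.100.5;branch=z9hG4bKa, SIP/2.0/TCP 0.0.0.0;branch=z9hG4bKb\r\n"
    b"Call-ID: 3\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Content-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, via_sent_by(req), "SUSPICIOUS" if has_invalid_sent_by(req) else "ok")
    print("suspicious messages:", count_suspicious(SAMPLE_REQUESTS))
```

Feed it the TCP/UDP payloads from your own capture (for example exported from the ASA capture command or extracted from a pcap with the dissector of your choice) in place of the sample list. A 0.0.0.0 sent-by on its own is an indicator, not proof of exploitation; weigh it together with the incomplete-connection and CPU symptoms described above.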
Successful exploitation can also cause the affected device to crash and reload. After the device reboots, the output of show crashinfo will show an unknown abort of the DATAPATH thread. If an affected device crashes with that output, contact Cisco TAC with the crash information so they can determine whether the crash is related to exploitation of this vulnerability.
The Masergy Threat Intelligence Team has deployed the following signature(s) across all customers on our Unified Enterprise Security (UES) platform to detect the exploitation of this vulnerability:
EXP:CVE-2018-15454 — A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device. Software updates that address this vulnerability are not yet available.