CISCO warn of a zero-day DoS flaw that is being actively exploited in attacks
3.11.18 securityaffairs
Attack  Vulnerebility

Security experts from CISCO warn of a zero-day vulnerability that is being actively exploited in attacks in the wild.
The flaw, tracked as CVE-18-15454, affects the Session Initiation Protocol (SIP) inspection engine of Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD). The flaw could be exploited by a remote attacker to trigger a DoS condition on the vulnerable device.

“A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.” reads the security advisory published by Cisco.

“The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.”

Experts from Cisco discovered the vulnerability while resolving a Cisco TAC support case.

The following products running ASA 9.4 and above, and FTD 6.0 and later, are affected by the vulnerability:

3000 Series Industrial Security Appliance (ISA)
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
CISCO NX-OS Software

At the time of the disclosure, there is no software update that addresses the flaw, anyway, the company provided several mitigation options.

A possible mitigation consists in disabling the SIP inspection, but this solution is not feasible in many cases because it could interrupt SIP connections.

To disable SIP inspection, configure the following:

ASA Software
policy-map global_policy
class inspection_default
no inspect sip
FTD Software Releases
configure inspection sip disable
Another option is to block the hosts by using an access control list (ACL) or in an alternative offending host can be shunned using the shun <ip_address> command in EXEC mode. In this latter case, users have to consider that shunning does not persist across reboot.

Cisco also suggests filtering on traffic having ‘Sent-by Address’ header set to 0.0.0.0 that is associated with bad packets that could crash the security appliance.

Last mitigation provided by the tech giant is to implement a rate limit on the SIP traffic via the Modular Policy Framework (MPF).