Cisco security appliances under attack, still no patch available

A vulnerability (CVE-2018-15454) affecting a slew of Cisco security appliances, modules and firewalls is being exploited in the wild to crash and reload the devices, the company warned on Thursday.


About CVE-2018-15454

The vulnerability is in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, and allows unauthenticated, remote attackers to cause an affected device to reload or trigger high CPU, resulting in a DoS condition.

“The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device,” Cisco explained.

The list of affected products is considerable:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv).

These devices are vulnerable if they run Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and if they have SIP enabled (it’s enabled in the default configuration).

What to do?

Unfortunately, Cisco has yet to provide security updates that would plug the hole and there are no workarounds that could address it.

Until fixes are provided, administrators can either disable SIP inspection, block traffic from the attack source IP address or, if they confirm that the offending traffic shows the same pattern discovered by Cisco, filter the attack traffic. More details about implementing these mitigations can be found in Cisco’s advisory.

“While the vulnerability described in this advisory is being actively exploited, the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization,” Cisco explained.

“Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread. Customers should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability.”
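The two indicators Cisco names above, many incomplete SIP connections in show conn port 5060 and the source they come from, are easy to triage off-box. The following script is an added example, not code from the article or from Cisco: it parses pasted show conn output, groups port-5060 connections by source address, flags sources with several connections that have carried no payload (a heuristic stand-in for Cisco's "incomplete" state), and renders the ASA access-list deny lines an administrator could merge into the existing inbound ACL once the source is confirmed. The sample output, the line layout the regex expects, the threshold values and the ACL name are all assumptions; check them against your own release's output before relying on the result.

```python
import re
from collections import defaultdict

# Constructed sample of `show conn port 5060` output (not a real capture).
# The layout assumed here is: proto, ingress interface, src:port,
# egress interface, dst:port, idle time, bytes, flags.
SAMPLE_SHOW_CONN = """\
UDP outside 198.51.100.7:5060 inside 10.0.0.20:5060, idle 0:00:01, bytes 0, flags -
UDP outside 198.51.100.7:5061 inside 10.0.0.20:5060, idle 0:00:01, bytes 0, flags -
UDP outside 198.51.100.7:5062 inside 10.0.0.20:5060, idle 0:00:02, bytes 0, flags -
UDP outside 198.51.100.7:5063 inside 10.0.0.20:5060, idle 0:00:00, bytes 0, flags -
UDP outside 203.0.113.9:5060 inside 10.0.0.21:5060, idle 0:01:10, bytes 4210, flags -
"""

# One `show conn` line; the field order is an assumption about common ASA
# output and may need adjusting for a particular software release.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<in_if>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<out_if>\S+)\s+(?P<dst>[\d.]+):(?P<dport>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)"
)


def parse_conns(text):
    """Return a list of dicts, one per recognised connection line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and unrecognised formats
        d = m.groupdict()
        for key in ("sport", "dport", "bytes"):
            d[key] = int(d[key])
        conns.append(d)
    return conns


def find_suspect_sources(conns, min_conns=3, max_bytes=0):
    """Group port-5060 connections by source IP and return those sources
    that hold at least min_conns connections carrying no more than
    max_bytes each. 'No payload yet' is a heuristic for an incomplete
    SIP connection; tune both thresholds to the device's normal load."""
    per_src = defaultdict(int)
    for c in conns:
        if c["dport"] == 5060 and c["bytes"] <= max_bytes:
            per_src[c["src"]] += 1
    return {src: n for src, n in per_src.items() if n >= min_conns}


def access_list_lines(suspects, acl_name="BLOCK_SIP_ABUSE"):
    """Render ASA extended access-list deny entries for the flagged sources.
    The ACL name is a placeholder; the lines are meant to be added to the
    ACL already applied inbound on the ingress interface, not to replace it."""
    return [
        f"access-list {acl_name} extended deny udp host {src} any eq 5060"
        for src in sorted(suspects)
    ]


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_SHOW_CONN)
    suspects = find_suspect_sources(conns)
    for src, n in suspects.items():
        print(f"{src}: {n} empty SIP connections")
    for line in access_list_lines(suspects):
        print(line)
```

The second indicator, high CPU in show processes cpu-usage non-zero sorted, is what should prompt this triage in the first place; the script only helps decide which of the mitigations the article lists (disable SIP inspection, or block or filter the offending source) fits what the device is actually seeing.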
