Recently, Cisco officially released a security advisory to fix a denial-of-service (DoS) vulnerability (CVE-2018-15454) in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The vulnerability exists in the Session Initiation Protocol (SIP) inspection engine used by Cisco ASA and FTD. An unauthenticated remote attacker could exploit it to cause an affected device to reload or to trigger high CPU usage, resulting in a denial of service on the device.
Reference link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
Scope of Impact
This vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled and the software runs on any of the following Cisco products:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
Cisco has confirmed that this vulnerability does not affect the following Cisco products:
- ASA 1000V Cloud Firewall
- ASA 5500 Series Adaptive Security Appliances
3.1 Version Check
Cisco ASA Software Release
The administrator can log in to the device and use the show version command in the CLI to determine which Cisco ASA Software release runs on the device, and based on this, check whether this device is affected by the vulnerability.
If a device is managed by using Cisco Adaptive Security Device Manager (ASDM), the administrator can also determine the Cisco ASA Software release from the release information shown in the Cisco ASDM login window or on the Device Dashboard tab of the Cisco ASDM Home pane.
Cisco FTD Software Release
The administrator can log in to the device and use the show version command in the CLI to determine which Cisco FTD Software release runs on the device, and based on this, check whether this device is affected by the vulnerability.
Vulnerability Exploitation Check
The administrator can log in to the device and use the show conn port 5060 command in the CLI to determine whether this vulnerability is being exploited on the device. If the output of this command shows a large number of incomplete SIP connections and the output of the show processes cpu-usage non-zero command shows high CPU usage, the administrator can confirm exploitation of this vulnerability (CVE-2018-15454).
If the device crashes and boots up again, you can use the following command to obtain the crash information and submit such information to Cisco to determine whether this device crash is related to exploitation of this vulnerability.
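To make the version check (3.1) and the exploitation check above repeatable, here is an added Python triage helper that is not part of the NSFOCUS advisory or of any Cisco tool. It parses the output of show version, show conn port 5060 and show processes cpu-usage non-zero that an operator has pasted into files, decides whether the release falls in the affected range stated above (ASA 9.4 and later, FTD 6.0 and later), counts SIP connections per remote address that have transferred no data, and reports the highest five-second CPU figure. All device outputs in the block are constructed samples that follow the general shape of the ASA CLI; the exact column layout, the position of the remote endpoint in a conn line, the "zero bytes means incomplete" heuristic and the alert thresholds are assumptions you should adjust to your own captures.

```python
"""Triage helper for CVE-2018-15454 on Cisco ASA/FTD (added example, not vendor code).

All CLI outputs below are CONSTRUCTED samples. They follow the general shape of
the ASA CLI but were not captured from a real device; adjust the regexes to
match your own output before relying on them.
"""
import re
from collections import Counter

# Affected starting releases as stated in the advisory. Assumption: no fixed
# upper bound is encoded here, so consult the advisory for fixed releases.
AFFECTED_FROM = {"ASA": (9, 4), "FTD": (6, 0)}

# --- constructed sample outputs -------------------------------------------
SHOW_VERSION_ASA = "Cisco Adaptive Security Appliance Software Version 9.8(2)\n"
SHOW_VERSION_OLD_ASA = "Cisco Adaptive Security Appliance Software Version 9.1(7)\n"

# Assumption: the first endpoint on each line is the remote peer.
SHOW_CONN_5060 = """\
TCP outside 203.0.113.7:40001 inside 192.0.2.10:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.7:40002 inside 192.0.2.10:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.7:40003 inside 192.0.2.10:5060, idle 0:00:02, bytes 0, flags saA
UDP outside 198.51.100.4:5060 inside 192.0.2.10:5060, idle 0:00:10, bytes 1420, flags -
"""

SHOW_CPU = """\
PC         Thread       5Sec     1Min     5Min   Process
0x08a2b1c4 0x7f3c1e2a   92.1%    90.4%    85.0%  DATAPATH-0-2295
0x08a2b1d8 0x7f3c1e30    1.2%     1.0%     0.9%  Logger
"""

VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)")
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+\S+\s+(?P<src>[\d.]+):\d+\s+\S+\s+(?P<dst>[\d.]+):(?P<dport>\d+),"
    r".*?bytes\s+(?P<bytes>\d+)",
    re.M,
)
CPU_RE = re.compile(r"(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\S+)")


def parse_release(text):
    """Return (major, minor) from a show version output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no release string found in show version output")
    return int(m.group(1)), int(m.group(2))


def is_affected_release(product, release):
    """True when the release is at or above the first affected release."""
    return release >= AFFECTED_FROM[product]


def sip_conns_by_source(text, only_empty=True):
    """Count connections to port 5060 per remote address.

    only_empty keeps connections that carried 0 bytes. Assumption: a SIP
    connection that never transferred data is treated as 'incomplete'.
    """
    counts = Counter()
    for m in CONN_RE.finditer(text):
        if m.group("dport") != "5060":
            continue
        if only_empty and int(m.group("bytes")) != 0:
            continue
        counts[m.group("src")] += 1
    return counts


def max_cpu_5sec(text):
    """Highest 5-second CPU percentage across listed processes."""
    return max((float(m.group(1)) for m in CPU_RE.finditer(text)), default=0.0)


def assess(version_text, product, conn_text, cpu_text,
           conn_threshold=100, cpu_threshold=80.0):
    """Combine the three checks into one verdict (thresholds are assumptions)."""
    release = parse_release(version_text)
    affected = is_affected_release(product, release)
    counts = sip_conns_by_source(conn_text)
    total = sum(counts.values())
    top_src, top_n = counts.most_common(1)[0] if counts else (None, 0)
    cpu = max_cpu_5sec(cpu_text)
    return {
        "release": release,
        "affected_release": affected,
        "incomplete_sip_conns": total,
        "top_source": top_src,
        "top_source_conns": top_n,
        "cpu_5sec_max": cpu,
        "likely_exploited": affected and total >= conn_threshold and cpu >= cpu_threshold,
    }


if __name__ == "__main__":
    # Low threshold only so the tiny constructed sample produces a verdict.
    print(assess(SHOW_VERSION_ASA, "ASA", SHOW_CONN_5060, SHOW_CPU, conn_threshold=3))
```

In practice, feed assess() the three outputs collected from the device and keep the default thresholds high enough that normal SIP trunk churn does not trigger them; the per-source counter is also what identifies the address to block in section 4.2.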
4.1 Disabling SIP Inspection
Disabling SIP inspection can prevent hazards caused by this vulnerability. You can run the following commands to disable SIP inspection respectively for Cisco ASA and FTD:
Note: Disabling SIP inspection disables the SIP service on the device. Therefore, you must verify in advance that doing so does not affect normal service operation.
4.2 Blocking the Offensive Host
Users can use an access control list (ACL) to block traffic from a specific source IP address. After the ACL is applied, be sure to run the following command in EXEC mode to clear existing connections from that source.
Users can also block all packets from that source IP address by using the following command to shun the offending host in EXEC mode. However, remember that this configuration is lost upon reboot.
4.3 Detecting Sent-by Address of 0.0.0.0
The attack traffic has been found to have the Sent-by address set to the invalid value 0.0.0.0. The administrator should confirm whether similar attack traffic exists in the network. Once such traffic is found, the administrator can apply the following configuration to prevent the crash:
In FTD 6.2 or later, use Cisco Firepower Management Center (FMC) to add this configuration with the FlexConfig policy.
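To confirm whether traffic with a Sent-by address of 0.0.0.0 is present in a SIP capture before applying the configuration above, here is an added Python check that is not part of the advisory or of any Cisco product. It extracts the sent-by host and port from every Via header of a SIP request (long and compact "v:" forms, comma-separated values, folded continuation lines and bracketed IPv6 hosts included) and flags any entry whose host is 0.0.0.0. The two SIP messages in the block are constructed samples; the default-port rule (5061 for TLS, otherwise 5060) follows RFC 3261 and is the only behaviour not taken from the page.

```python
"""Flag SIP messages whose Via sent-by address is 0.0.0.0 (added example, not vendor code).

The SIP messages below are CONSTRUCTED samples written for this check.
"""
import re

INVALID_SENT_BY = {"0.0.0.0"}  # the invalid value named in the advisory

VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*(.*)$", re.I | re.M)
# sent-by = host [":" port] right after the transport token, e.g. SIP/2.0/UDP 0.0.0.0:5060
SENT_BY_RE = re.compile(
    r"SIP/2\.0/(?P<transport>[A-Z]+)\s+(?P<host>\[[^\]]+\]|[^;:\s,]+)(?::(?P<port>\d+))?"
)

# Constructed request carrying the invalid sent-by address.
INVITE_BAD = "\r\n".join([
    "INVITE sip:bob@192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: <sip:alice@203.0.113.7>;tag=1928301774",
    "To: <sip:bob@192.0.2.10>",
    "Call-ID: a84b4c76e66710@example.invalid",
    "CSeq: 314159 INVITE",
    "Content-Length: 0",
]) + "\r\n\r\n"

# Constructed benign request: long and compact Via forms, a folded line, an IPv6 host.
INVITE_GOOD = "\r\n".join([
    "INVITE sip:bob@192.0.2.10 SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.7;branch=z9hG4bK1",
    "v: SIP/2.0/TCP [2001:db8::1]:5060",
    " ;branch=z9hG4bK2",  # folded continuation of the previous header line
    "Max-Forwards: 69",
    "From: <sip:alice@203.0.113.7>;tag=1928301774",
    "To: <sip:bob@192.0.2.10>",
    "Call-ID: b61c9a2e3f0d@example.invalid",
    "CSeq: 1 INVITE",
    "Content-Length: 0",
]) + "\r\n\r\n"


def _headers(message):
    """Return the header block with folded lines unfolded and CRLF normalised."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)  # RFC 3261 line folding
    return head.replace("\r\n", "\n")


def via_entries(message):
    """List (transport, host, port) for every Via value in the message, top-most first."""
    entries = []
    for m in VIA_RE.finditer(_headers(message)):
        for value in m.group(1).split(","):
            s = SENT_BY_RE.search(value.strip())
            if not s:
                continue  # malformed value: skip rather than guess
            transport = s.group("transport").upper()
            default_port = 5061 if transport == "TLS" else 5060  # RFC 3261 defaults
            port = int(s.group("port")) if s.group("port") else default_port
            entries.append((transport, s.group("host"), port))
    return entries


def invalid_sent_by(message):
    """Return the Via entries whose sent-by host is an invalid address such as 0.0.0.0."""
    return [e for e in via_entries(message) if e[1] in INVALID_SENT_BY]


def scan(messages):
    """Indexes of messages that carry an invalid sent-by address."""
    return [i for i, msg in enumerate(messages) if invalid_sent_by(msg)]


if __name__ == "__main__":
    for name, msg in (("bad", INVITE_BAD), ("good", INVITE_GOOD)):
        print(name, via_entries(msg), "-> flagged" if invalid_sent_by(msg) else "-> ok")
```

Run it over the SIP payloads of a packet capture taken on the outside interface; a non-empty result from scan() is the evidence that justifies the Sent-by filtering configuration, and the offending peers can then be handled as in section 4.2.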
Restricting SIP Traffic
This vulnerability can be mitigated by setting a rate limit on SIP traffic using the Modular Policy Framework (MPF). For any assistance in implementing an MPF policy, please contact Cisco technical support.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.