Connect with us

Hacker News Vulnerability

Attackers are Exploiting A Vulnerability To Restart Cisco Security Apps

Hacker News Malware

Emotet Malware Makes a Comeback with Fresh Attacks After Three Months of Silence

Hacker News Vulnerability

Lazarus Group Found Exploiting Zero-Day Vulnerabilities in Latest Cyber Attack

Hacker News

Chinese hackers develop new custom backdoor to evade detection

Hacker News

Hackers are exploiting vulnerabilities in containerized environments

Hacker News

Play Ransomware Group Brags About Disruptive Attack on City of Oakland

Hacker News

Chinese State-Sponsored Hacking Group APT31 Targets European Organizations

Hacker News Vulnerability

Researchers Uncover New Security Vulnerabilities in TPM 2.0 Library

Data Breaches Hacker News

Dark Web Marketplace Bidencash Leaks 2 Million Stolen Credit Cards for Free

Hacker News

White Hat Hacking Does Pay: Pwn2Own Shells Out 980,000 in Rewards

Hacker News

Attackers are Exploiting A Vulnerability To Restart Cisco Security Apps

Published

5 years ago

on

Attackers are Exploiting A Vulnerability To Restart Cisco Security Apps

Cisco has discovered a vulnerability that allows restarts on their security hardware products, essentially returning a state of a denial-of-service (DoS) . They have confirmed that the vulnerability is being actively exploited by attackers. The identity of these attackers is yet unknown.

The vulnerability

The vulnerability (CVE-2018-15454) can be exploited remotely, so the attackers could be executing this attack from anywhere in the world. The bug works by exploiting the Session Initiation Protocol (SIP) inspection engine that is switched on by default within their security and threat defence software.

If the attackers are not successful in achieving the reboot, the high CPU will cause the device to slow dramatically, rendering it unable to perform regular tasks.

Pre-fix Workarounds

Cisco has not released a fix for the vulnerability, although they are likely working on one. However, they have released details of workarounds to prevent attacks. One obvious fix they suggest is turning off the SIP inspection because the exploit relies on this to work, however, this isn’t a viable option for most companies.

Other options include blocking the attackers IP addresses by updating the access control list (ACL), however, this may be time-consuming if the attackers continually update their IP addresses; a second option is using the “Sent-by-Address” header which is set to an invalid value to catch the attacks before they shut down the security software. Lastly, users can implement a rate limit on SIP traffic to stop the attack in its tracks. Cisco recommends users adopt one of the above mitigations while waiting for a fix.

The products below running ASA 9.4 and above, and FTD 6.0 and later, are affected:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

 

Related Topics:

Technology Enthusiast with a keen eye on the Cyberspace, Entrepreneur, Ethical Hacker

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *