Cisco has discovered a vulnerability that allows restarts on their security hardware products, essentially returning a state of a denial-of-service (DoS) . They have confirmed that the vulnerability is being actively exploited by attackers. The identity of these attackers is yet unknown.
The vulnerability (CVE-2018-15454) can be exploited remotely, so the attackers could be executing this attack from anywhere in the world. The bug works by exploiting the Session Initiation Protocol (SIP) inspection engine that is switched on by default within their security and threat defence software.
If the attackers are not successful in achieving the reboot, the high CPU will cause the device to slow dramatically, rendering it unable to perform regular tasks.
Cisco has not released a fix for the vulnerability, although they are likely working on one. However, they have released details of workarounds to prevent attacks. One obvious fix they suggest is turning off the SIP inspection because the exploit relies on this to work, however, this isn’t a viable option for most companies.
Other options include blocking the attackers IP addresses by updating the access control list (ACL), however, this may be time-consuming if the attackers continually update their IP addresses; a second option is using the “Sent-by-Address” header which is set to an invalid value to catch the attacks before they shut down the security software. Lastly, users can implement a rate limit on SIP traffic to stop the attack in its tracks. Cisco recommends users adopt one of the above mitigations while waiting for a fix.
The products below running ASA 9.4 and above, and FTD 6.0 and later, are affected:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)