Cisco Security Appliance Zero-Day Found Actively Exploited in the Wild

Attackers are actively exploiting a zero-day vulnerability in certain Cisco security products, to cause a denial-of-service (DoS) condition.

The as-yet-unpatched flaw (CVE-2018-15454) has an 8.6 CVSS score and is rated high-severity. It exists in the Session Initiation Protocol (SIP) inspection engine of Cisco’s Adaptive Security Appliance (ASA) software, and in the Cisco Firepower Threat Defense (FTD) software. It allows an unauthenticated, remote attacker to cause an affected device to reload, or it could trigger high CPU usage – both resulting in a DoS state.

DoS states in security appliances are, of course, a positive development if you’re a cyberattacker looking to penetrate enterprise networks. This essentially takes out the guards ahead of storming the castle.

According to an advisory from the networking giant, the vulnerability is due to “improper handling of SIP traffic.” SIP is a networking protocol used to carry IP traffic across local-area and wide-area networks – mostly for voice, video and messaging applications but also hardware-appliance traffic. SIP inspection meanwhile provides address translation in message headers and bodies, the dynamic opening of ports, and supports application security and protocol conformance. In other words, it carries out a cornucopia of real-time tasks.

The problem is that unusually high volumes of traffic can essentially fluster the inspection engine by giving it too much to do. Thus, an attacker could exploit this vulnerability by sending high rates of SIP requests specifically designed to overwhelm an affected device and take it offline.

Cisco said that it has seen campaigns in the wild leveraging the flaw, and offered advice for determining if one’s network is under attack. During a campaign, “the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization,” it explained. “Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread.”

The vulnerability affects Cisco ASA Software Release 9.4 (and later) and Cisco FTD Software Release 6.0 (and later) if SIP inspection is enabled (which is the default state). Any the following Cisco products running the software are vulnerable: The 3000 Series Industrial Security Appliance (ISA); ASA 5500-X Series Next-Generation Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance (ASAv); Firepower 2100 and 4100 Series Security Appliances; Firepower 9300 ASA Security Module; and FTD Virtual (FTDv).

Cisco said that a patch is forthcoming, but didn’t specify when – and there are also no known workarounds. Fortunately, businesses can take action via a handful of mitigations in the meantime.

These include disabling SIP inspection completely, which will automatically close the attack vector. However, this would break SIP connections in a number of cases, such as when network address traversal is required, or if not all ports required for SIP communication are opened, according to Cisco.

If disabling the engine altogether is not appropriate, businesses also can block traffic from the specific source IP address that appears to be sending the offending traffic, using an access control list (ACL). Alternatively, the offending host can be shunned using the shun <ip_address> command in EXEC mode, thus blocking all packets from that source IP without the need for a configuration change. However, it should be noted that Cisco said that an attacker could exploit the vulnerability using spoofed IP packets, so it’s not always possible to pinpoint the source.

A third option has to do with address filtering. “In observed cases, the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0,” Cisco explained. If an administrator confirms that the offending traffic shows the same pattern, he or she can reconfigure the appliance to block the address.

The vulnerability can also be mitigated by implementing a rate limit on SIP traffic, using the Modular Policy Framework (MPF). This will place a threshold on the amount of tasks the inspection engine is asked to perform.