This is an advisory on a recent Cisco zero-day vulnerability that is being exploited in the wild to crash devices.
PUBLISH DATE: 02-11-2018
A zero-day vulnerability has been found in the Session Initiation Protocol (SIP) inspection engine of Cisco's ASA and FTD software. The vendor has released an advisory stating that the vulnerability is being exploited in the wild. No software updates are available; however, Cisco has provided mitigation guidance.
A zero-day vulnerability has been found in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An unauthenticated, remote attacker can exploit the vulnerability to cause an affected device to reload, or to cause a Denial of Service (DoS) condition by driving CPU usage high.
Researchers found that the vulnerability is caused by improper handling of SIP traffic. An attacker can trigger it by sending specially crafted SIP requests across an affected device at a high rate.
The vendor has released an advisory stating that the vulnerability has been exploited in the wild to crash and reload devices.
Because SIP inspection is enabled by default in all ASA and FTD software packages, a large number of Cisco devices are believed to be vulnerable.
No software updates are available that address this issue.
Cisco confirmed that the following products are affected if they run ASA 9.4 and later, or FTD 6.0 and later:
• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4100 Series Security Appliance
• Firepower 9300 ASA Security Module
• FTD Virtual (FTDv)
Cisco suggests that device owners take precautions to avoid having their equipment crashed. The mitigation guidance consists of the following measures.
• Device owners are advised to disable SIP inspection.
• Once device owners track down and identify an attacker's IP address, they should block traffic from that IP address using the ASA and FTD traffic filtering features.
• Cisco states that the malicious traffic seen in these attacks so far has used the 0.0.0.0 IP address in the "Sent-by Address" field. Using this information, firms can filter an attacker's incoming traffic.
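The last two measures above amount to a small detection-and-filtering procedure: parse the topmost Via header of each SIP request, pull out its sent-by host, flag requests whose sent-by address is 0.0.0.0, count them per source IP, and turn the sources that exceed a rate threshold into block-list entries. The script below is an added example written for this advisory, not code from Cisco or from the original page. The sample traffic, the threshold of 3, the ACL name OUTSIDE_IN and the helper names are all constructed assumptions; the ACL line it emits uses the standard ASA extended ACL form, but the name must match the ACL already applied inbound on the device's outside interface.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Topmost Via header (long "Via:" or compact "v:" form, RFC 3261). Group 1 is the
# sent-by value: host, optionally followed by ":port".
VIA_RE = re.compile(
    r"^(?:Via|v)\s*:\s*SIP/2\.0/[A-Z]+\s+([^;\s,]+)",
    re.IGNORECASE | re.MULTILINE,
)


def _msg(first_line: str, via: str) -> str:
    """Build a minimal SIP message (constructed sample, not a real capture)."""
    return f"{first_line}\r\n{via}\r\nContent-Length: 0\r\n\r\n"


# Constructed sample traffic: (source IP seen on the wire, raw SIP message).
SAMPLE_TRAFFIC: List[Tuple[str, str]] = (
    # One host sends four requests, all claiming a 0.0.0.0 sent-by address.
    [("198.51.100.7", _msg("INVITE sip:bob@example.com SIP/2.0",
                           f"Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK{i}"))
     for i in range(4)]
    # A single 0.0.0.0 request (compact "v:" header): below the rate threshold.
    + [("203.0.113.5", _msg("OPTIONS sip:pbx.example.com SIP/2.0",
                            "v: SIP/2.0/TCP 0.0.0.0;branch=z9hG4bK9"))]
    # A legitimate request with a real sent-by address.
    + [("192.0.2.20", _msg("INVITE sip:bob@example.com SIP/2.0",
                           "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bKab"))]
    # A response echoing a 0.0.0.0 Via: responses are not counted, only requests.
    + [("192.0.2.20", _msg("SIP/2.0 200 OK",
                           "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK1"))]
)


def is_request(message: str) -> bool:
    """SIP responses start with 'SIP/2.0 <code>'; anything else is a request."""
    return not message.lstrip().upper().startswith("SIP/")


def sent_by_host(message: str) -> Optional[str]:
    """Return the host part of the sent-by field of the topmost Via header, or None."""
    match = VIA_RE.search(message)
    if not match:
        return None
    sent_by = match.group(1)
    if sent_by.startswith("["):  # IPv6 reference such as [2001:db8::1]:5060
        return sent_by[1:sent_by.index("]")] if "]" in sent_by else None
    return sent_by.split(":", 1)[0]  # strip the optional port


def find_flood_sources(traffic: List[Tuple[str, str]], threshold: int = 3,
                       bogus_host: str = "0.0.0.0") -> List[str]:
    """Source IPs that sent at least `threshold` requests with the bogus sent-by host."""
    counts: Counter = Counter()
    for src_ip, message in traffic:
        if is_request(message) and sent_by_host(message) == bogus_host:
            counts[src_ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def asa_block_acl(ips: List[str], acl_name: str = "OUTSIDE_IN") -> List[str]:
    """Render ASA extended ACL deny lines for the given sources.

    Assumption: acl_name is a placeholder for the ACL already bound inbound on
    the outside interface; only the deny entries are produced here.
    """
    return [f"access-list {acl_name} extended deny ip host {ip} any" for ip in ips]


if __name__ == "__main__":
    offenders = find_flood_sources(SAMPLE_TRAFFIC, threshold=3)
    print("sources to block:", offenders)
    for line in asa_block_acl(offenders):
        print(line)
```

The rate threshold matters: a single request with a 0.0.0.0 sent-by address can be a misconfigured but harmless client, whereas the attack described above relies on a high request rate, so blocking is keyed to repeated offenders. The script covers only the address-based measures; disabling the inspection engine itself is a one-line change on ASA (`no inspect sip` under class `inspection_default` in `policy-map global_policy`), which is the standard ASA CLI form rather than text from this advisory.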
If you think you are the victim of a cyber-attack, immediately send an email to email@example.com for a quick response.