REWTERZ THREAT ADVISORY – CVE-2018-15454 – Cisco zero-day exploited to crash devices and cause Denial of Service

This is an advisory on a recent zero-day vulnerability of Cisco, that’s
being exploited in the wild to crash devices.

IMPACT: NORMAL

PUBLISH DATE: 02-11-2018

OVERVIEW

A zero-day vulnerability is found in the Session Initiation Protocol (SIP) inspection engine of Cisco’s ASA and TFD
software. The vendor released an advisory about the vulnerability being exploited in the wild. No software updates are available. However, Cisco has given out some mitigation guidelines.

ANALYSIS

A zero-day vulnerability has been found in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive
Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Exploiting the vulnerability, an unauthenticated, remote attacker can reload an affected device. The attacker can also cause a Denial of Service (DoS) condition by triggering high CPU.

Researchers found out that improper handling of SIP traffic causes the vulnerability. The vulnerability can be triggered by sending specially designed SIP requests to trigger this issue at a high rate across an affected device.
The vendor has released an advisory informing that the vulnerability has been exploited in the wild to crash and reload devices.

Because SIP inspection is enabled by default in all ASA and FTD software packages, a large number of Cisco devices are believed to be vulnerable.

No software updates are available that address this issue.

AFFECTED PRODUCTS

Cisco confirmed that the following products are affected if they run ASA 9.4 and later, or FTD 6.0 and later:

3000 Series Industrial Security Appliance (ISA)

ASA 5500-X Series Next-Generation Firewalls

ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers

Adaptive Security Virtual Appliance (ASAv)

Firepower 2100 Series Security Appliance

Firepower 4100 Series Security Appliance

Firepower 9300 ASA Security Module

FTD Virtual (FTDv)

MITIGATION

Cisco suggests that device owners should take some precautions to avoid getting their equipment crashed. These
mitigation techniques involve the following measures.

• Device owners are advised to disable SIP inspection.

• Once device owners track and identify an attacker’s IP address, they should block traffic from that IP address
using the ASA and FTD traffic filtering systems.

• Cisco claims that the malicious traffic associated with these attacks until now has used the 0.0.0.0 IP address for
the “Sent-by Address” field. Using this information, firms can easily filter an attacker’s incoming traffic.

If you think you are a victim of a cyber-attack. Immediately send an email to soc@rewterz.com for a quick response