Cisco has provided mitigations for the actively exploited high-severity SIP vulnerability (CVE-2018-15454) that impacts multiple Cisco products.
As we reported on Thursday, Cisco had released a security advisory for a high-severity zero-day vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco's Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. Successful exploitation causes a denial of service on the affected system or service.
Although no patches are available yet, Cisco did provide some short-term mitigations that can be applied now. Four options are described in the advisory updated on Friday.
Option 1: Disable SIP Inspection
“Disabling SIP inspection will completely close the attack vector for this vulnerability. However, it may not be suitable for all customers. In particular, disabling SIP inspection would break SIP connections if either NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL.”
Option 2: Block the Offending Host(s)
“Customers can block traffic from the specific source IP address seen in the connection table using an access control list (ACL). After applying the ACL, make sure to clear existing connections for that source using the clear conn address <ip_address> command in EXEC mode.”
Option 3: Filter on Sent-by Address of 0.0.0.0
Administrators can make configuration changes to prevent crashes, since "the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0." See the advisory for the detailed regex configuration that can be applied.
Option 4: Rate Limit SIP Traffic
“This vulnerability can also be mitigated by implementing a rate limit on SIP traffic using the Modular Policy Framework (MPF). The implementation of these policies will differ depending on the deployment specifics and implementation choices made in each environment. Customers who need assistance implementing an MPF policy should contact the Cisco TAC or their Advanced Services (AS) representative for assistance.”
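The four options above expressed as ASA CLI configuration, added here as an illustration and not taken from Cisco's advisory or products: the interface name outside, the ACL, class-map and policy-map names, the 192.0.2.10 source address and the police rates are assumptions, and the option 3 regex syntax is an assumed form that should be replaced with the advisory's exact configuration. The options are alternatives; apply the one that fits the deployment rather than all four.

```cisco
! Option 1: disable SIP inspection in the default global policy.
! Only viable where SIP traffic is not NATed and every port SIP needs
! is already permitted by ACL; otherwise SIP calls will break.
policy-map global_policy
 class inspection_default
  no inspect sip
!
! Option 2: block the offending source seen in the connection table.
! 192.0.2.10 is a placeholder from the documentation range, not a real IoC.
access-list OUTSIDE_IN extended deny ip host 192.0.2.10 any
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
! Then, from EXEC mode, tear down connections that already exist:
! clear conn address 192.0.2.10
!
! Option 3: drop SIP messages whose Via sent-by address is 0.0.0.0
! (assumed syntax; use the regex and policy published in the advisory).
regex SENTBY_ZERO "0\.0\.0\.0"
policy-map type inspect sip SIP_FILTER
 match message-path regex SENTBY_ZERO
  drop
policy-map global_policy
 class inspection_default
  inspect sip SIP_FILTER
!
! Option 4: rate-limit SIP traffic with the Modular Policy Framework.
! Conform rate (bits/s) and burst (bytes) are assumed values to size per site.
access-list SIP_TRAFFIC extended permit udp any any eq 5060
access-list SIP_TRAFFIC extended permit tcp any any eq 5060
class-map SIP_CLASS
 match access-list SIP_TRAFFIC
policy-map OUTSIDE_POLICY
 class SIP_CLASS
  police input 1000000 10000
  police output 1000000 10000
service-policy OUTSIDE_POLICY interface outside
```

After applying any option, verify with show conn and show service-policy that SIP flows are being handled as intended before leaving the change in place.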