Cisco zero-day exploit affects ASA and FTD software

Cisco zero-day exploit affects ASA and FTD software

Cisco has released a security advisory for a high severity zero-day denial of service (DOS) vulnerability that impacts Cisco’s Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software. 

There were no patches or workarounds yet available, as stated in the initial Cisco advisory as of Thursday.

An excerpt of the threat from the Cisco update

“A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.”

The vulnerability (CVE-2018-15454) is due to improper handling of SIP traffic:

“An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.” 

According to Cisco, the vulnerability impacts Cisco ASA Software Release 9.4 and later versions, as well as Cisco FTD Software Release 6.0 and later if SIP inspection is enabled and running.

SIP runs by default in all ASA and FTD software packages and subsequently affects a large number of products to include:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv).

On Friday, Cisco did provide some short term mitigations that could be applied. Four options were made available by Cisco as described in the updated advisory on Friday. 

Option 1: Disable SIP Inspection

“Disabling SIP inspection will completely close the attack vector for this vulnerability. However, it may not be suitable for all customers. In particular, disabling SIP inspection would break SIP connections if either NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL.”

Option 2: Block the Offending Host(s)

“Customers can block traffic from the specific source IP address seen in the connection table using an access control list (ACL). After applying the ACL, make sure to clear existing connections for that source using the clear conn address <ip_address> command in EXEC mode.”

Option 3: Filter on Sent-by Address of

Administrators can make configuration changes in order to prevent crashes when “the offending traffic has been found to have the Sent-by Address set to the invalid value of” See the advisory for detailed regex configuration changes that can be applied.

Option 4: Rate Limit SIP Traffic

“This vulnerability can also be mitigated by implementing a rate limit on SIP traffic using the Modular Policy Framework (MPF). The implementation of these policies will differ depending on the deployment specifics and implementation choices made in each environment. Customers who need assistance implementing an MPF policy should contact the Cisco TAC or their Advanced Services (AS) representative for assistance.”