Cisco zero-day exploited in the wild to crash and reload devices

The Cisco security team has revealed earlier the existence of a zero-day vulnerability affecting products that run Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

The vulnerability has been exploited in the wild, according to a security advisory the company published a few hours ago. No patches are available at the time of writing.

Cisco says it discovered the vulnerability, and the active attacks, while its staff was answering a support case.

The vulnerability, which Cisco is tracking as CVE-2018-15454, resides in the Session Initiation Protocol (SIP) inspection engine of ASA and FTD software.

Cisco says CVE-2018-15454 "could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition."

Because SIP inspection is enabled by default in all ASA and FTD software packages, a large number of Cisco devices are believed to be vulnerable. Cisco has already confirmed that the following products are affected if they run ASA 9.4 and later, or FTD 6.0 and later:

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4100 Series Security Appliance
• Firepower 9300 ASA Security Module
• FTD Virtual (FTDv)

Until Cisco ships ASA and FTD software updates to address with this vulnerability, Cisco has provided three mitigations that devices owners can take and prevent a remote attacker from crashing their equipment.

The most obvious one is for device owners to disable SIP inspection. Second, if device owners have managed to identify an attacker's IP address, they can block traffic from that IP using the ASA and FTD traffic filtering systems at their disposal.

Furthermore, Cisco says that malicious traffic that has been observed in attacks until now has also used the 0.0.0.0 IP address for the "Sent-by Address" field, which also makes it easy for companies to filter an attacker's incoming traffic.

Step-by-step information on how to configure these mitigations, but also on how to determine if an ASA or FTD device has been hit by CVE-2018-15454 are available in Cisco's advisory.

ZDNet understands that this vulnerability is not yet exploited en masse but in a limited number of attacks.

RELATED COVERAGE:

• Twelve malicious Python libraries found and removed from PyPI
• Windows Defender becomes first antivirus to run inside a sandbox
• New security flaw impacts most Linux and BSD distros
• Microsoft Windows zero-day disclosed on Twitter, again
• Magecart group leverages zero-days in 20 Magento extensions
• Zero-day in popular jQuery plugin actively exploited for at least three years
• That VPNFilter botnet the FBI wanted us to help kill? It's still alive CNET
• Cisco updates ASR 9000 edge routing platform to carry users to 5G TechRepublic