Cisco zero-day exploited in the wild to crash and reload devices

No patch available yet. Vulnerability affects devices running ASA 9.4+ and FTD 6.0+ software.

[Image: Cisco ASA appliance] Image source: Cisco // Edited: ZDNet

The Cisco security team has disclosed a zero-day vulnerability affecting products that run Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

The vulnerability has been exploited in the wild, according to a security advisory the company published a few hours ago. No patches are available at the time of writing.

Cisco says it discovered the vulnerability, and the active attacks, while its staff was answering a support case.

The vulnerability, which Cisco is tracking as CVE-2018-15454, resides in the Session Initiation Protocol (SIP) inspection engine of ASA and FTD software.

Cisco says CVE-2018-15454 "could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition."

Because SIP inspection is enabled by default in all ASA and FTD software packages, a large number of Cisco devices are believed to be vulnerable. Cisco has already confirmed that the following products are affected if they run ASA 9.4 and later, or FTD 6.0 and later:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

Until Cisco ships ASA and FTD software updates that address this vulnerability, Cisco has provided three mitigations that device owners can apply to prevent a remote attacker from crashing their equipment.

The most obvious one is for device owners to disable SIP inspection. Second, if device owners have managed to identify an attacker's IP address, they can block traffic from that IP using the ASA and FTD traffic filtering systems at their disposal.

Furthermore, Cisco says that the malicious traffic observed in attacks so far has used the 0.0.0.0 IP address in the SIP "Sent-by Address" field, which also makes it easy for companies to filter an attacker's incoming traffic.
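As an added illustration (not code from Cisco or from the advisory), the following detector extracts the sent-by address of every Via header in a SIP message, which is the field the "Sent-by Address" indicator refers to (RFC 3261: `Via: SIP/2.0/UDP host[:port];params`), and flags messages carrying the 0.0.0.0 value Cisco reported; the SIP messages and function names are constructed for this example.

```python
import re
from typing import List

# Constructed sample: an INVITE whose Via sent-by address is 0.0.0.0 (the
# indicator Cisco reported) and a benign copy with an ordinary address.
SUSPICIOUS_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKabc123\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: 1@example.com\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_INVITE = SUSPICIOUS_INVITE.replace("0.0.0.0:5060", "198.51.100.7:5060")

# Matches the full ("Via") and compact ("v") header names, case-insensitively.
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*(.*)$", re.IGNORECASE)


def sent_by_addresses(sip_message: str) -> List[str]:
    """Return the sent-by host of every Via header value in a SIP message.

    Several Via values may be comma-separated on one line, and the host
    may carry a port and be an IPv4 address, a name or a bracketed IPv6.
    """
    headers, _, _ = sip_message.replace("\r\n", "\n").partition("\n\n")
    hosts = []
    for line in headers.split("\n")[1:]:  # skip the request/status line
        m = VIA_RE.match(line)
        if not m:
            continue
        for value in m.group(1).split(","):
            parts = value.strip().split(None, 1)  # "SIP/2.0/UDP", "host:port;..."
            if len(parts) != 2:
                continue
            sent_by = parts[1].split(";", 1)[0].strip()  # drop Via parameters
            if sent_by.startswith("["):  # IPv6 literal: [addr]:port
                host = sent_by[1:sent_by.find("]")]
            else:  # IPv4 or hostname, optional :port
                host = sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by
            hosts.append(host)
    return hosts


def matches_sent_by_indicator(sip_message: str) -> bool:
    """True when any Via sent-by address is 0.0.0.0, the observed indicator."""
    return "0.0.0.0" in sent_by_addresses(sip_message)
```

Run over captured SIP traffic destined for an ASA/FTD, a hit is a reason to apply the advisory's traffic filter rather than proof of exploitation on its own.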

Step-by-step instructions for configuring these mitigations, and for determining whether an ASA or FTD device has been hit by CVE-2018-15454, are available in Cisco's advisory.

ZDNet understands that this vulnerability is not yet being exploited en masse, but only in a limited number of attacks.
