A vulnerability in handling of Session Initiation Protocol (SIP) traffic by Cisco devices has been disclosed. CVE-2018-15454 has been assigned to track this vulnerability. Cisco has released advisory cisco-sa-20181031-asaftd-sip-dos to address this issue, it ha rated this issue as a high priority. The vulnerability affects a range of Cisco products if SIP inspection is enabled. Please refer to the advisory for detailed list of affected products.
This vulnerability is being exploited in the wild. An unauthenticated remote attacker can exploit this vulnerability by sending crafted SIP packets against the target device, upon successful exploitation an attacker can carry out DoS attack. The attacker can cause the target to reload or trigger high CPU usage and even crash the device. It has been observed that attacks are carried over port 5060 with abnormal no.of incomplete SIP connections. A device that has crashed due to this attack will report “an unknown abort of the DATAPATH thread”.
Mitigation
We request organizations to apply the latest patches from Cisco to address CVE-2018-15454. If immediate patching is not possible please consider the following mitigation steps as applicable. Please refer to the advisory for configuration. The attacks may still be carried out via IP spoofing.
– Disable SIP Inspection
– Block traffic to and from known malicious IP addresses.
– Filter traffic to exclude packets with Sent-by Address set to 0.0.0.0.
– Throttling SIP traffic using Modular Policy Framework (MPF) can also be considered as a mitigation technique.
Qualys Detection
Qualys customers can scan their network with QID: 316351 to detect vulnerable devices. The QID retrieves firmware version via Unix Auth using “show version” command.
Please continue to follow Qualys Threat Protection for information on vulnerabilities.
References
CVE-2018-15454
Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability