Threat Response: Zero Day Vulnerability in Cisco ASA/FTD Appliances

01-11-2018

Yesterday evening Cisco published a vulnerability report regarding the Cisco Adaptive Security Appliance (ASA) and the Cisco Firepower Threat Defense (FTD)[1]. Because some of our clients are actively using these appliances, we want to inform you about the risks.

If you are running a Cisco ASA or FTD device, we advise you to read this message carefully and apply one of the mitigations outlined below.

Description

The vulnerability has been identified in software that inspects SIP (Session Initiation Protocol) packets. SIP is primarily used for VoIP (Voice over IP) solutions. The attack can be performed by an unauthenticated, remote attacker, without special privileges. By sending large amounts of specially crafted SIP packets to a vulnerable device, a Denial-of-Service attack can be performed, with the effect that normal traffic cannot be processed by the affected device. If Internet traffic is exclusively being routed through the appliance, this may cause a temporary loss of Internet connectivity.

The vulnerability is known to be present in Cisco ASA Software Release 9.4 and up, as well as in Cisco FTD Software Release 6.0 and up. The following list of devices is specified by Cisco as being vulnerable, provided SIP inspection is turned on:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

Risk

Because the appliances described above are, in most cases, Internet-facing, and because the vulnerability is relatively easy to exploit, resulting in a (temporary) loss of Internet connectivity, we classify the risk of this vulnerability as high. In their advisory, Cisco has mentioned that they have seen this vulnerability being actively exploited, which further increases the risk.

At this moment, we do not have any indications that an exploit is publicly available. However, when an exploit is published, there will be a high probability that this exploit will be used on a broad scale.

Mitigation

Cisco has not yet released a patch for the software running on the appliances, and therefore there is no definitive solution yet. There are possible mitigations to decrease the risk temporarily:

1. Turn off SIP inspection on the appliance

Turning off SIP inspection on the appliance fully mitigates the vulnerability, and is the best option if SIP traffic is not present in your network. However, this solution has some major downsides:

  • If Network Address Translation (NAT) is being applied on SIP traffic, SIP traffic will not be possible anymore
  • If not all ports for SIP traffic are enabled by an ACL, SIP traffic will also not be possible anymore

Because of these disadvantages, it is very important to check whether SIP traffic is being used in your network and under which circumstances this is done.

2. Filter SIP traffic with the ‘Sent-By Address’ header being ‘0.0.0.0’

Cisco has observed that traffic exploiting this vulnerability has an incorrect value of ‘0.0.0.0’ in the ‘Sent-By Address’ field of the SIP packet. Blocking traffic containing this header can prevent the exploit from being successful. Note, however, that attacks may use a different value in this field, so the device can still be attacked even with this mitigation in place.
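One way to check captured SIP messages for this indicator on the monitoring side, as an added example that is not part of the original advisory or of Cisco's guidance. It assumes the ‘Sent-By Address’ corresponds to the sent-by host of the SIP Via header (RFC 3261); the function names are hypothetical and the sample messages are constructed.

```python
import re

# Via header name or its compact form "v" (header names are case-insensitive).
VIA_RE = re.compile(rb"^(?:via|v)[ \t]*:[ \t]*(.*)$", re.IGNORECASE)
# One Via value: SIP/2.0/<transport> <sent-by>[;params]
VALUE_RE = re.compile(rb"^SIP\s*/\s*2\.0\s*/\s*\w+\s+([^;\s,]+)", re.IGNORECASE)

def _strip_port(sent_by: str) -> str:
    if sent_by.startswith("[") and "]" in sent_by:   # IPv6 reference, e.g. [::1]:5060
        return sent_by[1:sent_by.find("]")]
    return sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by

def via_sent_by_hosts(message: bytes) -> list[str]:
    """Return the sent-by host of every Via value in a raw SIP message."""
    head = message.split(b"\r\n\r\n", 1)[0]
    # Unfold continuation lines (header lines that start with whitespace).
    head = re.sub(rb"\r\n[ \t]+", b" ", head)
    hosts = []
    for line in head.split(b"\r\n")[1:]:          # skip the request/status line
        m = VIA_RE.match(line)
        if not m:
            continue
        for value in m.group(1).split(b","):      # several Via values may share a line
            v = VALUE_RE.match(value.strip())
            if v:
                hosts.append(_strip_port(v.group(1).decode("ascii", "replace")))
    return hosts

def has_null_sent_by(message: bytes) -> bool:
    """True if any Via sent-by host is 0.0.0.0 (the value named in the advisory)."""
    return "0.0.0.0" in via_sent_by_hosts(message)

# Constructed sample messages (not captured traffic).
BENIGN = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
          b"To: <sip:bob@example.com>\r\n\r\n")
FLAGGED = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
           b"v: SIP/2.0/UDP 198.51.100.7;branch=z9hG4bK1,\r\n"
           b"   SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK2\r\n"
           b"To: <sip:bob@example.com>\r\n\r\n")

if __name__ == "__main__":
    for name, msg in (("BENIGN", BENIGN), ("FLAGGED", FLAGGED)):
        print(name, via_sent_by_hosts(msg), has_null_sent_by(msg))
```

A match is an indicator worth investigating; the absence of a match does not show that a device is not being attacked, for the reason given above.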

What does Northwave do?

The Indicators of Compromise (IoCs) that are related to this vulnerability will be added to the Northwave Detection Platform when they become available.

If you need additional information you can call us by phone or send us an email.

Phone number: 030-3031244
E-mail: soc@northwave.nl

Sources

[1] https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

[2] https://nvd.nist.gov/vuln/detail/CVE-2018-15454

[3] https://www.ncsc.nl/dienstverlening/response-op-dreigingen-en-incidenten/beveiligingsadviezen/NCSC-2018-0976+1.00+Kwetsbaarheid+in+Cisco+Adaptive+Security+Appliance.html

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.