Vulnerability in Cisco Security Appliances Exploited in the Wild

Delaware, USA – November 2, 2018 – Cisco discovered a zero-day vulnerability in Adaptive Security Appliance and Firepower Threat Defense (CVE-2018-15454) that was actively exploited by unknown attackers to trigger a restart of the devices. The vulnerability in the Session Initiation Protocol inspection engine allows attackers to cause an affected device to reload or trigger high CPU, resulting in a denial of service condition. The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device. While the CVE-2018-15454 vulnerability is being actively exploited, the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization. Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread.

There is no software update that fixes the problem, but you can disable SIP inspection to mitigate this issue. Also you can discover malicious traffic and block it. Cisco noticed that the offending traffic has the ‘Sent-by Address’ header set to 0.0.0.0, an invalid value, so you can use this pattern to discover attack and prevent crashing of the security appliance.
Read full Cisco Security Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
Monitor network data flows with a SIEM system to timely detect suspicious traffic spikes and deviations: https://my.socprime.com/en/integrations/netflow-security-monitor-hpe-arcsight