Allows unauthenticated remote attackers to trigger DoS

Oct 31, 2018 17:56 GMT  ·  By

Cisco has disclosed an actively exploited denial of service (DoS) vulnerability in the Session Initiation Protocol (SIP) inspection engine of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software.

The security issue could allow a remote, unauthenticated attacker to "cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition."

As detailed in Cisco's advisory, the flaw stems from improper handling of SIP traffic by the inspection engine. An attacker exploits it by sending SIP requests crafted to trigger the issue at a high rate across an affected device. Because the inspection engine processes transit traffic, the attacker does not have to address the firewall itself; it is enough that the crafted SIP traffic passes through it.

According to Cisco, the vulnerability (CVE-2018-15454) affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later, provided SIP inspection is enabled.

Since SIP inspection is enabled by default in both Cisco Adaptive Security Appliance and Firepower Threat Defense software, any device running these releases is vulnerable in its default configuration unless SIP inspection has been explicitly disabled.

There are no software updates that fix this actively exploited ASA and FTD DoS vulnerability

The following products are listed as affected in Cisco's advisory: 3000 Series Industrial Security Appliance (ISA), ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module, and FTD Virtual (FTDv).

Moreover, at the time of writing Cisco has released no software updates and has identified no workarounds that address this security issue.

Cisco does, however, list mitigations that reduce exposure, and they are worth applying promptly, since the "Cisco Product Security Incident Response Team (PSIRT) has become aware of active exploitation of the vulnerability that is described in this advisory."

On vulnerable products running Cisco ASA and FTD software, Cisco recommends three mitigations: blocking or shunning the offending host, disabling the SIP inspection feature, or filtering SIP traffic whose Via header carries a Sent-by Address of 0.0.0.0. Blocking a host only helps once the source has been identified and does nothing against a new source, and disabling SIP inspection also removes the NAT fix-ups and dynamic media pinholes that SIP inspection provides, so legitimate VoIP traffic through the firewall may stop working. Filtering on the 0.0.0.0 Sent-by Address is therefore the least disruptive option where it matches the observed attack traffic.
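The three mitigations above, written out as ASA CLI configuration. This is an added example reconstructed from Cisco's Modular Policy Framework (MPF) syntax, not configuration copied from the advisory or this article. The source address 192.0.2.10 (documentation range), the ACL name outside_access_in, the regex name VIA_ZERO and the policy-map name SIP_DROP_ZERO_VIA are placeholders.

```cisco
! Added example: ASA CLI for the three mitigations the article lists.
! 192.0.2.10, outside_access_in, VIA_ZERO and SIP_DROP_ZERO_VIA are
! placeholders, not values taken from the advisory.

! 1. Block or shun the host sending the offending SIP traffic.
!    "shun" drops new and existing connections from that source at once but
!    does not survive a reload, so back it with an ACL entry and clear the
!    connections the ACL does not tear down on its own.
shun 192.0.2.10
access-list outside_access_in line 1 extended deny ip host 192.0.2.10 any
clear conn address 192.0.2.10

! 2. Disable SIP inspection in the default global policy.
!    Caveat: the firewall then stops opening RTP pinholes and rewriting
!    embedded addresses for SIP through NAT, so legitimate VoIP may break.
policy-map global_policy
 class inspection_default
  no inspect sip

! 3. Alternative to 2: keep SIP inspection but drop requests whose Via
!    header (the Sent-by Address) is 0.0.0.0. In SIP inspection policy maps
!    "match message-path" matches the Via header.
regex VIA_ZERO "0\.0\.0\.0"
policy-map type inspect sip SIP_DROP_ZERO_VIA
 match message-path regex VIA_ZERO
  drop
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip SIP_DROP_ZERO_VIA

! Verify which SIP inspection policy is in force and whether it is dropping,
! and confirm the shun is active.
show service-policy inspect sip
show shun
```

Options 2 and 3 are alternatives: applying option 3 re-enables SIP inspection under the custom policy map, so choose one. Watch the drop counters from `show service-policy inspect sip` after applying option 3; if the attack traffic is not using a 0.0.0.0 Sent-by Address, the counters will not move and option 1 or 2 is needed instead.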