Attackers are actively exploiting a vulnerability in software that Cisco uses in its hardware security products. The bug can cause affected devices to restart, temporarily taking them out of operation. Cisco became aware of the vulnerability when one of its customers contacted it asking for help.
The vulnerability, tracked as CVE-2018-15454, is located in the Session Initiation Protocol (SIP) inspection engine, which is enabled by default. If exploitation does not cause the device to restart, processor load rises sharply and the result is long delays in its operation. According to a Cisco expert, the vulnerability can be exploited either locally or remotely, and no authentication is required.
"The vulnerability is due to poor management of SIP traffic. An attacker can exploit the vulnerability by sending multiple SIP requests specifically modified to take advantage of the security vulnerability."
So far, Cisco has not released an update that fixes the problem, but there are workarounds. One option is to disable SIP inspection completely, but this is not feasible in all cases, because it creates a new problem: it breaks all SIP connections.
The Cisco team observed that all of the malicious traffic carried the address 0.0.0.0 in the Sent-by Address field, an address that cannot be reached. Network administrators can therefore create a pattern that detects such packets and drops them.
Until Cisco releases a security update for CVE-2018-15454, customers should rely on one of the two workarounds above.
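As an added illustration of the second workaround (this is not code from the original article or from Cisco), the following Python snippet parses the Via headers of a SIP message and flags any message whose sent-by host is 0.0.0.0. The two SIP requests are constructed samples, and the header unfolding follows RFC 3261 rather than any Cisco-specific parser.

```python
import re

# Constructed sample SIP requests (not real captures); only the Via headers matter here.
BENIGN = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Length: 0\r\n\r\n"
)
SUSPECT = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "v: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKnashds8,\r\n"   # compact Via form, sent-by 0.0.0.0
    "    SIP/2.0/TCP 192.0.2.4;branch=z9hG4bK77ef4c2312983.1\r\n"  # folded continuation line
    "Call-ID: deadbeef\r\n"
    "Content-Length: 0\r\n\r\n"
)

# One Via value looks like "SIP/2.0/<transport> <sent-by>;params"; capture the sent-by token.
VIA_VALUE = re.compile(r"SIP/2\.0/[A-Za-z]+\s+([^;\s,]+)")

def unfold_headers(msg):
    """Yield (name, value) from the header block, joining folded lines (RFC 3261 7.3.1)."""
    head = msg.split("\r\n\r\n", 1)[0]
    merged = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        if line[:1] in (" ", "\t") and merged:   # continuation of the previous header
            merged[-1] += " " + line.strip()
        else:
            merged.append(line)
    for line in merged:
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip().lower(), value.strip()

def via_sent_by_hosts(msg):
    """Host part of every sent-by value in the Via headers, topmost first."""
    hosts = []
    for name, value in unfold_headers(msg):
        if name in ("via", "v"):
            for sent_by in VIA_VALUE.findall(value):
                if sent_by.startswith("["):              # IPv6 literal: [addr]:port
                    hosts.append(sent_by[1:sent_by.index("]")])
                else:
                    hosts.append(sent_by.split(":", 1)[0])
    return hosts

def matches_indicator(msg):
    """True when any Via sent-by host is 0.0.0.0, the indicator Cisco reported."""
    return "0.0.0.0" in via_sent_by_hosts(msg)
```

A message that matches should be dropped before it reaches the SIP inspection engine; logging the match count also gives a simple signal that the exploitation attempts described above are ongoing.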
Devices that have been confirmed to be vulnerable are:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)