Cisco Zero-day Exploited in the Wild to Crash and Reload Devices (Nov 1, 2018)
Cisco Talos researchers have reported a zero-day vulnerability in the Session Initiation Protocol (SIP) inspection engine that affects Cisco products running "Adaptive Security Appliance" (ASA) and "Firepower Threat Defense" (FTD) software. This vulnerability, registered as "CVE-2018-15454," allows an unauthenticated remote attacker to force a device to reload or to trigger high CPU usage, resulting in a Denial-of-Service (DoS) condition. Several Cisco devices have been observed to be affected by this vulnerability, mainly products that run ASA 9.4 and later versions or FTD 6.0 and later versions. This vulnerability has already been exploited in the wild in a limited number of attacks. At the time of this writing, no security patch had been released.
Recommendation: While Cisco works on a security patch for this vulnerability, it has given three suggestions for what users can do to mitigate exploitation. Firstly, device owners should disable SIP inspection. Secondly, if device owners can identify a malicious IP address, they can block traffic from that IP using the ASA and FTD traffic filtering systems. Lastly, Cisco notes that most of the malicious activity exploiting this vulnerability uses the IP address 0.0.0.0 as the "Sent-by Address" (the sent-by field of the SIP Via header), so users can filter incoming traffic and block that address.
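The third mitigation above relies on spotting SIP traffic whose Via sent-by address is 0.0.0.0. The following Python script is an added example, not code from Cisco or from this advisory, showing how that indicator can be extracted from SIP messages in a packet capture or SIP-server log, for example to confirm whether such traffic is reaching an appliance before the inspection policy is changed. The SIP messages it scans are constructed samples, and the function names (`via_sent_by_hosts`, `suspicious_sent_by`, `scan`) are my own choices; the only indicator it uses is the 0.0.0.0 sent-by address named in the text.

```python
import re
from typing import List, Sequence, Tuple

# Constructed sample SIP requests (not real captures). Message 0 is a normal
# INVITE; message 1 carries the 0.0.0.0 sent-by address described in the
# advisory; message 2 uses the compact "v:" form with two Via values.
SAMPLE_MESSAGES = [
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n",
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK0000\r\n"
    "From: <sip:x@example.net>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: deadbeef\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n",
    "OPTIONS sip:proxy.example.com SIP/2.0\r\n"
    "v: SIP/2.0/TCP 198.51.100.7;branch=z9hG4bKaaa, SIP/2.0/UDP 0.0.0.0;branch=z9hG4bKbbb\r\n"
    "Call-ID: 42\r\n"
    "CSeq: 2 OPTIONS\r\n"
    "Content-Length: 0\r\n\r\n",
]

# Sent-by addresses the advisory associates with exploitation attempts.
SUSPICIOUS_SENT_BY = ("0.0.0.0",)

# "SIP/2.0/<transport> <sent-by>" where sent-by ends at ';', ',' or whitespace.
VIA_RE = re.compile(r"SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<sentby>[^;,\s]+)")


def parse_headers(message: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for the SIP header section.

    Header names are lower-cased, the compact form "v" is mapped to "via",
    and folded continuation lines are joined onto the previous header.
    """
    head = message.split("\r\n\r\n", 1)[0]
    headers: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if not line:
            continue
        if line[0] in " \t" and headers:  # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        if name == "v":
            name = "via"
        headers.append((name, value.strip()))
    return headers


def via_sent_by_hosts(message: str) -> List[str]:
    """Extract the sent-by host from every Via value, with any port removed."""
    hosts: List[str] = []
    for name, value in parse_headers(message):
        if name != "via":
            continue
        for part in value.split(","):  # one Via header may hold several values
            match = VIA_RE.search(part)
            if not match:
                continue
            host = match.group("sentby")
            if host.startswith("["):            # bracketed IPv6 literal
                host = host[1:host.index("]")]
            elif host.count(":") == 1:          # host:port
                host = host.split(":")[0]
            hosts.append(host)
    return hosts


def suspicious_sent_by(message: str,
                       suspicious: Sequence[str] = SUSPICIOUS_SENT_BY) -> List[str]:
    """Return the sent-by hosts of this message that match the indicator list."""
    return [h for h in via_sent_by_hosts(message) if h in suspicious]


def scan(messages: Sequence[str],
         suspicious: Sequence[str] = SUSPICIOUS_SENT_BY) -> List[int]:
    """Return the indices of messages carrying a suspicious Via sent-by address."""
    return [i for i, m in enumerate(messages) if suspicious_sent_by(m, suspicious)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_MESSAGES):
        print(f"message {idx}: suspicious sent-by {suspicious_sent_by(SAMPLE_MESSAGES[idx])}")
```

Running the script reports messages 1 and 2, the two constructed samples with a 0.0.0.0 sent-by address. On the appliance itself the corresponding mitigation is the configuration change Cisco describes, removing `inspect sip` from the inspection policy or filtering on the sent-by address; the script is only for checking traffic or logs off-box.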
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.