Cisco’s security team revealed earlier this year that products running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software had a zero-day vulnerability. Now it appears that this vulnerability has been abused in the wild. There are no patches for the problem yet.

The vulnerability and the active attacks were discovered while Cisco staff were handling a customer support case. The vulnerability, tracked as CVE-2018-15454, lies in the Session Initiation Protocol (SIP) inspection engine of the ASA and FTD software.

The vulnerability allows a remote attacker to make an affected device reload or to drive its CPU utilization up, resulting in a denial-of-service (DoS) condition. SIP inspection is enabled by default in all ASA and FTD software, which makes a large number of Cisco devices vulnerable. The following products are affected if they run ASA 9.4 or newer, or FTD 6.0 or newer:

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4100 Series Security Appliance
  • Firepower 9300 ASA Security Module
  • FTD Virtual (FTDv)

Measures

The company has published three mitigations that device owners can apply to stop an attacker from crashing their hardware. One is to disable SIP inspection. If an owner can identify the attacker’s IP address, traffic from that address can be blocked with the ASA and FTD traffic-filtering features.

Cisco further notes that the malicious traffic observed in the attacks has also used the IP address 0.0.0.0 in the SIP “Sent-by Address” field, which makes it straightforward to filter incoming traffic from an attacker.
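The 0.0.0.0 indicator described above, as an added Python example that is not part of the article or of Cisco's advisory: it parses the topmost Via header of a SIP request (the header that carries the sent-by address) and flags the unspecified address. The sample messages are constructed, not captured traffic.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample SIP requests (not captured traffic). The second carries
# the invalid 0.0.0.0 sent-by address the article says appeared in the attack
# traffic; the first is a well-formed request for comparison.
SAMPLE_NORMAL = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_SUSPECT = SAMPLE_NORMAL.replace("192.0.2.10:5060", "0.0.0.0:5060")

# Via may appear in its compact form "v:" (RFC 3261).
_VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*(.*)$", re.IGNORECASE)

def sent_by_address(message: str) -> Optional[str]:
    """Return the sent-by host of the topmost Via header, or None if absent.

    RFC 3261 Via syntax: "SIP/2.0/<transport> <host>[:port];<params>".
    """
    headers = message.partition("\r\n\r\n")[0]
    for line in headers.split("\r\n")[1:]:          # [0] is the request line
        m = _VIA_RE.match(line)
        if not m:
            continue
        value = m.group(1).split(",", 1)[0]          # first entry if comma-joined
        parts = value.split(None, 1)
        if len(parts) != 2:
            return None                              # malformed Via
        host_port = parts[1].split(";", 1)[0].strip()
        if host_port.startswith("[") and "]" in host_port:   # IPv6 literal
            return host_port[1:host_port.index("]")]
        return host_port.rsplit(":", 1)[0] if host_port.count(":") == 1 else host_port
    return None

def is_suspect_sent_by(message: str) -> bool:
    """True when the sent-by host is the unspecified address (0.0.0.0 or ::)."""
    host = sent_by_address(message)
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False                                 # hostname, not an IP literal
```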

The company’s security advisory contains instructions on how to configure these measures and how to determine whether a device has been affected.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.