A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition, Cisco officials said.
The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.
The Cisco Product Security Incident Response Team (PSIRT) said there is active exploitation of the vulnerability.
Software updates that address this vulnerability are not yet available. In addition, there are no workarounds that address this vulnerability. However, mitigation options that address this vulnerability are available.
The vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled and the software is running on any of the following Cisco products:
• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4100 Series Security Appliance
• Firepower 9300 ASA Security Module
• FTD Virtual (FTDv)
SIP inspection is enabled by default in Cisco ASA Software and Cisco FTD Software (Cisco's documentation on default application inspection policies lists the default settings).
To determine which Cisco ASA Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and refer to the output of the command.
If a device is managed by using Cisco Adaptive Security Device Manager (ASDM), administrators can also determine which release is running on a device by referring to the release information in the table that appears in the Cisco ASDM log in window or the Device Dashboard tab of the Cisco ASDM Home pane.
To determine which Cisco FTD Software release is running on a device, administrators can log in to the device, use the show version command in the CLI, and refer to the output of the command.
If the vulnerability described in this advisory is being actively exploited, the output of show conn port 5060 will show a large number of incomplete SIP connections, and the output of show processes cpu-usage non-zero sorted will show high CPU utilization.
Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread. Customers should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability.
Some mitigation options include:
1. Disabling SIP inspection will completely close the attack vector for this vulnerability.
2. The user can block traffic from the specific source IP address seen in the connection table using an access control list (ACL).
3. Offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0. If an administrator confirms that the offending traffic shows the same pattern in their environment, the following configuration can help prevent the crash:
regex VIAHEADER "0.0.0.0"
policy-map type inspect sip P1
 parameters
 match message-path regex VIAHEADER
  drop
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip P1
4. This vulnerability can also be mitigated by implementing a rate limit on SIP traffic using the Modular Policy Framework (MPF).
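The two indicators above (many incomplete SIP connections in show conn port 5060, high DATAPATH CPU in show processes cpu-usage non-zero sorted) and mitigation option 2 (an ACL against the offending source) can be turned into a small triage script. The following is an added example, not code from Cisco or from this article. The show conn and show processes samples are constructed, not captured from a device; the parser assumes the usual ASA show conn line layout and the ASA flag legend in which a TCP connection carries the U flag only once its handshake completed, and the interface name "outside" and ACL name "OUTSIDE_IN" are placeholders to adjust to your deployment.

```python
import re
from collections import Counter

# Constructed sample of "show conn port 5060" output (not captured from a real
# device); the line layout follows ASA's "show conn" format: protocol, interface
# and address:port for each side, idle time, byte count and connection flags.
SAMPLE_SHOW_CONN = """\
5 in use, 5 most used
TCP outside 203.0.113.7:41002 inside 10.1.1.20:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.7:41003 inside 10.1.1.20:5060, idle 0:00:01, bytes 0, flags saA
TCP outside 203.0.113.7:41004 inside 10.1.1.20:5060, idle 0:00:02, bytes 0, flags saA
TCP outside 198.51.100.9:52000 inside 10.1.1.20:5060, idle 0:00:10, bytes 2310, flags UIO
UDP outside 198.51.100.9:5060 inside 10.1.1.20:5060, idle 0:00:03, bytes 640, flags -
"""

# Constructed sample of "show processes cpu-usage non-zero sorted" output.
SAMPLE_CPU = """\
PC         Thread       5Sec     1Min     5Min   Process
0x08176c9f 0xc9d7d920   91.4%    90.2%    88.0%  DATAPATH-0-2084
0x0817a4b2 0xc9d7c8a0    2.1%     1.9%     1.8%  Logger
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s*idle\s+\S+,\s*"
    r"bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)"
)

def parse_conns(text):
    """Yield one dict per connection line; summary and header lines are skipped."""
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            yield m.groupdict()

def is_incomplete(conn):
    """A TCP connection without the 'U' (up) flag never finished its handshake
    and is counted as incomplete; UDP has no handshake, so it is not counted."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]

def incomplete_by_peer(text, untrusted_if="outside"):
    """Count incomplete SIP connections per peer address on the untrusted
    interface (the interface name is an assumption; adjust to the deployment)."""
    counts = Counter()
    for conn in parse_conns(text):
        if not is_incomplete(conn):
            continue
        peer = conn["ip_a"] if conn["if_a"] == untrusted_if else conn["ip_b"]
        counts[peer] += 1
    return counts

def top_offenders(text, threshold=3, untrusted_if="outside"):
    """Peers with at least `threshold` incomplete SIP connections, largest first."""
    counts = incomplete_by_peer(text, untrusted_if)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

CPU_RE = re.compile(r"(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\d+\.\d+)%\s+(\S+)\s*$")

def datapath_cpu_5sec(text):
    """Highest 5-second CPU percentage reported for a DATAPATH thread."""
    best = 0.0
    for line in text.splitlines():
        m = CPU_RE.search(line)
        if m and m.group(4).startswith("DATAPATH"):
            best = max(best, float(m.group(1)))
    return best

def block_peers_acl(ips, acl_name="OUTSIDE_IN", untrusted_if="outside"):
    """ASA ACL lines denying all traffic from the given peers (mitigation 2).
    ACL and interface names are placeholders; insert into your own ACL instead
    of creating a new one if one is already bound to the interface."""
    lines = [f"access-list {acl_name} line 1 extended deny ip host {ip} any"
             for ip in ips]
    lines.append(f"access-group {acl_name} in interface {untrusted_if}")
    return lines

def triage(conn_text, cpu_text, threshold=3, cpu_threshold=80.0):
    """Combine both indicators from the advisory into one verdict plus the
    ACL lines an administrator would review before applying."""
    offenders = top_offenders(conn_text, threshold)
    cpu = datapath_cpu_5sec(cpu_text)
    return {
        "suspicious": bool(offenders) and cpu >= cpu_threshold,
        "datapath_cpu_5sec": cpu,
        "offenders": offenders,
        "acl": block_peers_acl([ip for ip, _ in offenders]) if offenders else [],
    }

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_CONN, SAMPLE_CPU))
```

Paste the real command output in place of the constructed samples; the generated ACL lines are meant to be reviewed, not applied blindly, since a legitimate SIP trunk under load can also accumulate embryonic connections.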
Cisco will release software updates that address the vulnerability shortly.