Hackers Exploit Cisco Zero Day Vulnerability in Wild Resulting in DoS Condition

A critical vulnerability in Session Initiation Protocol (SIP) of Cisco ASA and FTD software that allows an unauthenticated remote attacker to crash and reload the device. The vulnerability occurs due to the improper handling of SIP traffic.

A remote attacker could exploit the Cisco Zero Day vulnerability by sending a crafted SIP request that would trigger high CPU usage or reload the device results in DoS condition.

Cisco says the security update to address the vulnerability is not yet available and at the time there is no workaround for this vulnerability, reads Cisco advisory.

Affected Products – Cisco Zero Day

The vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled.

3000 Series Industrial Security Appliance (ISA)
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)

The Indication of the Device in Attack

If any vulnerable device actively exploited by attackers, the administrators can see a large number of incomplete SIP connections over conn port 5060 and the output of show processes CPU-usage non-zero sorted will show a high CPU utilization.

Successful exploitation on the device leads device crashing and reloading, Cisco to free software updates that address the vulnerability described in this advisory.

The vulnerability can be tracked as CVE-2018-15454 and it receives the Base score 8.6.

Related Read

Cisco Releases Security Updates that Covers 16 Vulnerabilities that had Critical and High Impact

Cisco Released Security Updates for Multiple Vulnerabilities that Affected Cisco Products

Cisco Released Critical Security Updates for Vulnerabilities that Affected Cisco Products