Cisco has released a warning over a bug in devices running its Adaptive Security Appliance and Firepower software that hackers are actively exploiting, and there’s no update that addresses the flaw.
The company posted an advisory today to warn customers of a denial of service vulnerability affecting several appliances that can be remotely exploited by an unauthenticated attacker.
Cisco said its Product Security Incident Response Team (PSIRT) “has become aware of active exploitation of the vulnerability that is described in this advisory”.
Cisco will break from its scheduled update plan for products like ASA if the vulnerability is publicly disclosed or is found to be under attack.
In this case Cisco posted the alert in the absence of a software update that addresses the vulnerability. It notes there are no workarounds to address it, but there are options to mitigate the vulnerability.
The vulnerability resides in a component of ASA and Firepower that inspects Session Initiation Protocol (SIP) messages. A remote attacker without legitimate credentials could use the flaw to cause a device to crash and reload, or to drive its CPU utilization high. Both result in the device becoming inactive.
“An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device,” Cisco notes.
Given that organizations rely on ASA and Firepower appliances to provide firewall defenses that protect core business applications, admins will likely be keen to follow Cisco’s mitigations until a patch is ready.
The flaw affects several appliances if they have SIP inspection enabled and they’re running Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0.
Appliances that are affected if they meet these conditions include 3000 Series Industrial Security Appliance (ISA); ASA 5500-X Series Next-Generation Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance (ASAv); Firepower 2100 Series Security Appliance; Firepower 4100 Series Security Appliance; Firepower 9300 ASA Security Module; and FTD Virtual (FTDv).
Cisco confirms that ASA 1000V Cloud Firewall and ASA 5500 Series Adaptive Security Appliances are not affected.
If a device is under attack, admins should take note of results from “show conn port 5060”, which will show lots of incomplete connections. The “show processes cpu-usage non-zero sorted” command will show high CPU consumption if it is being attacked.
Cisco details three mitigations admins can take: blocking traffic from the source IP address of an offending host; disabling SIP inspection; or filtering traffic that uses a Sent-by Address of 0.0.0.0.
“In many cases, the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0,” Cisco notes, detailing the specific configuration that can be used to prevent a crash.
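The indicator Cisco describes, a SIP Via header whose Sent-by Address is the invalid value 0.0.0.0, can also be checked outside the appliance, for example over SIP requests captured in front of the firewall, to confirm which sources are sending the offending traffic before blocking them. The following is an added example written for this article, not code from Cisco or from the advisory; it assumes raw SIP request text (RFC 3261 framing) and constructed sample captures, and the source addresses and messages in it are made up for illustration.

```python
"""Flag SIP requests whose topmost Via header carries a sent-by host of 0.0.0.0.

Added example (not Cisco's code). Input is raw SIP request text, e.g. reassembled
from a packet capture, paired with the IP address it arrived from. The check
follows RFC 3261: the Via value is "SIP/2.0/<transport> <sent-by>[;params]" and
sent-by is host[:port]. Flagged messages are tallied per source so an operator
can see which hosts to block while SIP inspection stays enabled.
"""
import re
from collections import Counter
from typing import Optional

# Transport token, whitespace, then sent-by up to the first ';' or whitespace.
_VIA_RE = re.compile(r"^SIP/2\.0/[A-Za-z]+\s+([^;\s]+)", re.ASCII)


def parse_headers(message: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs for the header block of a SIP message."""
    head = message.split("\r\n\r\n", 1)[0]          # drop any body
    headers = []
    for line in head.split("\r\n")[1:]:             # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def top_via_sent_by_host(message: str) -> Optional[str]:
    """Host part of the sent-by field in the first Via header, or None if absent/malformed."""
    for name, value in parse_headers(message):
        if name in ("via", "v"):                    # 'v' is the compact header form
            m = _VIA_RE.match(value)
            if not m:
                return None
            sent_by = m.group(1)
            if sent_by.startswith("["):             # bracketed IPv6 literal, e.g. [2001:db8::9]:5060
                end = sent_by.find("]")
                return sent_by[1:end] if end > 0 else None
            return sent_by.split(":", 1)[0]        # strip optional port
    return None


def has_invalid_sent_by(message: str) -> bool:
    """True when the top Via sent-by host is the invalid address 0.0.0.0."""
    return top_via_sent_by_host(message) == "0.0.0.0"


def tally_suspect_sources(captures: list[tuple[str, str]]) -> Counter:
    """captures: (source_ip, raw_sip_message). Count flagged messages per source IP."""
    counts: Counter = Counter()
    for src, msg in captures:
        if has_invalid_sent_by(msg):
            counts[src] += 1
    return counts


# Constructed sample captures (documentation-range addresses, invented messages).
SAMPLE_CAPTURES = [
    ("198.51.100.7",
     "INVITE sip:bob@example.net SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bKabc\r\n"
     "From: <sip:a@example.net>;tag=1\r\nTo: <sip:bob@example.net>\r\n"
     "Call-ID: 1@0.0.0.0\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.7",
     "OPTIONS sip:example.net SIP/2.0\r\n"
     "v: SIP/2.0/TCP 0.0.0.0;branch=z9hG4bKdef\r\n"
     "CSeq: 2 OPTIONS\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.44",
     "REGISTER sip:example.net SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 192.0.2.44:5060;branch=z9hG4bK123\r\n"
     "CSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"),
    ("2001:db8::9",
     "INVITE sip:carol@example.net SIP/2.0\r\n"
     "Via: SIP/2.0/UDP [2001:db8::9]:5060;branch=z9hG4bK456\r\n"
     "CSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, n in tally_suspect_sources(SAMPLE_CAPTURES).most_common():
        print(f"{src}: {n} request(s) with Via sent-by 0.0.0.0")
```

Only the two messages from 198.51.100.7 are flagged; the legitimate IPv4 and IPv6 registrations pass. A count from a single source that climbs at the rate the advisory describes is the operator's cue to apply the first mitigation (block that source) while leaving SIP inspection in place for everyone else.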
Cisco says it will provide updates when they become available and will update the advisory to reflect this when it occurs.