Cisco: hackers are attacking ASA and Firepower 0-day and there’s no patch

Cisco has released a warning over a bug in devices running its Adaptive Security Appliance and Firepower software that hackers are actively exploiting and there’s no update that address the flaw. 

The company posted an advisory today to warn customers of a denial of service vulnerability affecting several appliances that can be remotely exploited by an unauthenticated attacker.

Cisco said its Product Security Incident Response Team (PSIRT) “has become aware of active exploitation of the vulnerability that is described in this advisory”.

Cisco will break from its scheduled update plan for products like ASA if the vulnerability is publicly disclosed or is found to be under attack. 

In this case Cisco posted the alert in the absence of a software update that addresses the vulnerability. It notes there are no workarounds to address it, but there are options to mitigate the vulnerability.  

The vulnerability resides in a component of ASA and Firepower that inspects Session Initiation Protocol (SIP) messages. A remote attacker without the legitimate credentials could use the flaw to cause a device to crash and reload, or ramp up CPU. Both result in a device becoming inactive.    

“An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device,” Cisco notes. 

Given that organizations rely on ASA and Firepower appliances to provide firewall defenses that protect core business applications, admins will likely be keen to follow Cisco’s mitigations until a patch is ready. 

The flaw affects several appliances if they have SIP inspection enabled and they’re running Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0. 

Appliances that are affected if they meet these conditions include 3000 Series Industrial Security Appliance (ISA); ASA 5500-X Series Next-Generation Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance (ASAv); Firepower 2100 Series Security Appliance; Firepower 4100 Series Security Appliance; Firepower 9300 ASA Security Module; and FTD Virtual (FTDv). 

Cisco confirms that ASA 1000V Cloud Firewall and ASA 5500 Series Adaptive Security Appliances are not affected. 

If a device is under attack, admins should take note of results from “show conn port 5060”, which will show lots of incomplete connections. The “show processes cpu-usage non-zero sorted” command will show high CPU consumption if it is being attacked. 

Cisco details three mitigations admins can take, including blocking traffic of the source UP address from an offending host; disabling SIP inspection; or filtering traffic that uses the Sent-by Address of 0.0.0.0. 

“In many cases, the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0,” Cisco notes, detailing the specific configuration that can be used to prevent a crash. 

Cisco says it will provide updates when they become available and will update the advisory to reflect this when it occurs. 

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags firewallciscodenial of servicedosFirepowerASA

More about ASACiscoFTD

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts