Cisco has discovered a zero-day vulnerability (CVE-2018-15454) that affects products running ASA (Adaptive Security Appliance) and FTD (Firepower Threat Defense) software. The vulnerability resides in the SIP (Session Initiation Protocol) inspection engine of ASA and FTD software. It could allow a remote attacker to cause an affected device to reload or trigger high CPU utilization, resulting in a DoS (Denial of Service) condition. Since SIP inspection is enabled by default in every ASA and FTD software package, a great many Cisco devices are believed to be vulnerable. Any product running ASA 9.4 and later or FTD 6.0 and later is affected. No patches have been made available as of the time this article was written.
For users who believe they are affected by the zero-day, Cisco has provided three mitigations for the issue. First, users are advised to disable SIP inspection. Another temporary measure is to block traffic from the malicious IP address that is sending it. Finally, some of the offending traffic has been seen using the 0.0.0.0 IP address as the “Sent-by Address,” which makes it easier for companies to filter incoming traffic on that value. Users who find they have affected devices should be on the lookout for a patch and, when one is released, apply it as soon as possible.
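As an added example (not Cisco's code or the advisory's own mitigation configuration), the following Python check shows how the third mitigation's indicator can be detected on the defender's side: it extracts the sent-by address from each Via header of a SIP message and flags 0.0.0.0. The two sample messages are constructed, not real captures.

```python
import re

# Constructed sample SIP messages (not real captures) for the check below.
NORMAL_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n\r\n"
)
SUSPECT_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "v: SIP/2.0/UDP 0.0.0.0;branch=z9hG4bKnashds8\r\n"   # compact Via form
    "From: <sip:anon@198.51.100.7>;tag=4711\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: 9f2d3c1b\r\n\r\n"
)

# Via value layout: SIP/2.0/<transport> <sent-by-host>[:port][;params]
# The host may be an IPv4 address, a hostname or a bracketed IPv6 literal.
_VIA_RE = re.compile(r"^SIP/2\.0/[A-Za-z]+\s+(?P<host>\[[^\]]+\]|[^\s:;,]+)")


def via_sent_by_hosts(message: str) -> list:
    """Return the sent-by host of every Via (or compact 'v:') header,
    top-most first. Comma-separated Via values are split as well."""
    hosts = []
    head = message.split("\r\n\r\n", 1)[0]          # headers only, no body
    for line in head.split("\r\n")[1:]:             # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        for via in value.split(","):
            m = _VIA_RE.match(via.strip())
            if m:
                hosts.append(m.group("host"))
    return hosts


def has_null_sent_by(message: str) -> bool:
    """True when any Via sent-by address is 0.0.0.0, the indicator the
    advisory names for traffic that triggered the SIP inspection bug."""
    return "0.0.0.0" in via_sent_by_hosts(message)
```

Run over captured SIP traffic, a hit from `has_null_sent_by` is a candidate for the filter the article describes; a miss does not prove the traffic is benign, since not all observed attack traffic carried that address.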