CVE-2018-15454: Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability

A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device. Software updates that address this vulnerability are not yet available.

There are no workarounds that address this vulnerability; however, there are several mitigation options. These mitigation options apply to both physical and virtual appliances.

**Option 1: Disable SIP Inspection**

Disabling SIP inspection will completely close the attack vector for this vulnerability. However, it may not be suitable for all customers. In particular, disabling SIP inspection would break SIP connections if either NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL.

To disable SIP inspection, configure the following:

• Cisco ASA Software

      policy-map global_policy
       class inspection_default
        no inspect sip

• Cisco FTD Software Releases

      configure inspection sip disable

  Note: This command is issued from the FTD CLI.

**Option 2: Block the Offending Host(s)**

Customers can block traffic from the specific source IP address seen in the connection table using an access control list (ACL). After applying the ACL, make sure to clear existing connections for that source using the **clear conn address** command in EXEC mode.

Alternatively, the offending host can be shunned using the **shun** command in EXEC mode. This will block all packets from that source IP without the need for a configuration change. However, please be aware that shunning does not persist across reboot.

**Option 3: Filter on Sent-by Address of 0.0.0.0**

In observed cases, the offending traffic has been found to have the _Sent-by Address_ set to the invalid value of 0.0.0.0. If an administrator confirms that the offending traffic shows the same pattern in their environment (e.g. confirmed via packet capture), the following configuration can be applied to prevent the crash:

      regex VIAHEADER "0.0.0.0"

      policy-map type inspect sip P1
       parameters
        match message-path regex VIAHEADER
         drop

      policy-map global_policy
       class inspection_default
        no inspect sip
        inspect sip P1

In FTD 6.2 and later, use Cisco Firepower Management Center (FMC) to add this configuration via FlexConfig policy.

**Option 4: Rate Limit SIP Traffic**

This vulnerability can also be mitigated by implementing a rate limit on SIP traffic using the Modular Policy Framework (MPF). The implementation of these policies will differ depending on the deployment specifics and implementation choices made in each environment. Customers who need assistance implementing an MPF policy should contact the Cisco TAC or their Advanced Services (AS) representative for assistance.

**Note**: An attacker could exploit this vulnerability using spoofed IP packets.
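As an added example (not part of the Cisco advisory), the following Python script applies the Option 3 indicator and an Option 4-style rate check to SIP requests: it parses the Via headers of each message, flags those whose sent-by host is 0.0.0.0, and lists the sources an administrator might then confirm via packet capture before applying the ACL or shun of Option 2. The sample messages, source addresses and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample SIP requests as (source_ip, message) pairs; not captured traffic.
SAMPLES = [
    ("198.51.100.7",
     "INVITE sip:bob@example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK1\r\n"
     "Content-Length: 0\r\n\r\n"),
    ("198.51.100.7",
     "INVITE sip:bob@example.com SIP/2.0\r\n"
     "v: SIP/2.0/TCP 0.0.0.0;branch=z9hG4bK2\r\n"  # compact header form
     "Content-Length: 0\r\n\r\n"),
    ("203.0.113.5",
     "REGISTER sip:example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK3\r\n"
     "Content-Length: 0\r\n\r\n"),
]

# The sent-by host follows the transport: "SIP/2.0/UDP host[:port];params".
# Bracketed IPv6 literals are accepted; the port, if any, is left out.
SENT_BY_RE = re.compile(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^\s;:,]+)")


def via_sent_by(msg):
    """Return the sent-by host of every Via (or compact 'v') header value."""
    head = msg.split("\r\n\r\n", 1)[0]
    hosts = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("via", "v"):
            for via in value.split(","):  # one header may carry several Via values
                m = SENT_BY_RE.search(via)
                if m:
                    hosts.append(m.group(1))
    return hosts


def has_invalid_sent_by(msg):
    """Option 3 indicator: a Via sent-by host of 0.0.0.0. This is an exact string
    compare, unlike the ASA regex "0.0.0.0" where each '.' also matches any character."""
    return "0.0.0.0" in via_sent_by(msg)


def suspect_sources(samples, rate_threshold):
    """Sources sending Via 0.0.0.0 or more than rate_threshold requests in the sample:
    candidates to confirm before applying the ACL or shun of Option 2."""
    counts = Counter(src for src, _ in samples)
    flagged = {src for src, msg in samples if has_invalid_sent_by(msg)}
    flagged |= {src for src, n in counts.items() if n > rate_threshold}
    return sorted(flagged)
```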
