Zero Day vulnerability
News | 11/05/2018

Zero Day vulnerability Detected with Cisco Security Appliances


Cisco has disclosed a zero-day vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

The attackers exploiting the bug in the wild have not been identified. The vulnerability allows an unauthenticated, remote attacker to force an affected device to reload, or to drive its CPU usage up, resulting in a denial of service (DoS) condition. It does not give the attacker access to the device.


The root cause is improper handling of SIP traffic by the inspection engine. An attacker exploits it by sending SIP requests, crafted to trigger the flaw, at a high rate to an affected device.

At the time of writing, no software updates that address the vulnerability are available; Cisco has published mitigations instead (see below).

What Is Zero-Day

A zero-day is a flaw in software or hardware that is unknown to, or not yet fixed by, the vendor or party responsible for fixing it.

A zero-day attack is one in which the vendor has had zero days to fix the flaw before it is first exploited. Once the vulnerability has been publicly disclosed and a fix is on its way, it is commonly called a one-day (or n-day) vulnerability.

 

A zero-day attack is difficult to detect. Antivirus software and signature-based intrusion detection and prevention systems are often ineffective against it, because no attack signature exists yet.

One practical approach is behavioural detection: authorised users and systems on a network exhibit fairly stable usage patterns, so activity that falls outside the normal scope of operations (for example, a sudden flood of SIP requests from a single source, as in this case) may indicate a zero-day attack.

Insight into Zero-Day Vulnerability in Cisco Appliances

The vulnerability in the SIP inspection engine is tracked as CVE-2018-15454 and is rated High severity (CVSS base score 8.6).

Cisco's advisory states that the vulnerability is due to improper handling of SIP traffic. SIP is a signalling protocol used to set up, modify and tear down sessions for voice, video and messaging applications over IP networks; the media itself travels in separate streams, typically RTP, on ports negotiated in the SIP exchange. The SIP inspection engine on ASA and FTD provides address translation in SIP message headers and bodies, dynamic opening of the negotiated media ports, and basic protocol sanity checks for application-layer security.

 


High rates of crafted SIP requests can overwhelm the SIP inspection engine. An attacker sends such requests to an affected device to make it reload and so take it offline.

If the device does not crash and reload, the attack still drives CPU usage very high, slowing the device and delaying the traffic it is supposed to inspect and forward.

 

Mitigating the Zero-Day Vulnerability

Cisco lists several mitigation options:

  • Disable SIP inspection. This closes the attack vector completely, but is not feasible in many environments: it breaks SIP connections that depend on the inspection engine, for example where NAT is applied to SIP traffic or where the media ports are not opened explicitly.
  • Use an access control list (ACL) to block traffic from the offending IP addresses.
  • Use the shun command in privileged EXEC mode to drop all packets from an attacker's IP address, including those belonging to existing connections.
  • Filter on the observed pattern: Cisco has noted that the offending traffic has the Sent-by Address (the host portion of the SIP Via header) set to the invalid value 0.0.0.0. An administrator can drop SIP messages that match this pattern in the inspection policy and so prevent the appliance from crashing.
  • Rate limit SIP traffic using the Modular Policy Framework (MPF).
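The five options above, combined into one illustrative ASA configuration. This is an added example and not configuration taken from the Cisco advisory or from this article; the interface name outside, the ACL and policy-map names, the attacker address 198.51.100.10 (a documentation address) and the policing rates are assumptions, and options 1 and 4 are alternatives (both replace the SIP inspection in global_policy), so apply one or the other.

```cisco
! Illustrative ASA configuration for the CVE-2018-15454 mitigations (added example).
! Assumptions: outside-facing interface "outside", existing ACL OUTSIDE_IN applied
! inbound on it, default global policy "global_policy", attacker at 198.51.100.10.
!
! --- Option 1: disable SIP inspection entirely (closes the vector, may break SIP/NAT) ---
policy-map global_policy
 class inspection_default
  no inspect sip
!
! --- Option 2: block the offending source with an ACL entry ---
! "line 1" places the deny at the top so it is evaluated before any permit.
access-list OUTSIDE_IN line 1 extended deny ip host 198.51.100.10 any
access-group OUTSIDE_IN in interface outside
!
! --- Option 3: shun the source (privileged EXEC command, not configuration mode) ---
! shun drops existing and future connections from the host without editing any ACL.
shun 198.51.100.10
show shun
! Remove later with:  no shun 198.51.100.10
!
! --- Option 4: drop SIP messages whose Via sent-by address is 0.0.0.0 ---
! A constructed sample of the offending Via header:
!   Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK776asdhds
! "match message-path" matches the Via header. Dots are escaped so the regex
! matches only the literal 0.0.0.0 and not, say, 10.0.0.0.
regex VIAHEADER "0\.0\.0\.0"
!
policy-map type inspect sip SIP_DROP_BAD_VIA
 parameters
 match message-path regex VIAHEADER
  drop log
!
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip SIP_DROP_BAD_VIA
!
! --- Option 5: rate limit SIP signalling with MPF policing ---
! Policing is only supported in an interface service policy, not the global one.
! 256 kbps / 32 KB burst are placeholders; size them to the site's legitimate SIP load.
access-list SIP_SIGNALING_ACL extended permit udp any any eq 5060
access-list SIP_SIGNALING_ACL extended permit tcp any any eq 5060
!
class-map SIP_SIGNALING
 match access-list SIP_SIGNALING_ACL
!
policy-map OUTSIDE_POLICY
 class SIP_SIGNALING
  police input 256000 32000 conform-action transmit exceed-action drop
!
service-policy OUTSIDE_POLICY interface outside
!
! --- Checks: is an attack in progress, and did the mitigation take effect? ---
! Many half-open SIP connections and high inspection CPU point to the attack.
show conn port 5060
show processes cpu-usage non-zero sorted
show service-policy inspect sip
```

If an interface service policy already exists on outside, add the SIP_SIGNALING class to that policy rather than attaching a second one, since an interface accepts only one service policy.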

 

Affected Products

The vulnerability affects the following Cisco platforms when they run a vulnerable release of ASA Software or FTD Software with SIP inspection enabled (which it is by default): Firepower 2100 Series and 4100 Series Security Appliances, Firepower 9300 ASA Security Module, ASA 5500-X Series Next-Generation Firewalls, Adaptive Security Virtual Appliance (ASAv), 3000 Series Industrial Security Appliance (ISA), and FTD Virtual (FTDv).


Virus Removal Guidelines