A critical vulnerability in Session Initiation Protocol (SIP) of Cisco ASA and FTD software that allows an unauthenticated remote attacker to crash and reload the device. The vulnerability occurs due to the improper handling of SIP traffic.
A remote attacker could exploit the Cisco Zero Day vulnerability by sending a crafted SIP request that would trigger high CPU usage or reload the device results in DoS condition.
Affected Products – Cisco Zero Day
The vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled.
3000 Series Industrial Security Appliance (ISA)
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
The Indication of the Device in Attack
If any vulnerable device actively exploited by attackers, the administrators can see a large number of incomplete SIP connections over conn port 5060 and the output of show processes CPU-usage non-zero sorted will show a high CPU utilization.
Successful exploitation on the device leads device crashing and reloading, Cisco to free software updates that address the vulnerability described in this advisory.
The vulnerability can be tracked as CVE-2018-15454 and it receives the Base score 8.6.