ESB-2018.3410.6 - UPDATED ALERT [Appliance] Cisco Adaptive Security Appliance Software and Cisco Firepower Software: Denial of service - Remote/unauthenticated 2018-11-19


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.3410.6
   Cisco Adaptive Security Appliance Software and Cisco Firepower Threat
             Defense Software Denial of Service Vulnerability
                             19 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Adaptive Security Appliance
                   Cisco Firepower
Publisher:         Cisco Systems
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2018-15454  

Original Bulletin: 
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

Revision History:  November 19 2018: Updated Fixed Software section
                   November 15 2018: Updated Fixed Software section.
                   November  7 2018: Updated Fixed Software section
                   November  5 2018: Cisco clarified that both physical and
                                     virtual appliances are affected and that
                                     disabling SIP on FTD needs to be done via CLI.
                   November  2 2018: Publicly available exploits have been sighted
                   November  1 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense
Software Denial of Service Vulnerability

Priority:          High
Advisory ID:       cisco-sa-20181031-asaftd-sip-dos
First Published:   2018 October 31 19:30 GMT
Last Updated:      2018 November 14 19:54 GMT
Version 1.4:       Interim
Workarounds:       No workarounds available
Cisco Bug IDs:     CSCvm43975
 
CVE-2018-15454
 
CVSS Score: Base 8.6
CVSS: 3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:X/RL:X/RC:X

Summary

  * A vulnerability in the Session Initiation Protocol (SIP) inspection engine
    of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause an affected device to reload or trigger high CPU,
    resulting in a denial of service (DoS) condition.

    The vulnerability is due to improper handling of SIP traffic. An attacker
    could exploit this vulnerability by sending SIP requests designed to
    specifically trigger this issue at a high rate across an affected device.

    Cisco has released software updates that address this vulnerability. There
    are no workarounds that address this vulnerability. Mitigation options that
    address this vulnerability are available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

Affected Products

  * Vulnerable Products

    This vulnerability affects Cisco ASA Software Release 9.4 and later and
    Cisco FTD Software Release 6.0 and later on both physical and virtual
    appliances if SIP inspection is enabled and the software is running on any
    of the following Cisco products:

      + 3000 Series Industrial Security Appliance (ISA)
      + ASA 5500-X Series Next-Generation Firewalls
      + ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco
        7600 Series Routers
      + Adaptive Security Virtual Appliance (ASAv)
      + Firepower 2100 Series Security Appliance
      + Firepower 4100 Series Security Appliance
      + Firepower 9300 ASA Security Module
      + FTD Virtual (FTDv)

    SIP inspection is enabled by default in both Cisco ASA Software and Cisco
    FTD Software. For detailed information about the default settings for
    application inspection policies, refer to the Cisco ASA Series Firewall CLI
    Configuration Guide.

    Determine the Cisco ASA Software Release

    To determine which Cisco ASA Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco ASA
    Software Release 9.4(4):

        ciscoasa# show version | include Version

        Cisco Adaptive Security Appliance Software Version 9.4(4)
        Device Manager Version 7.4(1)
        .
        .
        .

    If a device is managed by using Cisco Adaptive Security Device Manager
    (ASDM), administrators can also determine which release is running on a
    device by referring to the release information in the table that appears in
    the Cisco ASDM log in window or the Device Dashboard tab of the Cisco ASDM
    Home pane.

    Determine the Cisco FTD Software Release

    To determine which Cisco FTD Software release is running on a device,
    administrators can log in to the device, use the show version command in
    the CLI, and refer to the output of the command. The following example
    shows the output of the command for a device that is running Cisco FTD
    Software Release 6.2.0:

        > show version

        ---------------------[ ftd ]---------------------
        Model : Cisco ASA5525-X Threat Defense (75) Version 6.2.0 (Build 362)
        UUID : 2849ba3c-ecb8-11e6-98ca-b9fc2975893c
        Rules update version : 2017-03-15-001-vrt
        VDB version : 279
        ----------------------------------------------------

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      + ASA 1000V Cloud Firewall
      + ASA 5500 Series Adaptive Security Appliances

Indicators of Compromise

  * While the vulnerability described in this advisory is being actively
    exploited, the output of show conn port 5060 will show a large number of
    incomplete SIP connections and the output of show processes cpu-usage
    non-zero sorted will show a high CPU utilization.

    Successful exploitation of this vulnerability can also result in the
    affected device crashing and reloading. After the device boots up again,
    the output of show crashinfo will show an unknown abort of the DATAPATH
    thread. Customers should reach out to Cisco TAC with this information to
    determine whether the particular crash was related to exploitation of this
    vulnerability.

Workarounds

  * There are no workarounds that address this vulnerability; however, there
    are several mitigation options. These mitigation options apply to both
    physical and virtual appliances.

    Option 1: Disable SIP Inspection

    Disabling SIP inspection will completely close the attack vector for this
    vulnerability. However, it may not be suitable for all customers. In
    particular, disabling SIP inspection would break SIP connections if either
    NAT is applied to SIP traffic or if not all ports required for SIP
    communication are opened via ACL.

    To disable SIP inspection, configure the following:

      + Cisco ASA Software

        policy-map global_policy
         class inspection_default
          no inspect sip

      + Cisco FTD Software Releases

        configure inspection sip disable
        
        Note: This command is issued from the FTD CLI.

    Option 2: Block the Offending Host(s)

    Customers can block traffic from the specific source IP address seen in the
    connection table using an access control list (ACL). After applying the
    ACL, make sure to clear existing connections for that source using the 
    clear conn address <ip_address> command in EXEC mode.

    Alternatively, the offending host can be shunned using the shun 
    <ip_address> command in EXEC mode. This will block all packets from that
    source IP without the need for a configuration change. However, please be
    aware that shunning does not persist across reboot.
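The following Python script is an added example, not part of the Cisco advisory or the AusCERT bulletin. It ties the Indicators of Compromise section (many incomplete SIP connections in "show conn port 5060") to Option 2 (block or shun the offending host): it parses "show conn" output, counts payload-less port-5060 connections per peer on the untrusted interface, and prints the EXEC-mode commands the advisory names for a source that crosses a threshold. The sample output is constructed, the "show conn" line layout is assumed from ASA 9.x and not shown on the advisory page, the interface name "outside", the threshold and the use of "bytes 0" as a stand-in for "incomplete" are all assumptions.

```python
import re
from collections import Counter
from typing import List

# Assumed ASA 9.x `show conn` line layout (not shown in the advisory):
#   <proto> <if> <ip>:<port> <if> <ip>:<port>, idle h:mm:ss, bytes N, flags ...
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ip1>[\d.]+):(?P<p1>\d+)\s+"
    r"(?P<if2>\S+)\s+(?P<ip2>[\d.]+):(?P<p2>\d+),\s+idle\s+[\d:]+,"
    r"\s+bytes\s+(?P<bytes>\d+)"
)

# Constructed sample of `show conn port 5060` output (documentation addresses).
SAMPLE_SHOW_CONN = """\
UDP outside 203.0.113.20:40001 inside 10.0.0.5:5060, idle 0:00:01, bytes 0, flags -
UDP outside 203.0.113.20:40002 inside 10.0.0.5:5060, idle 0:00:01, bytes 0, flags -
UDP outside 203.0.113.20:40003 inside 10.0.0.5:5060, idle 0:00:02, bytes 0, flags -
UDP outside 198.51.100.7:5060 inside 10.0.0.5:5060, idle 0:00:20, bytes 1842, flags -
TCP outside 192.0.2.44:51000 inside 10.0.0.5:5060, idle 0:00:00, bytes 0, flags saA
"""


def sip_sources(show_conn_output: str, untrusted_if: str = "outside",
                port: int = 5060) -> Counter:
    """Count payload-less connections involving `port`, keyed by the peer
    address on `untrusted_if`.

    "bytes 0" is used here as a heuristic stand-in for the "incomplete" SIP
    connections the advisory describes; the advisory does not define the term.
    """
    counts: Counter = Counter()
    for line in show_conn_output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, or an unexpected layout
        if int(m["bytes"]) != 0:
            continue  # a conversation that carried data is not "incomplete"
        sides = [(m["if1"], m["ip1"], int(m["p1"])),
                 (m["if2"], m["ip2"], int(m["p2"]))]
        if not any(p == port for _, _, p in sides):
            continue
        for iface, ip, _ in sides:
            if iface == untrusted_if:
                counts[ip] += 1
    return counts


def suspect_sources(counts: Counter, threshold: int) -> List[str]:
    """Peers with at least `threshold` incomplete connections, busiest first."""
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: -counts[ip])


def containment_commands(ip: str) -> List[str]:
    """The two EXEC-mode commands from the advisory's Option 2: `shun` (does
    not persist across reboot) and `clear conn address`, which must follow an
    ACL that blocks the source."""
    return [f"shun {ip}", f"clear conn address {ip}"]


if __name__ == "__main__":
    counts = sip_sources(SAMPLE_SHOW_CONN)
    for ip in suspect_sources(counts, threshold=2):
        print(f"{ip}: {counts[ip]} incomplete SIP connections")
        for cmd in containment_commands(ip):
            print("   ", cmd)
```

Treat the output as a prompt for investigation rather than an automatic action: the advisory notes that the attacker may use spoofed source addresses, so per-source blocking is a stopgap and a packet capture should confirm the pattern before any host is shunned.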

    Option 3: Filter on Sent-by Address of 0.0.0.0

    In observed cases, the offending traffic has been found to have the Sent-by
    Address set to the invalid value of 0.0.0.0. If an administrator confirms
    that the offending traffic shows the same pattern in their environment
    (e.g. confirmed via packet capture), the following configuration can be
    applied to prevent the crash:

        regex VIAHEADER "0.0.0.0"

        policy-map type inspect sip P1
        parameters
        match message-path regex VIAHEADER
         drop

        policy-map global_policy
        class inspection_default
         no inspect sip
         inspect sip P1

    In FTD 6.2 and later, use Cisco Firepower Management Center (FMC) to add
    this configuration via FlexConfig policy.

    Option 4: Rate Limit SIP Traffic

    This vulnerability can also be mitigated by implementing a rate limit on
    SIP traffic using the Modular Policy Framework (MPF). The implementation of
    these policies will differ depending on the deployment specifics and
    implementation choices made in each environment. Customers who need
    assistance implementing an MPF policy should contact the Cisco TAC or their
    Advanced Services (AS) representative for assistance.

    Note: An attacker could exploit this vulnerability using spoofed IP
    packets.

Fixed Software

  * Cisco is in the process of releasing free software updates that address the
    vulnerability described in this advisory. Customers may only install and
    expect support for software versions and feature sets for which they have
    purchased a license. By installing, downloading, accessing, or otherwise
    using such software upgrades, customers agree to follow the terms of the
    Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco authorized
    reseller or partner. In most cases this will be a maintenance upgrade to
    software that was previously purchased. Free security software updates do
    not entitle customers to a new software license, additional software
    feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories and Alerts page, to determine exposure and a
    complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new release.
    If the information is not clear, customers are advised to contact the Cisco
    Technical Assistance Center (TAC) or their contracted maintenance
    providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service
    contract and customers who make purchases through third-party vendors but
    are unsuccessful in obtaining fixed software through their point of sale
    should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared
    to provide the URL of this advisory as evidence of entitlement to a free
    upgrade.

    Cisco ASA Software

    Cisco ASA Software Release    First Fixed Release
    9.3 and Prior^1               Not vulnerable
    9.4                           9.4.4.27
    9.5^1                         Migrate to first fixed 9.6 or later version.
    9.6                           9.6.4.18
    9.7^1                         Migrate to first fixed 9.8 or later version.
    9.8                           9.8.3.16
    9.9                           9.9.2.32
    9.10                          9.10.1.2

^1 Cisco ASA Software releases prior to Release 9.1 and Cisco ASA Software
    Releases 9.2, 9.3, 9.5, and 9.7 have reached the
    end-of-software-maintenance milestone. Customers are advised to migrate to
    a supported release that includes the fix for this vulnerability.
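As an added example (not Cisco's or AusCERT's code), the script below combines the "Determine the Cisco ASA Software Release" procedure with the Cisco ASA fixed-release table above: it extracts the running release from "show version" output and reports whether the device is not vulnerable, fixed, in need of an in-train upgrade, or on an end-of-maintenance train that must migrate. The mapping of the CLI form 9.4(4)27 to the advisory's dotted form 9.4.4.27 is an assumption, as is treating a missing interim number as 0; the table values themselves are copied from the advisory. The result only applies when SIP inspection is enabled, which the advisory says is the default.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, interim)

# First fixed release per train, from the advisory's "Cisco ASA Software" table.
FIRST_FIXED = {
    (9, 4): (9, 4, 4, 27),
    (9, 6): (9, 6, 4, 18),
    (9, 8): (9, 8, 3, 16),
    (9, 9): (9, 9, 2, 32),
    (9, 10): (9, 10, 1, 2),
}
# Trains the advisory marks as end-of-software-maintenance with no in-train fix.
MIGRATE_TRAINS = {(9, 5), (9, 7)}

# Assumption: `show version` prints "... Software Version 9.4(4)27", where the
# parenthesised number is the maintenance release and the trailing number the
# interim release; the interim part may be absent.
VERSION_RE = re.compile(
    r"Adaptive Security Appliance Software Version\s+"
    r"(?P<maj>\d+)\.(?P<min>\d+)\((?P<maint>\d+)\)(?P<interim>\d+)?"
)


def parse_asa_version(show_version_output: str) -> Optional[Version]:
    """Return the running release as a comparable tuple, or None if not found."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        return None
    return (int(m["maj"]), int(m["min"]), int(m["maint"]),
            int(m["interim"] or 0))


def dotted(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(version: Version) -> str:
    """Classify a release against the advisory's fixed-release table."""
    train = version[:2]
    if train < (9, 4):
        return "not vulnerable (9.3 and prior)"
    if train in MIGRATE_TRAINS:
        return "vulnerable: end-of-maintenance train, migrate to a fixed later release"
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return "unknown train: consult the advisory"
    if version >= fixed:
        return "fixed"
    return f"vulnerable: upgrade to {dotted(fixed)} or later"


def assess_show_version(show_version_output: str) -> str:
    v = parse_asa_version(show_version_output)
    if v is None:
        return "could not find an ASA version string"
    return f"{dotted(v)}: {assess(v)}"


if __name__ == "__main__":
    # Constructed sample modelled on the advisory's `show version` excerpt.
    sample = ("Cisco Adaptive Security Appliance Software Version 9.4(4)\n"
              "Device Manager Version 7.4(1)\n")
    print(assess_show_version(sample))
```

The FTD table is deliberately left out: several of its rows are still "Pending" in this revision, so a script cannot give a definitive answer for those trains and the advisory should be re-read once the fixed images are posted.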


    Cisco FTD Software

    Cisco FTD Software Release    First Fixed Release for This Vulnerability
    6.0                           Migrate to a fixed release in 6.1.0 or later
    6.0.1                         Migrate to a fixed release in 6.1.0 or later
    6.1.0                         Pending^2
    6.2.0                         6.2.0.6 Hotfix CE
    6.2.1                         Migrate to a fixed release in 6.2.2 or later
    6.2.2                         Pending^2
    6.2.3                         Pending^2

^2 As fixed software is posted, the advisory will be updated to reference the
    actual posted fixed image release number.

    To upgrade to a fixed release of Cisco Firepower System Software, customers
    can do one of the following:

      + For devices that are managed by using Cisco Firepower Management Center
        (FMC), use the FMC interface to install the upgrade and, after
        installation is complete, reapply the access control policy. The Snort
        version that is installed depends on the FMC release.
      + For devices that are managed by using Cisco Adaptive Security Device
        Manager (ASDM) or Cisco Firepower Device Manager (FDM), use the ASDM or
        FDM interface to install the upgrade and, after installation is
        complete, reapply the access control policy.

Exploitation and Public Announcements

  * The Cisco Product Security Incident Response Team (PSIRT) has become aware
    of active exploitation of the vulnerability that is described in this
    advisory.

URL

  * https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

Revision History

  * 
    +-----------------------------------------------------------------------------+
    | Version |      Description       |   Section   | Status  |       Date       |
    |---------+------------------------+-------------+---------+------------------|
    | 1.4     | Updated Fixed Software | Fixed       | Interim | 2018-November-14 |
    |         | section.               | Software    |         |                  |
    |---------+------------------------+-------------+---------+------------------|
    | 1.3     | Updated Fixed Software | Fixed       | Interim | 2018-November-06 |
    |         | section.               | Software    |         |                  |
    |---------+------------------------+-------------+---------+------------------|
    |         | Clarified that both    |             |         |                  |
    |         | physical and virtual   |             |         |                  |
    |         | appliances are         | Vulnerable  |         |                  |
    | 1.2     | affected and that      | Products,   | Interim | 2018-November-02 |
    |         | disabling SIP on FTD   | Workarounds |         |                  |
    |         | needs to be done via   |             |         |                  |
    |         | CLI.                   |             |         |                  |
    |---------+------------------------+-------------+---------+------------------|
    | 1.1     | Added Rate Limiting    | Workarounds | Interim | 2018-November-01 |
    |         | mitigation.            |             |         |                  |
    |---------+------------------------+-------------+---------+------------------|
    | 1.0     | Initial public         | -           | Interim | 2018-October-31  |
    |         | release.               |             |         |                  |
    +-----------------------------------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
