Cisco Warns of Actively Exploited DoS Flaw in Security Appliances

Cisco Systems is warning customers about an unpatched vulnerability that allows attackers to crash or reboot security devices running its Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software.

The vulnerability, CVE-2018-15454, was discovered during the resolution of a Cisco TAC support case that involved active exploitation of the flaw in the wild. The issue is located in a software engine that’s designed to inspect Session Initiation Protocol (SIP) traffic and can be exploited through specially crafted SIP requests.


Both virtual and physical devices that run Cisco ASA Software Release 9.4 and later or Cisco FTD Software Release 6.0 and later and have SIP inspection enabled are affected. This includes: 3000 Series Industrial Security Appliance (ISA), ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module and FTD Virtual (FTDv).

Successful exploitation triggers high CPU use or a device reload, resulting in a denial-of-service (DoS) condition. Software updates are not yet available and there is no known workaround.

However, some mitigations do exist. These involve disabling SIP inspection completely or using an access control list (ACL) to block traffic from offending IP addresses. The Modular Policy Framework can also be used to rate-limit SIP traffic, but whether such a policy is enough to keep the device from crashing will depend on the environment and the volume of attack traffic.
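The three mitigations above, written out as ASA CLI configuration. This is an added example, not configuration from the Cisco advisory; the interface name `outside`, the ACL and policy-map names, the attacker address 203.0.113.10 and the policing rate are all assumed placeholders, and the trailing `permit ip any any` stands in for whatever rules an existing inbound ACL already carries.

```cisco
! Option 1: remove the affected SIP inspection engine from the default global policy.
! Side effect: the ASA stops opening SIP pinholes and fixing up SIP/SDP addresses under NAT.
policy-map global_policy
 class inspection_default
  no inspect sip

! Option 2: keep inspection, but drop SIP from a source already identified as offending
! (203.0.113.10 is an assumed placeholder). Deny lines must precede the permit.
access-list OUTSIDE_IN extended deny udp host 203.0.113.10 any eq 5060
access-list OUTSIDE_IN extended deny tcp host 203.0.113.10 any eq 5060
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside

! Option 3: rate-limit SIP with the Modular Policy Framework. Policing is applied per
! interface, so this goes in an interface policy, not global_policy. The conform rate
! (bits per second) and burst (bytes) are assumed values; size them for your call volume.
! SIP over TCP needs a matching class of its own (match port tcp eq 5060).
class-map SIP_UDP
 match port udp eq 5060
policy-map OUTSIDE_POLICY
 class SIP_UDP
  police input 256000 4000 conform-action transmit exceed-action drop
service-policy OUTSIDE_POLICY interface outside

! Check whether the device is under attack (commands named in the Cisco advisory):
! show conn port 5060
! show processes cpu-usage non-zero sorted
```

Option 1 is the only one that actually removes the vulnerable code path; options 2 and 3 assume the offending source is known or that the attack volume is modest, and an attacker who rotates sources or stays under the policed rate can still reach the inspection engine.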

In the attacks seen so far, the offending traffic used a Sent-by Address of If administrators see such traffic, they can filter it based on this value.

“While the vulnerability described in this advisory is being actively exploited, the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization,” Cisco said in its advisory. “After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread. Customers should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability.”

USB Remains Major Threat Vector for Industrial Facilities

Industrial facilities often isolate their critical systems from the internet or from the general IT network, which is why some threats that target industrial control systems, such as Stuxnet, are specifically designed to spread over USB storage devices.

According to data gathered by Honeywell through its Secure Media Exchange (SMX) product, USB remains a significant distribution vector for industrial threats.

The company detected at least one USB-borne malware threat at nearly half of the 50 locations where its product was deployed. Those facilities were spread across four continents and belonged to organizations in the oil and gas, energy, chemical manufacturing, pulp and paper and other industries.

Of the blocked threats, 1 in 4 “had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control,” the company said in a report. Furthermore, 1 in 6 “were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”

Almost 15 percent of the detected threats were high-profile ones, including Stuxnet, Mirai, TRITON and WannaCry.

“It’s not the presence of these threats that is concerning; on the contrary, these and other threats have been in the wild for some time,” the company said. “Rather, it’s that these threats were attempting to enter industrial control facilities via removable storage devices, in a relatively high density, that is significant.”

Lucian Constantin



Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
