Cisco Systems is warning customers about an unpatched vulnerability that allows attackers to crash or reboot security devices running its Adaptive Security Appliance (ASA) Software or Cisco Firepower Threat Defense (FTD) Software.
The vulnerability, CVE-2018-15454, was discovered while Cisco TAC was resolving a support case that involved active exploitation of the flaw in the wild. The flaw lies in the SIP inspection engine, which examines Session Initiation Protocol (SIP) traffic passing through the device, and it can be triggered with specially crafted SIP requests.
Both virtual and physical devices that run Cisco ASA Software Release 9.4 and later or Cisco FTD Software Release 6.0 and later and have SIP inspection enabled are affected. This includes: 3000 Series Industrial Security Appliance (ISA), ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4100 Series Security Appliance, Firepower 9300 ASA Security Module and FTD Virtual (FTDv).
Successful exploitation triggers high CPU use or a device reload, resulting in a denial-of-service (DoS) condition. Software updates are not yet available and there is no known workaround.
However, some mitigations do exist. Administrators can disable SIP inspection entirely, or use an access control list (ACL) to block traffic from the offending source addresses. The Modular Policy Framework (MPF) can also be used to rate-limit SIP traffic, although how well that works depends on the environment.
In the attacks seen so far, the offending traffic used a Sent-by address of 0.0.0.0 in the SIP Via header. Administrators who see such traffic can filter on that value while leaving SIP inspection enabled.
“While the vulnerability described in this advisory is being actively exploited, the output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization,” Cisco said in its advisory. “After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread. Customers should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability.”
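The three mitigations and the checks described above, written out as ASA CLI configuration. This is an added example for this page, not configuration taken from the article or from Cisco's advisory; the interface name "outside", the ACL name OUTSIDE_IN, the policy-map name SIP_DROP_ZERO_VIA and the attacker address 192.0.2.10 are assumptions for illustration, and the device is assumed to use the default global_policy.

```cisco
! Added example, not the article's or Cisco's own configuration.
! Interface "outside", ACL OUTSIDE_IN, policy-map SIP_DROP_ZERO_VIA and the
! source address 192.0.2.10 are illustrative assumptions.
! Options 1 and 3 both edit class inspection_default: apply one or the other.

! --- Option 1: disable SIP inspection in the default global policy ---
! Removes the vulnerable code path entirely. SIP inspection also opens the
! dynamic pinholes for RTP media and rewrites embedded addresses for NAT,
! so voice traffic through the firewall may stop working.
policy-map global_policy
 class inspection_default
  no inspect sip

! --- Option 2: block the offending source with an ACL (or a shun) ---
! "line 1" places the deny entries ahead of any existing permit for SIP.
! Only apply the access-group if no ACL is already bound inbound on the
! interface; an ACL containing nothing but deny lines blocks all other
! inbound traffic.
access-list OUTSIDE_IN line 1 extended deny udp host 192.0.2.10 any eq 5060
access-list OUTSIDE_IN line 1 extended deny tcp host 192.0.2.10 any eq 5060
access-group OUTSIDE_IN in interface outside
! Faster temporary alternative: drop every packet from that host without
! editing the ACL. Shuns are dynamic and are not kept in the saved config.
shun 192.0.2.10

! --- Option 3: keep SIP inspection, drop requests whose Via sent-by is 0.0.0.0 ---
! The dots are escaped so the regex matches the literal address rather than
! any single character in each position.
regex VIAHEADER "0\.0\.0\.0"
policy-map type inspect sip SIP_DROP_ZERO_VIA
 match via-header regex VIAHEADER
  drop
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip SIP_DROP_ZERO_VIA

! --- Checks named in the advisory, run from enable mode ---
! show conn port 5060                        (many incomplete SIP connections?)
! show processes cpu-usage non-zero sorted   (DATAPATH near the top?)
! show crashinfo                             (unknown abort of DATAPATH after reload?)
```

Option 3 is the narrowest change, since it only affects requests carrying the sent-by value seen in the attacks; an attacker who switches to a different value would need to be handled with Option 2 or, as a last resort, Option 1. Whatever is chosen, confirm with `show service-policy inspect sip` that the intended policy is in effect before concluding the device is protected.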
USB Remains Major Threat Vector for Industrial Facilities
Industrial facilities often isolate their critical systems from the internet or from the general IT network, which is why some threats that target industrial control systems, such as Stuxnet, are specifically designed to spread over USB storage devices.
According to data gathered by Honeywell through its Secure Media Exchange (SMX) product, USB remains a significant distribution vector for industrial threats.
The company detected at least one USB-borne malware threat in nearly half of the 50 locations where the product was deployed. Those facilities were spread across four continents and belonged to organizations in the oil and gas, energy, chemical manufacturing, pulp and paper and other industries.
Of the blocked threats, 1 in 4 “had the potential to cause a major disruption to an industrial control environment, including loss of view or loss of control,” the company said in a report. Furthermore, 1 in 6 “were targeted specifically against Industrial Control System (ICS) or Internet of Things (IoT) systems.”
Almost 15 percent of the total detected threats were high-profile ones, including Stuxnet, Mirai, TRITON and WannaCry.
“It’s not the presence of these threats that is concerning; on the contrary, these and other threats have been in the wild for some time,” the company said. “Rather, it’s that these threats were attempting to enter industrial control facilities via removable storage devices, in a relatively high density, that is significant.”