Attackers target SIP flaws in Cisco firewalls to overload devices

There are no patches or workarounds available for two software bugs found last week

hacking

Malicious actors are exploiting a Session Initiation Protocol-related (SIP) vulnerability in two Cisco products to trigger high CPU usage and take a system offline.

SIP is a signalling protocol used to set up and maintain real-time sessions, such as audio or video calls, online. The flaws, which are the result of incorrect handling of SIP traffic, can be exploited by an attacker "sending SIP requests designed to specifically trigger this issue at a high rate", according to the networking giant.

Advertisement - Article continues below

If exploited correctly, it could cause an affected device to reload, or trigger high CPU usage, leading to a denial-of-service (DoS).

The bug has been found in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) software running on a host of Cisco's physical and virtual appliances. These include the 3000 Series Industrial Security Appliance, Adaptive Security Virtual Appliance, and Firepower 9300 ASA Security Module.

The vulnerability is being exploited if the output of 'show conn port 5060' (where port 5060 on a router is normally reserved for SIP traffic) shows a large number of incomplete SIP connections, and CPU usage is high.

Users can determine whether their software is affected by running the 'show version' command on the UI, with the bug found in ASA version 9.4 or FTD version 6.0 and above.

Advertisement
Advertisement - Article continues below

Other affected appliances include ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, Adaptive Security Virtual Appliance (ASAv), Firepower Series 2100 and 4100 Series Security Appliance, and FTD Virtual (FTDv).

Advertisement - Article continues below

Cisco has said there are no patches available for the bug disclosed last week, nor any workarounds, with mitigation the only option for organisations affected. The company has set out four options for customers who may be under attack.

Disabling SIP inspection altogether will completely close the attack vector - but could break SIP connections. Blocking traffic from a specific IP address, presumed to be that of an attacker, meanwhile can be done using an access control list (ACL).

Users could also apply a filter on a 0.0.0.0 sent-by address since Cisco has seen offending traffic set to this invalid value, or implementing a rate limit on SIP traffic.

The networking giant's products and services are no stranger to abuse, with attackers previously exploiting a vulnerability in up to 168,000 unpatched IoT devices earlier this year to leave political messages.

Cisco first acknowledged the flaws through its Technical Services Advantage (TSA) technical support service, and says it will update its advisory should any patches be made available.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020