2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many readers may not know how to handle the Cisco ASA and FTD software denial of service vulnerability, so this article summarizes the cause of the problem and the available solutions; hopefully it helps you resolve the issue.
0x00 Event background
On 2018-10-31 Cisco officially issued a security advisory stating that a number of devices running Cisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software are affected. Both products support Session Initiation Protocol (SIP) inspection.
A vulnerability in the SIP inspection engine could allow an unauthenticated, remote attacker to cause an affected device to reload or to show persistently high CPU utilization, resulting in a denial of service (DoS).
The flaw is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending specific SIP requests to the affected device at a high rate, causing the device to crash and reload.
0x01 Scope of impact
Cisco Adaptive Security Appliance (ASA) Software 9.4 and later
Cisco Firepower Threat Defense (FTD) Software 6.0 and later
The following devices are affected:
3000 Series Industrial Security Appliance (ISA)
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4100 Series Security Appliance
Firepower 9300 ASA Security Module
FTD Virtual (FTDv)
SIP inspection is enabled by default in both Cisco ASA and Cisco FTD software, so the impact is broad.
Cisco has confirmed that the following devices are not affected:
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
0x02 Remediation recommendations
On an ASA device, check whether the running version is affected with the following command:
ciscoasa# show version | include Version
On an FTD device, check whether the running version is affected with the following command:
show version
Cisco has proposed three workarounds to mitigate the impact.
Option 1: block the offending hosts
Administrators can use an access control list (ACL) to block traffic from the specific source IP addresses seen in the connection table.
After applying the ACL, be sure to clear the existing connections from that source IP with the clear conn address command in EXEC mode.
Alternatively, use the shun command in EXEC mode to block the offending host.
This blocks all packets from the source IP without changing the configuration.
Note, however, that a shun does not survive a reload of the device.
Option 2: disable SIP inspection
Disabling SIP inspection completely avoids the impact of this vulnerability.
However, it may not be suitable for all users.
If NAT is applied to SIP traffic, or if not all ports required for SIP communication are opened through the ACL, disabling SIP inspection will break SIP connections.
To disable SIP inspection, configure the following:
Cisco ASA Software and Cisco FTD Software Releases 6.2 and later (in FTD 6.2 and later, use Cisco FMC to add the following via the FlexConfig policy):
policy-map global_policy
 class inspection_default
  no inspect sip
Cisco FTD Software Releases prior to 6.2:
configure inspection sip disable
Option 3: filter on Sent-by address 0.0.0.0
In many cases, the offending traffic has been found to set the Sent-by address (in the SIP Via header) to the invalid value 0.0.0.0.
If the administrator confirms that the offending traffic in their environment shows the same pattern (for example, by examining a packet capture), the following configuration can be applied to prevent the crashes:
regex VIAHEADER "0.0.0.0"
policy-map type inspect sip P1
 parameters
 match message-path regex VIAHEADER
  drop
policy-map global_policy
 class inspection_default
  no inspect sip
  inspect sip P1
In FTD 6.2 and later, use Cisco FMC to add this configuration through the FlexConfig policy.
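The packet-capture confirmation step above, as an added Python example that is not part of the original article or of Cisco's own tooling: it parses constructed SIP requests (the sample traffic and source IPs are made up for this example), extracts the Via sent-by host, and counts per-source requests matching the 0.0.0.0 pattern, which is the evidence an administrator wants before applying the regex policy from Option 3 or shunning a source under Option 1.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample traffic (source IP, raw SIP request); not a real capture.
# The first two requests carry a Via header whose sent-by address is the
# invalid 0.0.0.0 value described in the article; the third is a normal request.
SAMPLE_PACKETS = [
    ("203.0.113.5",
     "INVITE sip:bob@example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 0.0.0.0:5060;branch=z9hG4bK776asdhds\r\n"
     "From: <sip:alice@example.com>;tag=1928301774\r\n\r\n"),
    ("203.0.113.5",
     "OPTIONS sip:example.com SIP/2.0\r\n"
     "v: SIP/2.0/TCP 0.0.0.0;branch=z9hG4bK1\r\n\r\n"),
    ("198.51.100.7",
     "REGISTER sip:example.com SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK2\r\n\r\n"),
]

# Matches the sent-by host of a Via header ("Via:" or its compact form "v:"),
# stopping before an optional :port and any ;parameters. A bracketed IPv6
# host is accepted as one token.
VIA_RE = re.compile(
    r"^(?:Via|v):\s*SIP/2\.0/\w+\s+(\[[^\]]+\]|[^\s;:,]+)",
    re.IGNORECASE | re.MULTILINE,
)


def via_sent_by(msg: str) -> Optional[str]:
    """Return the sent-by host of the topmost Via header, or None if absent."""
    m = VIA_RE.search(msg)
    return m.group(1) if m else None


def has_zero_sent_by(msg: str) -> bool:
    """True when the request shows the 0.0.0.0 Sent-by pattern from Option 3."""
    return via_sent_by(msg) == "0.0.0.0"


def count_hits_per_source(packets) -> dict:
    """Count, per source IP, how many requests carry the 0.0.0.0 pattern."""
    hits = Counter()
    for src, msg in packets:
        if has_zero_sent_by(msg):
            hits[src] += 1
    return dict(hits)
```

Feed the function pairs of (source IP, request text) taken from your own capture; only sources with a non-zero count warrant the shun or the regex policy.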
After reading the above, have you mastered how to handle the Cisco ASA and FTD software denial of service vulnerability? If you want to learn more or find out more about this topic, you are welcome to follow the industry information channel. Thank you for reading!