CVE-2018-15454 (Cisco SIP) Exploit Information

IB-18-20248-CVE-2018-15454 Exploit Attempts Against Government Facilities Sector

TLP: AMBER

Department of Homeland Security

NCCIC US-CERT

Reference Number: IB-18-20248

Report Date: 2018-11-15T22:19:01+00:00

Notification:

DISCLAIMER: This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this bulletin or otherwise. This document is distributed as TLP:AMBER: Limited disclosure, restricted to participants’ organizations. Recipients may only use TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. For more information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.

Summary:

Since October 2018, NCCIC analysts have observed network traffic indicating attempts by unknown actors, against multiple government agencies, to exploit a vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP) inspection engine of Cisco ASA Software and Cisco FTD Software. This vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU usage, resulting in a denial-of-service (DoS) condition.

The vulnerability is due to improper handling of SIP traffic and affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled (ENABLED BY DEFAULT). An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate to any of the following Cisco products:

– 3000 Series Industrial Security Appliance (ISA)
– ASA 5500-X Series Next-Generation Firewalls
– ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
– Adaptive Security Virtual Appliance (ASAv)
– Firepower 2100 Series Security Appliance
– Firepower 4100 Series Security Appliance
– Firepower 9300 ASA Security Module
– FTD Virtual (FTDv)

This activity was observed in the Government Facilities Sector.

Analysis:

Host
IPv4: 46.249.59.196
Sighted: 2018-10-19 [only single sightings used]
Killchain Phase: Exploitation
Characterization: IP Watchlist
Notes: NCCIC analysts have observed network traffic from this IP address related to attempts by unknown actors, against multiple government agencies, to exploit a vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP) inspection engine of Cisco ASA Software and Cisco FTD Software. This vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU usage, resulting in a DoS condition.

Attempted scanning or exploit activity can be observed over port 5060 and shows a large number of incomplete SIP connections while the vulnerability is actively being exploited.

Open source research indicates this IP is geolocated in the Netherlands [ASN: AS50673]. Reporting by security vendors indicates this IP has been involved in scanning, brute force attempts, and other malicious network activity.

Host
IPv4: 5.62.63.223
Sighted: 2018-10-19 [only single sightings used]
Killchain Phase: Exploitation
Characterization: IP Watchlist
Notes: NCCIC analysts have observed network traffic from this IP address related to attempts by unknown actors, against multiple government agencies, to exploit a vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP) inspection engine of Cisco ASA Software and Cisco FTD Software. This vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU usage, resulting in a DoS condition.

Attempted scanning or exploit activity can be observed over port 5060 and shows a large number of incomplete SIP connections while the vulnerability is actively being exploited.

Open source research indicates this IP has a point-of-presence (PoP) in the United Kingdom [ASN: AS198605] and a virtual PoP in the United States. Reporting by security vendors indicates this IP has been involved in scanning, brute force attempts, and other malicious network activity.

Host
IPv4: 212.129.19.40
Sighted: 2018-10-19 [only single sightings used]
Killchain Phase: Exploitation
Characterization: IP Watchlist
Notes: NCCIC analysts have observed network traffic from this IP address related to attempts by unknown actors, against multiple government agencies, to exploit a vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP) inspection engine of Cisco ASA Software and Cisco FTD Software. This vulnerability could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU usage, resulting in a DoS condition.

Attempted scanning or exploit activity can be observed over port 5060 and shows a large number of incomplete SIP connections while the vulnerability is actively being exploited.

Open source research indicates this IP is geolocated in France [ASN: AS12876]. Reporting by security vendors indicates this IP has been involved in scanning, brute force attempts, and other malicious network activity.
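The three host entries above all give the same detection indicator: a large number of incomplete SIP connections to port 5060 from one source while the vulnerability is being exploited. The script below is an added example, not NCCIC or Cisco code, that turns that indicator into a check over connection records: it counts incomplete port-5060 connections per source, computes their rate, and also matches the three watchlisted addresses from the bulletin. The tab-separated record layout, the Zeek-style conn_state values ("SF" = completed, anything else = incomplete), the sample records and the thresholds are all constructed assumptions; swap in the parser for whatever flow or firewall log your site actually keeps.

```python
"""Flag sources that generate many incomplete SIP (port 5060) connections.

Added example for the NCCIC bulletin on CVE-2018-15454, not NCCIC or Cisco
code. The bulletin's indicator is a large number of incomplete SIP
connections to port 5060; this script counts them per source and also
matches the three watchlisted addresses. The tab-separated record layout,
the Zeek-style conn_state values and the thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SIP_PORT = 5060

# IP watchlist as published in the bulletin.
WATCHLIST = {"46.249.59.196", "5.62.63.223", "212.129.19.40"}

# Assumption: Zeek-style conn_state, where "SF" is a normally completed
# exchange; every other state is counted as an incomplete connection.
COMPLETE_STATES = {"SF"}


@dataclass
class SourceStats:
    total: int = 0
    incomplete: int = 0
    first_ts: float = float("inf")
    last_ts: float = 0.0
    targets: set = field(default_factory=set)


def parse_line(line):
    """Parse one constructed record: ts, src, sport, dst, dport, proto, conn_state."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 7:
        raise ValueError(f"malformed record: {line!r}")
    ts, src, sport, dst, dport, proto, state = parts
    return {"ts": float(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower(), "state": state}


def aggregate_sip(lines):
    """Per-source counters for connections whose destination port is 5060."""
    stats = defaultdict(SourceStats)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the header row
        rec = parse_line(line)
        if rec["dport"] != SIP_PORT:
            continue
        s = stats[rec["src"]]
        s.total += 1
        if rec["state"] not in COMPLETE_STATES:
            s.incomplete += 1
        s.first_ts = min(s.first_ts, rec["ts"])
        s.last_ts = max(s.last_ts, rec["ts"])
        s.targets.add(rec["dst"])
    return stats


def detect(lines, min_incomplete=20, min_rate=5.0):
    """Return one finding per suspicious source, sorted by source address.

    A source is flagged if it is on the watchlist, or if it produced at
    least `min_incomplete` incomplete SIP connections at `min_rate` or more
    per second. Both thresholds are assumptions to be tuned per site.
    """
    findings = []
    for src, s in sorted(aggregate_sip(lines).items()):
        reasons = []
        if src in WATCHLIST:
            reasons.append("watchlist")
        span = max(s.last_ts - s.first_ts, 1.0)  # at least 1 s, avoids division by zero
        rate = s.incomplete / span
        if s.incomplete >= min_incomplete and rate >= min_rate:
            reasons.append(f"{s.incomplete} incomplete SIP connections at {rate:.1f}/s")
        if reasons:
            findings.append({"src": src, "total": s.total, "incomplete": s.incomplete,
                             "targets": sorted(s.targets), "reasons": reasons})
    return findings


def constructed_log():
    """Constructed sample records (RFC 5737 documentation ranges plus one watchlisted IP)."""
    lines = ["#ts\tsrc\tsport\tdst\tdport\tproto\tconn_state"]
    # 40 unanswered SIP requests in under 4 seconds: the pattern the bulletin describes.
    for i in range(40):
        lines.append(f"{1539907200 + i * 0.1:.1f}\t203.0.113.7\t{40000 + i}\t198.51.100.10\t5060\tudp\tS0")
    # A few attempts from a watchlisted address: flagged by the list alone.
    for i in range(3):
        lines.append(f"{1539907300 + i:.1f}\t46.249.59.196\t5060\t198.51.100.10\t5060\tudp\tS0")
    # A real PBX completing its exchanges: must not be flagged.
    for i in range(30):
        lines.append(f"{1539907200 + i * 10:.1f}\t198.51.100.20\t5060\t198.51.100.10\t5060\tudp\tSF")
    # Non-SIP traffic is ignored entirely.
    lines.append("1539907400.0\t203.0.113.9\t51000\t198.51.100.10\t443\ttcp\tS0")
    return lines


if __name__ == "__main__":
    for f in detect(constructed_log()):
        print(f"{f['src']} -> {', '.join(f['targets'])}: {'; '.join(f['reasons'])}")
```

The rate test matters as much as the raw count: a busy PBX completes its exchanges, so it never accumulates incomplete connections, while the flood the bulletin describes produces them at many per second against a handful of inspected firewalls. Tune `min_incomplete` and `min_rate` against a baseline of your own SIP traffic before alerting on them.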
