CVE-2018-15454 (Cisco SIP) Exploit Information
IB-18-20248-CVE-2018-15454 Exploit Attempts Against Government Facilities Sector
TLP: AMBER
Department of Homeland Security
NCCIC US-CERT
Reference Number: IB-18-20248
Report Date: 2018-11-15T22:19:01+00:00
Notification:
DISCLAIMER: This report is provided “as is” for informational purposes only. The
Department of Homeland Security (DHS) does not provide any warranties of any
kind regarding any information contained within. The DHS does not endorse any
commercial product or service, referenced in this bulletin or otherwise. This
document is distributed as TLP:AMBER: Limited disclosure, restricted to
participants’ organizations. Recipients may only use TLP:AMBER information with
members of their own organization, and with clients or customers who need to
know the information to protect themselves or prevent further harm. For more
information on the Traffic Light Protocol, see http://www.us-cert.gov/tlp.
Summary:
Since October 2018, NCCIC analysts have observed network traffic indicating
attempts by unknown actors, directed at multiple government agencies, to exploit
a vulnerability [CVE-2018-15454] in the Session Initiation Protocol (SIP)
inspection engine of Cisco ASA Software and Cisco FTD Software. This
vulnerability could allow an unauthenticated, remote attacker to cause an
affected device to reload or trigger high CPU usage, resulting in a denial of
service (DoS) condition.
The vulnerability is due to improper handling of SIP traffic and affects Cisco
ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later
when SIP inspection is enabled (it is ENABLED BY DEFAULT). An attacker could
exploit this vulnerability by sending SIP requests designed to trigger this
issue at a high rate to any of the following Cisco products:
– 3000 Series Industrial Security Appliance (ISA)
– ASA 5500-X Series Next-Generation Firewalls
– ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600
Series Routers
– Adaptive Security Virtual Appliance (ASAv)
– Firepower 2100 Series Security Appliance
– Firepower 4100 Series Security Appliance
– Firepower 9300 ASA Security Module
– FTD Virtual (FTDv)
This activity was observed in the Government Facilities Sector.
Analysis:
Host
IPv4: 46.249.59.196
Sighted: 2018-10-19 [only single sightings used]
Killchain Phase: Exploitation
Characterization: IP Watchlist
Notes: NCCIC analysts have observed network traffic from this IP address,
related to attempts by unknown actors against multiple government
agencies, to exploit a vulnerability [CVE-2018-15454] in the Session
Initiation Protocol (SIP) inspection engine of Cisco ASA Software and
Cisco FTD Software. This vulnerability could allow an unauthenticated,
remote attacker to cause an affected device to reload or trigger high
CPU usage, resulting in a DoS condition.
Attempted scanning or exploit activity is observed over port 5060 and
shows a large number of incomplete SIP connections from the source
while the vulnerability is actively being exploited.
Open source research indicates this IP is geolocated in the Netherlands
[ASN: AS50673]. Reporting by security vendors indicates this IP has been
involved in scanning, brute force attempts, and other malicious network
activity.
Host
IPv4: 5.62.63.223
Sighted: 2018-10-19 [only single sightings used]
Killchain Phase: Exploitation
Characterization: IP Watchlist
Notes: NCCIC analysts have observed network traffic from this IP address,
related to attempts by unknown actors against multiple government
agencies, to exploit a vulnerability [CVE-2018-15454] in the Session
Initiation Protocol (SIP) inspection engine of Cisco ASA Software and
Cisco FTD Software. This vulnerability could allow an unauthenticated,
remote attacker to cause an affected device to reload or trigger high
CPU usage, resulting in a DoS condition.
Attempted scanning or exploit activity is observed over port 5060 and
shows a large number of incomplete SIP connections from the source
while the vulnerability is actively being exploited.
Open source research indicates this IP has a point-of-presence (PoP) in
the United Kingdom [ASN: AS198605] and a virtual PoP in the United
States. Reporting by security vendors indicates this IP has been
involved in scanning, brute force attempts, and other malicious network
activity.
Host
IPv4: 212.129.19.40
Sighted: 2018-10-19 [only single sightings used]
Killchain Phase: Exploitation
Characterization: IP Watchlist
Notes: NCCIC analysts have observed network traffic from this IP address,
related to attempts by unknown actors against multiple government
agencies, to exploit a vulnerability [CVE-2018-15454] in the Session
Initiation Protocol (SIP) inspection engine of Cisco ASA Software and
Cisco FTD Software. This vulnerability could allow an unauthenticated,
remote attacker to cause an affected device to reload or trigger high
CPU usage, resulting in a DoS condition.
Attempted scanning or exploit activity is observed over port 5060 and
shows a large number of incomplete SIP connections from the source
while the vulnerability is actively being exploited.
Open source research indicates this IP is geolocated in France [ASN:
AS12876]. Reporting by security vendors indicates this IP has been
involved in scanning, brute force attempts, and other malicious network
activity.
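The indicator repeated in each host entry above (traffic to port 5060 that leaves a large number of incomplete SIP connections from one source) can be turned into a simple detection. The following is an added example written for this page; it is not NCCIC or Cisco code. The flow-record line format it parses is constructed for the example and is not a real ASA or FTD log format, the sample traffic is constructed rather than captured, and the threshold of 20 incomplete connections per 60-second window is an assumed tuning value, not a figure from the bulletin. Only the three watchlist IPs are taken from the report.

```python
"""Flag sources opening many incomplete SIP (port 5060) connections.

Added example, not NCCIC or Cisco code. The flow-record format is
constructed for this example and is NOT a real ASA/FTD log format:

    <ISO-8601 timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <state>

where <state> is 'incomplete' (never completed) or 'established'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Watchlist IPs published in IB-18-20248.
WATCHLIST = {"46.249.59.196", "5.62.63.223", "212.129.19.40"}
SIP_PORT = 5060

RECORD_RE = re.compile(
    r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+) (incomplete|established)$"
)


def parse_record(line):
    """Parse one constructed flow-record line; return None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport, state = m.groups()
    return {
        "ts": datetime.fromisoformat(ts), "proto": proto,
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "state": state,
    }


def find_sip_floods(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src_ip: peak_count} for sources with at least `threshold`
    incomplete connections to port 5060 inside any sliding `window`.
    Threshold and window are assumed tuning values, not from the bulletin."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["dport"] != SIP_PORT or rec["state"] != "incomplete":
            continue
        per_src[rec["src"]].append(rec["ts"])

    offenders = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until the span is at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[src] = peak
    return offenders


def classify(offenders):
    """Tag each flagged source as a bulletin watchlist IP or an unknown source."""
    return {src: ("watchlist" if src in WATCHLIST else "unknown") for src in offenders}


def build_sample_lines():
    """Constructed sample traffic (not captured data)."""
    base = datetime(2018, 10, 19, 14, 0, 0)
    lines = []
    # Watchlist host: 25 incomplete SIP connections in 25 seconds -> flagged.
    for i in range(25):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} UDP "
                     f"46.249.59.196:{40000 + i} -> 192.0.2.10:5060 incomplete")
    # Legitimate SIP trunk: mostly established, a few incomplete -> not flagged.
    for i in range(10):
        state = "incomplete" if i % 5 == 0 else "established"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} UDP "
                     f"198.51.100.7:5060 -> 192.0.2.10:5060 {state}")
    # Slow scanner: 22 incomplete connections spread over 11 minutes -> never
    # more than 3 in any 60-second window, so not flagged by this rule.
    for i in range(22):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} UDP "
                     f"203.0.113.9:5060 -> 192.0.2.10:5060 incomplete")
    # Watchlist host probing SSH, not SIP -> outside this rule's scope.
    for i in range(30):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} TCP "
                     f"5.62.63.223:{50000 + i} -> 192.0.2.10:22 incomplete")
    return lines


if __name__ == "__main__":
    hits = find_sip_floods(build_sample_lines())
    for src, kind in classify(hits).items():
        print(f"{src}: {hits[src]} incomplete SIP connections in 60s ({kind})")
```

The sliding window matters: a slow scanner that spreads its probes out stays below the threshold, while the burst that actually triggers the high-CPU condition described in the bulletin stands out. The watchlist match is reported separately from the volume rule so that a burst from an IP not in the report still surfaces as "unknown" rather than being dropped.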