Cisco ASA and Firepower appliances under attack

Cisco is warning that a vulnerability in the software on its enterprise Adaptive Security Appliances (ASAs) and Firepower firewalls is being exploited in the wild, for denial of service attacks that can crash the devices.

The vulnerability stems from incorrect handling of Session Initiation Protocol (SIP) traffic by the inspection engine in Cisco's ASA Software Release 9.4 and FTD Software Release 6.0 and later versions.

SIP is used to set up voice over internet protocol phone calls.

Remote attackers can crash ASA and Firepower devices by sending large amounts of SIP requests. Large volumes of SIP traffic can also cause ASA and Firepower appliances to  reload, or trigger high processor usage.

If issuing the command show conn port 5060 on ASA and Firepower appliances reveals a high number of incomplete SIP connections, the device in question is likely under active attack. 

Furthmore, the show processes cpu-usage non-zero sorted command will show high processor utilisation.

No patches are available yet from Cisco to address the vulnerability.

Customers with ASA and Firepower devices can mitigate against the vulnerability by switching off SIP inspection or, blocking attackers or filtering out offending traffic with the invalid Sent-by Address set to 0.0.0.0, Cisco advised.

The company said the following products running ASA and FTD software are vulnerable if SIP inspection is enabled:

• 3000 Series Industrial Security Appliance (ISA)
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 2100 Series Security Appliance
• Firepower 4100 Series Security Appliance
• Firepower 9300 ASA Security Module
• FTD Virtual (FTDv)