ID CVE-2018-15454 Type cve Reporter cve@mitre.org Modified 2019-10-09T23:35:00
Description
A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition. The vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device. Software updates that address this vulnerability are not yet available.
{"threatpost": [{"lastseen": "2019-10-23T19:43:31", "bulletinFamily": "info", "cvelist": ["CVE-2018-15454"], "description": "Attackers are actively exploiting a zero-day vulnerability in certain Cisco security products, to cause a denial-of-service (DoS) condition.\n\nThe as-yet-unpatched flaw (CVE-2018-15454) has an 8.6 CVSS score and is rated high-severity. It exists in the Session Initiation Protocol (SIP) inspection engine of Cisco\u2019s Adaptive Security Appliance (ASA) software, and in the Cisco Firepower Threat Defense (FTD) software. It allows an unauthenticated, remote attacker to cause an affected device to reload, or it could trigger high CPU usage \u2013 both resulting in a DoS state.\n\nDoS states in security appliances are, of course, a positive development if you\u2019re a cyberattacker looking to penetrate enterprise networks. This essentially takes out the guards ahead of storming the castle.\n\nAccording to an [advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos>) from the networking giant, the vulnerability is due to \u201cimproper handling of SIP traffic.\u201d SIP is a networking protocol used to carry IP traffic across local-area and wide-area networks \u2013 mostly for voice, video and messaging applications but also hardware-appliance traffic. SIP inspection meanwhile provides address translation in message headers and bodies, the dynamic opening of ports, and supports application security and protocol conformance. In other words, it carries out a cornucopia of real-time tasks.\n\nThe problem is that unusually high volumes of traffic can essentially fluster the inspection engine by giving it too much to do. 
Thus, an attacker could exploit this vulnerability by sending high rates of SIP requests specifically designed to overwhelm an affected device and take it offline.\n\nCisco said that it has seen campaigns in the wild leveraging the flaw, and offered advice for determining if one\u2019s network is under attack. During a campaign, \u201cthe output of show conn port 5060 will show a large number of incomplete SIP connections and the output of show processes cpu-usage non-zero sorted will show a high CPU utilization,\u201d it explained. \u201cSuccessful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of show crashinfo will show an unknown abort of the DATAPATH thread.\u201d\n\nThe vulnerability affects Cisco ASA Software Release 9.4 (and later) and Cisco FTD Software Release 6.0 (and later) if SIP inspection is enabled (which is the default state). Any of the following Cisco products running the software are vulnerable: The 3000 Series Industrial Security Appliance (ISA); ASA 5500-X Series Next-Generation Firewalls; ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers; Adaptive Security Virtual Appliance (ASAv); Firepower 2100 and 4100 Series Security Appliances; Firepower 9300 ASA Security Module; and FTD Virtual (FTDv).\n\n**Mitigations**\n\nCisco said that a patch is forthcoming, but didn\u2019t specify when \u2013 and there are also no known workarounds. Fortunately, businesses can take action via a handful of mitigations in the meantime.\n\nThese include disabling SIP inspection completely, which will automatically close the attack vector. 
However, this would break SIP connections in a number of cases, such as when network address traversal is required, or if not all ports required for SIP communication are opened, according to Cisco.\n\nIf disabling the engine altogether is not appropriate, businesses also can block traffic from the specific source IP address that appears to be sending the offending traffic, using an access control list (ACL). Alternatively, the offending host can be shunned using the shun <ip_address> command in EXEC mode, thus blocking all packets from that source IP without the need for a configuration change. However, it should be noted that Cisco said that an attacker could exploit the vulnerability using spoofed IP packets, so it\u2019s not always possible to pinpoint the source.\n\nA third option has to do with address filtering. \u201cIn observed cases, the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0,\u201d Cisco explained. If an administrator confirms that the offending traffic shows the same pattern, he or she can reconfigure the appliance to block the address.\n\nThe vulnerability can also be mitigated by implementing a rate limit on SIP traffic, using the Modular Policy Framework (MPF). 
This will place a threshold on the amount of tasks the inspection engine is asked to perform.\n", "modified": "2018-11-02T16:50:54", "published": "2018-11-02T16:50:54", "id": "THREATPOST:C48BE2055FE2AF4DD4C45630F92FFCF9", "href": "https://threatpost.com/cisco-security-appliance-zero-day-found-actively-exploited-in-the-wild/138763/", "type": "threatpost", "title": "Cisco Security Appliance Zero-Day Found Actively Exploited in the Wild", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-03T07:10:18", "bulletinFamily": "info", "cvelist": ["CVE-2018-15454", "CVE-2019-1663"], "description": "Cisco is urging customers to update their wireless VPN and firewall routers, after patching a critical vulnerability that could allow unauthenticated, remote attackers to execute arbitrary code.\n\nThe vulnerability, CVE-2019-1663, has a CVSS score of 9.8 and impacts the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router. These small business routers are used for wireless connectivity in small offices and home offices.\n\n\u201cA successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user,\u201d said Cisco in its [Wednesday advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex>).\n\nSpecifically, the vulnerability exists in the web-based management interface for the three router models. The management interface for these devices is available through a local LAN connection or the remote management feature.\n\nThe glitch stems from the interface, which does not properly double check the user-supplied data sent to it. So an attacker could send malicious HTTP requests to the impacted targeted devices, and ultimately execute code on them. 
Making matters worse, the attacker could be unauthenticated and remote.\n\n\u201cThe vulnerability is reportedly due to improperly validated user input fields through the HTTP/HTTPS user management interface,\u201d said Ryan Seguin, engineer with Tenable, in a Wednesday [analysis of the flaw](<https://www.tenable.com/blog/management-interfaces-in-three-models-of-cisco-networking-devices-are-vulnerable-to-rce-attacks>). \u201cCisco has tagged this vulnerability with CWE-119, the designation for a buffer overflow. This means that a pre-authentication user input field on these devices can be manipulated into dropping code into the device\u2019s memory, which it then executes at the system level.\u201d\n\nRouters with the remote-management feature enabled are exposed to a remote attack, Cisco said. The feature is disabled by default, but administrators can check if remote management is enabled by selecting Basic Settings>Remote Management in their router\u2019s web interface.\n\nWhile Cisco did not detail whether the vulnerability was being exploited in the wild, the tech giant released firmware updates for the affected devices that address it.\n\nThe patched software versions are: RV110W Wireless-N VPN Firewall version 1.2.2.1, RV130W Wireless-N Multifunction VPN Router version 1.0.3.45, and RV215W Wireless-N VPN Router version 1.3.1.1.\n\nThe vulnerability was discovered by security researchers Yu Zhang and Haoliang Lu, and T. Shiomitsu of Pen Test Partners.\n\nCisco routers with vulnerabilities \u2013 even those with patches issued for them \u2013 are frequently targeted by attackers. In January, [malicious scanning activity](<https://threatpost.com/scans-cisco-routers-code-execution/141218/>) targeting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers with just-patched vulnerabilities was discovered. 
And in November, attackers actively exploited a [zero-day vulnerability](<https://threatpost.com/cisco-security-appliance-zero-day-found-actively-exploited-in-the-wild/138763/>) (CVE-2018-15454) in certain Cisco security products, to cause a denial-of-service (DoS) condition.\n", "modified": "2019-02-28T14:27:13", "published": "2019-02-28T14:27:13", "id": "THREATPOST:EE1514D582AFEB8D8646124D21F4A1ED", "href": "https://threatpost.com/cisco-fixes-critical-flaw-in-wireless-vpn-firewall-routers/142284/", "type": "threatpost", "title": "Cisco Fixes Critical Flaw in Wireless VPN, Firewall Routers", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:40:52", "bulletinFamily": "software", "cvelist": ["CVE-2018-15454"], "description": "A vulnerability in the Session Initiation Protocol (SIP) inspection engine of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial of service (DoS) condition.\n\nThe vulnerability is due to improper handling of SIP traffic. An attacker could exploit this vulnerability by sending SIP requests designed to specifically trigger this issue at a high rate across an affected device.\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. 
Mitigation options that address this vulnerability are available.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos\"]", "modified": "2018-11-16T21:19:02", "published": "2018-10-31T19:30:00", "id": "CISCO-SA-20181031-ASAFTD-SIP-DOS", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos", "type": "cisco", "title": "Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability", "cvss": {"score": 8.6, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}}], "cert": [{"lastseen": "2020-09-18T20:42:46", "bulletinFamily": "info", "cvelist": ["CVE-2018-15454"], "description": "### Overview \n\nCisco Adaptive Security Appliance (ASA) software and Cisco Firepower Threat Defense (FTD) software fails to properly parse SIP traffic, which can result in a denial-of-service condition on affected devices.\n\n### Description \n\nCisco [Adaptive Security Appliance (ASA)](<https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>) software and Cisco [Firepower Threat Defense (FTD)](<https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html>) software fails to properly parse [SIP](<https://en.wikipedia.org/wiki/Session_Initiation_Protocol>) traffic, which can allow an attacker to trigger high CPU usage, resulting in a denial-of-service condition on affected devices. This vulnerability is exposed if [SIP Inspection](<https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html#ID-2096-00000613>) is enabled on affected devices, which is the default configuration on ASA devices. 
The Cisco [SIP Inspection](<https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/inspect-voicevideo.html#ID-2096-00000613>) feature is advertised to \"_... enforce the sanity of the SIP messages, as well as detect SIP-based attacks._\" \n \n--- \n \n### Impact \n\nBy causing an affected Cisco device to parse specially-crafted SIP traffic, a remote, unauthenticated attacker may be able to trigger a denial-of-service condition on affected devices. \n \n--- \n \n### Solution \n\nThe CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds: \n \n--- \n \n**Disable SIP Inspection**\n\nAccording to the [Cisco advisory](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos#workarounds>): \n\n\n_Disabling SIP inspection will completely close the attack vector for this vulnerability. However, it may not be suitable for all customers. In particular, disabling SIP inspection would break SIP connections if either NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL._ \n \n_To disable SIP inspection, configure the following:_ \n \n_Cisco ASA Software and Cisco FTD Software Releases 6.2 and later (in FTD 6.2 and later use Cisco FMC to add the following via FlexConfig policy):_ \n \n`policy-map global_policy` \n` class inspection_default` \n`  no inspect sip` \n \n_Cisco FTD Software Releases prior to 6.2:_ \n \n`configure inspection sip disable` \n--- \n \n### Vendor Information\n\n339704\n\n
### Cisco Affected\n\nUpdated: November 01, 2018 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C \nTemporal | 7.4 | E:H/RL:W/RC:C \nEnvironmental | 5.5 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos>\n * <https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html>\n * <https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212420-configure-firepower-threat-defense-ftd.html>\n * <https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-voicevideo.html#ID-2096-00000613>\n * <https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/firewall/asa-99-firewall-config/inspect-voicevideo.pdf>\n * <https://en.wikipedia.org/wiki/Session_Initiation_Protocol>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by Cisco.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2018-15454](<http://web.nvd.nist.gov/vuln/detail/CVE-2018-15454>) \n---|--- \n**Date Public:** | 2018-10-31 \n**Date First Published:** | 2018-11-01 \n**Date Last Updated: ** | 2018-11-05 19:20 UTC \n**Document Revision: ** | 26 \n", "modified": "2018-11-05T19:20:00", "published": "2018-11-01T00:00:00", "id": "VU:339704", "href": "https://www.kb.cert.org/vuls/id/339704", "type": "cert", "title": "Cisco ASA and FTD SIP Inspection denial-of-service vulnerability", 
"cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-03-01T01:40:25", "description": "According to its version, the Cisco Firepower Threat Defense (FTD)\nsoftware installed on the remote host is affected by a denial of\nservice vulnerability which could allow an unauthenticated, remote\nattacker to cause a reload of the affected system.", "edition": 26, "cvss3": {"score": 8.6, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2018-11-08T00:00:00", "title": "Cisco Firepower Threat Defense (FTD) Adaptive Security Appliance Denial of Service Vulnerability (cisco-sa-20181031-asaftd-sip-dos)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-15454"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:cisco:firepower", "cpe:/a:cisco:firepower_threat_defense"], "id": "CISCO-SA-20181031-ASAFTD-SIP-DOS-FTD.NASL", "href": "https://www.tenable.com/plugins/nessus/118822", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118822);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/01/09\");\n\n script_cve_id(\"CVE-2018-15454\");\n script_bugtraq_id(105768);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm43975\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20181031-asaftd-sip-dos\");\n\n script_name(english:\"Cisco Firepower Threat Defense (FTD) Adaptive Security Appliance Denial of Service Vulnerability (cisco-sa-20181031-asaftd-sip-dos)\");\n script_summary(english:\"Checks the version of Cisco Firepower Threat Defense.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The packet inspection software installed on the remote host is\naffected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the Cisco Firepower Threat Defense (FTD)\nsoftware installed on the remote host is affected by a denial of\nservice vulnerability which 
could allow an unauthenticated, remote\nattacker to cause a reload of the affected system.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?80f71c25\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a fixed version referenced in the Cisco advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-15454\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:firepower\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:firepower_threat_defense\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\", \"cisco_asa_firepower_version.nasl\", \"cisco_enumerate_firepower.nbin\");\n script_require_keys(\"installed_sw/Cisco Firepower Threat Defense\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('audit.inc');\ninclude('misc_func.inc');\ninclude('global_settings.inc');\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp = \"Cisco Firepower Threat Defense\";\n\n# Based on the advisory, it seems we're looking only for FTD and not FXOS\napp_info = vcf::get_app_info(app:app);\n\nver = app_info['version'];\n\nif (isnull(ver)) audit(AUDIT_HOST_NOT, app);\n\nif (ver =~ \"^6\\.0\\.[01]($|\\.)\")\n fix = \"6.1.0.7\";\nelse if (ver =~ \"^6\\.1\\.0($|\\.)\")\n fix = \"6.1.0.7\";\nelse if (ver =~ \"^6\\.2\\.0($|\\.)\")\n fix = \"6.2.0.6\";\nelse if (ver =~ \"^6\\.2\\.[12]($|\\.)\")\n fix = \"6.2.2.4\";\nelse if (ver =~ \"^6\\.2\\.3($|\\.)\")\n fix = \"6.2.3.7\";\nelse\n audit(AUDIT_INST_VER_NOT_VULN, app, ver);\n\nif (ver_compare(ver:ver, fix:fix, strict:FALSE) < 0)\n{\n report =\n '\\n Cisco bug ID : CSCvm43975' +\n '\\n Installed release : ' + ver +\n '\\n Fixed release : ' + fix;\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n} else audit(AUDIT_INST_VER_NOT_VULN, app, ver);\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-03-01T01:40:25", "description": "According to its self-reported version the Cisco Adaptive Security\nAppliance (ASA) software running on the remote device is affected by\na denial of service vulnerability which could allow an\nunauthenticated, remote attacker to cause a reload of the affected\nsystem.", "edition": 26, "cvss3": {"score": 8.6, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}, "published": "2018-11-08T00:00:00", "title": "Cisco ASA Denial of Service Vulnerability (cisco-sa-20181031-asaftd-sip-dos)", "type": "nessus", "bulletinFamily": "scanner", 
"cvelist": ["CVE-2018-15454"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:cisco:adaptive_security_appliance_software"], "id": "CISCO-SA-20181031-ASAFTD-SIP-DOS-ASA.NASL", "href": "https://www.tenable.com/plugins/nessus/118821", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118821);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2020/01/09\");\n\n script_cve_id(\"CVE-2018-15454\");\n script_bugtraq_id(105768);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm43975\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20181031-asaftd-sip-dos\");\n\n script_name(english:\"Cisco ASA Denial of Service Vulnerability (cisco-sa-20181031-asaftd-sip-dos)\");\n script_summary(english:\"Checks the ASA version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version the Cisco Adaptive Security\nAppliance (ASA) software running on the remote device is affected by\na denial of service vulnerability which could allow an\nunauthenticated, remote attacker to cause a reload of the affected\nsystem.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?80f71c25\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco security\nadvisory cisco-sa-20181031-asaftd-sip-dos.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-15454\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/11/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:adaptive_security_appliance_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"Host/Cisco/ASA\", \"Host/Cisco/ASA/model\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nproduct_info = cisco::get_product_info(name:\"Cisco Adaptive Security Appliance (ASA) Software\");\n\nif (\n product_info.model !~ '^30[0-9][0-9]($|[^0-9])' && # 3000 ISA\n product_info.model !~ '^55[0-9][0-9]-X' && # 5500-X\n product_info.model !~ '^65[0-9][0-9]($|[^0-9])' && # 6500\n product_info.model !~ '^76[0-9][0-9]($|[^0-9])' && # 7600\n product_info.model != 'v' && # ASAv\n product_info.model !~ '^21[0-9][0-9]($|[^0-9])' && # Firepower 2100 SSA\n product_info.model !~ '^41[0-9][0-9]($|[^0-9])' && # Firepower 4100 SSA\n product_info.model !~ '^93[0-9][0-9]($|[^0-9])' # Firepower 9300 ASA\n) audit(AUDIT_HOST_NOT, \"an affected Cisco ASA product\");\n\nvuln_ranges = [\n {'min_ver' : '9.4', 'fix_ver' : '9.4.4.27'},\n {'min_ver' : '9.5', 'fix_ver' : '9.6.4.18'},\n {'min_ver' : '9.7', 'fix_ver' : '9.8.3.16'},\n {'min_ver' : '9.9', 'fix_ver' : '9.9.2.32'},\n {'min_ver' : '9.10', 'fix_ver' : '9.10.1.2'}\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , 'CSCvm43975'\n);\n\ncisco::check_and_report(\n product_info:product_info,\n workarounds:workarounds,\n workaround_params:workaround_params,\n reporting:reporting,\n vuln_ranges:vuln_ranges\n);\n\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}