Resolution:

Please refer to the below link and navigate to the “Resolution” section for further assistance on the same:

https://knowledge.digicert.com/alerts/ALERT2566.html

2) Cisco Denial of Service Vulnerability

Security researchers at Cisco have revealed the existence of a zero-day vulnerability (CVE-2018-15454) affecting products that run the Adaptive Security Appliance (ASA) and Firepower Threat Defence (FTD) software.

Cisco encountered and discovered the vulnerability while analyzing support cases. This vulnerability affects Cisco ASA Software Release 9.4 and later, and Cisco FTD Software Release 6.0 and later only if Session Initiation Protocol (SIP) inspection is enabled and the software is running.

This vulnerability could allow an unauthenticated remote attacker to reload or trigger high CPU on affected devices, resulting in a denial of service (DoS) condition.

Vulnerability Description:

The vulnerability resides in the SIP inspection engine of ASA and FTD software and has occurred due to improper handling of the SIP traffic. An attacker could exploit this vulnerability by sending multiple SIP requests, designed to specifically trigger this issue, at a high rate across an affected device.

While the vulnerability described is being actively exploited, the output of “show connection” on port 5060 will show a large number of incomplete SIP connections and the output of “show processes” CPU-usage non-zero sorted will show high CPU utilization.

Successful exploitation of this vulnerability can also result in the affected device crashing and reloading. After the device boots up again, the output of the show crashinfo command will display an unknown abort of the DATAPATH thread. Customer should reach out to Cisco TAC with this information to determine whether the particular crash was related to exploitation of this vulnerability.

Remediation/Mitigation Options:

Option 1:

Block traffic from the specific source IP address seen in the connection table using an access control list (ACL). After applying the ACL, make sure to clear existing connections for that source using the clear conn address <ip_address> command in EXEC mode. Alternatively, the offending host can be shunned using the shun <ip_address> command in EXEC mode. This will block all packets from that source IP without the need for a configuration change. However, please be aware that shunning does not persist across the reboot.

Option 2:

Disabling SIP inspection will completely close the attack vector for this vulnerability. However, it may not be suitable for all customers. In particular, disabling SIP inspection would break SIP connections if either NAT is applied to SIP traffic or if not all ports required for SIP communication are opened via ACL.

To disable SIP inspection, configure the following:

  • Cisco ASA Software and Cisco FTD Software Releases 6.2 and later (in FTD 6.2 and later use Cisco FMC to add the following via FlexConfig policy):
policy-map global_policy

class inspection_default

no inspect sip
  • Cisco FTD Software Releases prior to 6.2:
configure inspection sip disable

Option 3:

In many cases, the offending traffic has been found to have the Sent-by Address set to the invalid value of 0.0.0.0. If an administrator confirms that the offending traffic shows the same pattern in their environment (e.g. confirmed via packet capture), the following configuration can be applied to prevent the crash:

regex VIAHEADER "0.0.0.0"

policy-map type inspect sip P1

parameters

match message-path regex VIAHEADER

   drop

policy-map global_policy

class inspection_default

   no inspect sip

   inspect sip P1

In FTD 6.2 and later, use Cisco FMC to add this configuration via FlexConfig policy.

3) Windows Zero-Day Vulnerability

The zero-day, known as CVE-2018-8589, exploits the Windows Win32k component. Microsoft classifies the issue as a “Privilege Escalation” vulnerability. This vulnerability requires that before an attacker can use this zero-day to gain elevated privileges, they will need to find a way to infect a system and run malicious code(s) on it using other exploits.

An attacker who successfully exploits this vulnerability could install programs, view, change, delete data, or create new accounts on the affected system(s) with complete user rights.

Highlights of the Latest Microsoft Tuesday Patch

Microsoft fixed 64 vulnerabilities with the release of its security updates for November, of which 12 were labelled as “Critical”. During the previous month, Microsoft patched CVE-2018-8453, a zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor.

The first vulnerability, CVE-2018-8584, is an Elevation of Privilege vulnerability involving Advanced Local Procedure Call. Another public vulnerability (CVE-2018-8566) is a BitLocker Security Feature Bypass vulnerability which requires the attacker gaining physical access to the target system.

Microsoft’s Chakra JavaScript engine, which is generally used in Microsoft Edge web browser, also had its own updates, where eight critical vulnerabilities were addressed, including CVE-2018-8588, a Chakra Scripting Engine Memory Corruption bug.

Recommendations:

  • Install patches and updates for devices via the recommended path, as recommended by the vendor.
  • Run software/tools with least privileges while still maintaining functionality.
  • Avoid handling files from unknown sources.
  • Block external access to the network perimeter unless required.

As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.

Blog By:

Shaikh Azhar, Cyber Security Analyst at Help AG