Overview
Recently, Cisco released an official security advisory to announce fixes for multiple high-risk vulnerabilities, which could cause a denial of service and remote code execution.
Details of this vulnerability can be found at the following link:
https://tools.cisco.com/security/center/publicationListing.x
Vulnerability Description
| CVE ID | CVSS 3.0 | Vulnerability Description |
| CVE-2018-15454 | 8.6 | Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software Denial-of-Service Vulnerability |
| CVE-2018-16986 | 8.8 | Texas Instruments (TI) Bluetooth Low Energy (BLE) Remote Code Execution Vulnerability |
CVE-2018-15454
The Session Initiation Protocol (SIP) inspection engine of Cisco ASA Software and Cisco FTD Software is prone to a vulnerability, which allows an unauthenticated remote attacker to cause an affected device to reload or trigger high CPU, resulting in a denial-of-service attack.
The vulnerability is due to improper handling of SIP traffic. An attacker could trigger this vulnerability by sending crafted SIP requests to a vulnerable device. By default, SIP inspection is enabled on both Cisco ASA Software and Cisco FTD Software.
Affected Products:
This vulnerability affects Cisco ASA Software Release 9.4 and later and Cisco FTD Software Release 6.0 and later if SIP inspection is enabled and the software is running on any of the following Cisco products:
- 3000 Series Industrial Security Appliance (ISA)
- ASA 5500-X Series Next-Generation Firewalls
- ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
- Adaptive Security Virtual Appliance (ASAv)
- Firepower 2100 Series Security Appliance
- Firepower 4100 Series Security Appliance
- Firepower 9300 ASA Security Module
- FTD Virtual (FTDv)
Solution:
Cisco has not provided any software update for fixing this vulnerability yet; however, there are four mitigation options.
- Disable SIP inspection.
- Block the offending host(s).
- Filter on send-by address of 0.0.0.0.
- Rate limit SIP traffic.
For details about these mitigation options, see Workarounds at the following link.
Reference link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos
CVE-2018-16986
On November 1, 2018, Armis announced the presence of a remote code execution vulnerability in the BLE Stack on TI chips CC2640 and CC2650.
When BLE is enabled on an affected device, an attacker in close proximity could exploit the vulnerability by broadcasting malformed BLE frames.
Affected Products:
| Product | Cisco Bug ID | Fixed Release Availability |
| Cisco 1540 Aironet Series Outdoor Access Points | CSCvk44163 | 8.8.100.0 |
| Cisco 1800i Aironet Access Points | CSCvk44163 | 8.8.100.0 |
| Cisco 1810 Aironet Access Points | CSCvk44163 | 8.8.100.0 |
| Cisco 1815i Aironet Access Points | CSCvk44163 | 8.8.100.0 |
| Cisco 1815m Aironet Access Points | CSCvk44163 | 8.8.100.0 |
| Cisco 1815w Aironet Access Points | CSCvk44163 | 8.8.100.0 |
| Cisco 4800 Aironet Access Points | CSCvk44163 | 8.8.100.0 |
| Meraki MR30H AP | N/A | MR 25.13 and later |
| Meraki MR33 AP | N/A | MR 25.13 and later |
| Meraki MR42E AP | N/A | MR 25.13 and later |
| Meraki MR53E AP | N/A | MR 25.13 and later |
| Meraki MR74 | N/A | MR 25.13 and later |
Solution:
Cisco has released corresponding software updates for the preceding affected products. Users of affected products are advised to download the updates as soon as possible.
Reference link:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181101-ap
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit:
https://www.nsfocusglobal.com
NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.
