ASA SIP inspection vulnerability

[Dieselboy]

Reference: https://www.itnews.com.au/news/cisco-asa-and-firepower-appliances-under-attack-514971?utm_source=feed&utm_medium=rss&utm_campaign=editors_picks

SIP is enabled inspected globally by default. To mitigate the risk of random internet attackers trying to leverage this vulnerability, I suggest to disable SIP inspection. If you cannot disable SIP inspection due to requiring it for your SIP trunks then I suggest to implement the two steps below which allows sip inspection only for your legitimate SIP service provider traffic.

1. First steps are to disable SIP globally in the service policy. Then next, create a new service policy entry that matches traffic between your SIP gateway internal to your firewall and the ITSP or ITSP's (Internet Telephony Service Providers) which provide you your sip trunk(s). In my case I am matching the SIP gateway on my network to any address. You could filter it to the ITSP but I have not done so here. See screenshot of the service policy.

2. The second step is to configure your inbound Access Rule to allow traffic to your SIP gateway only from your 'trusted' ITSP.

The end results are:
SIP inspection disabled for all traffic globally
SIP inspection enabled for legitimate traffic reaching your SIP gateway.

I have been running this config for a while as I need sip inspection disabled for some other sip gateway in my network.

[deanwebb]

^ Important stuff, peeps.