ASA SIP inspection vulnerability

Started by Dieselboy, November 01, 2018, 10:52:54 PM


Dieselboy

Reference: https://www.itnews.com.au/news/cisco-asa-and-firepower-appliances-under-attack-514971?utm_source=feed&utm_medium=rss&utm_campaign=editors_picks

SIP inspection is enabled globally by default. To mitigate the risk of random internet attackers trying to leverage this vulnerability, I suggest disabling SIP inspection. If you cannot disable SIP inspection because you require it for your SIP trunks, then I suggest implementing the two steps below, which allow SIP inspection only for your legitimate SIP service provider traffic.

1. The first step is to disable SIP inspection globally in the service policy. Next, create a new service policy entry that matches traffic between the SIP gateway internal to your firewall and the ITSP or ITSPs (Internet Telephony Service Providers) which provide your SIP trunk(s). In my case I am matching the SIP gateway on my network to any address. You could filter it to the ITSP, but I have not done so here. See the screenshot of the service policy.

2. The second step is to configure your inbound Access Rule to allow traffic to your SIP gateway only from your 'trusted' ITSP.

The end results are:
SIP inspection disabled for all traffic globally
SIP inspection enabled for legitimate traffic reaching your SIP gateway.

I have been running this config for a while as I need SIP inspection disabled for another SIP gateway in my network.
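
The two steps above expressed as ASA CLI, added here as an example and not the poster's own configuration (the post shows it via ASDM screenshots). The gateway address 10.0.0.10, the ITSP address 203.0.113.5, the object/ACL/class names and the interface name "outside" are placeholders; it also assumes the default global_policy and inspection_default names and that no inbound ACL is already bound to the outside interface.

```cisco
! 1. Remove SIP from the default global inspection class
!    (global_policy / inspection_default are the ASA default names).
policy-map global_policy
 class inspection_default
  no inspect sip

! Internal SIP gateway and the trusted ITSP (placeholder addresses).
object network SIP_GATEWAY
 host 10.0.0.10
object network ITSP
 host 203.0.113.5

! Traffic that still gets SIP inspection: signalling between the gateway and the ITSP.
! Both directions are listed so the flow matches whichever side opens it.
! To match the gateway against any peer, as in the post, replace "object ITSP" with "any".
access-list SIP_TRUNK_INSPECT extended permit udp object SIP_GATEWAY object ITSP eq sip
access-list SIP_TRUNK_INSPECT extended permit udp object ITSP object SIP_GATEWAY eq sip
access-list SIP_TRUNK_INSPECT extended permit tcp object SIP_GATEWAY object ITSP eq sip
access-list SIP_TRUNK_INSPECT extended permit tcp object ITSP object SIP_GATEWAY eq sip

class-map SIP_TRUNK_CLASS
 match access-list SIP_TRUNK_INSPECT

! Re-enable SIP inspection only for that class.
policy-map global_policy
 class SIP_TRUNK_CLASS
  inspect sip

! 2. Inbound rule on the outside interface: SIP to the gateway only from the ITSP.
!    On ASA 8.3 and later the ACL uses the real (pre-NAT) address of the gateway.
!    Media (RTP) pinholes are opened dynamically by SIP inspection, so only
!    signalling needs to be permitted here; everything else hits the implicit deny.
access-list OUTSIDE_IN extended permit udp object ITSP object SIP_GATEWAY eq sip
access-list OUTSIDE_IN extended permit tcp object ITSP object SIP_GATEWAY eq sip
access-group OUTSIDE_IN in interface outside

! Check: only SIP_TRUNK_CLASS should report SIP inspection counters.
show service-policy inspect sip
```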

deanwebb

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.