CVE-2021-1501
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to cause a denial of service by sending crafted SIP traffic through affected Cisco ASA and FTD devices. The vulnerability triggers a crash during SIP inspection hash lookups, forcing device reloads. Organizations using Cisco ASA Software or Firepower Threat Defense Software with SIP inspection enabled are affected.
💻 Affected Systems
- Cisco Adaptive Security Appliance (ASA) Software
- Cisco Firepower Threat Defense (FTD) Software
📦 What is this software?
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
Adaptive Security Appliance Software by Cisco
View all CVEs affecting Adaptive Security Appliance Software →
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with repeated crashes and reloads, potentially causing extended network downtime and service unavailability.
Likely Case
Intermittent service disruptions as devices crash and reload, affecting SIP-based communications and potentially other traffic passing through the device.
If Mitigated
Minimal impact if SIP inspection is disabled or devices are patched, with normal operations continuing uninterrupted.
🎯 Exploit Status
Exploitation requires sending crafted SIP packets, which is relatively straightforward for attackers with network access to affected devices.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions available (see Cisco advisory for specific fixed releases)
Vendor Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-sipdos-GGwmMerC
Restart Required: Yes
Instructions:
1. Review Cisco advisory for specific fixed versions for your device model. 2. Download appropriate firmware from Cisco. 3. Backup current configuration. 4. Apply firmware update following Cisco upgrade procedures. 5. Reboot device to complete installation.
🔧 Temporary Workarounds
Disable SIP Inspection
allTemporarily disable SIP inspection to prevent exploitation while patching
policy-map global_policy
class inspection_default
no inspect sip
🧯 If You Can't Patch
- Implement network segmentation to restrict SIP traffic to trusted sources only
- Deploy intrusion prevention systems (IPS) to detect and block malicious SIP traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check if SIP inspection is enabled and compare device version against affected versions in Cisco advisoryCheck Version:
show version | include VersionVerify Fix Applied:
Verify device is running a fixed version from Cisco advisory and confirm SIP inspection functionality📡 Detection & Monitoring
Log Indicators:
- Device crash and reload events
- SIP inspection engine errors
- High volume of malformed SIP packets
Network Indicators:
- Unusual SIP traffic patterns
- Crafted SIP packets with abnormal headers
- Traffic causing hash collision patterns
SIEM Query:
source="asa" OR source="ftd" AND (event_type="crash" OR event_type="reload" OR message="SIP" AND message="inspect")