An attacker from a remote location could exploit the vulnerability by simply sending an email.
Cisco has patched one critical and one high-severity vulnerability in the software for its email security appliances. Both result in a denial of service (DoS) on affected devices, and both can be triggered by a remote attacker simply sending an email.
On Wednesday, the company released 18 fixes for product vulnerabilities: one critical, one high, and sixteen medium-severity flaws. The most severe of these, a critical flaw tracked as CVE-2018-15453, has a CVSS score of 8.3 and could lead to a “permanent DoS” on affected devices.
The flaw is in Cisco AsyncOS, the operating software for the Cisco Email Security Appliance (ESA), the company’s platform for protecting against email-based threats. Specifically, the vulnerable code is the software’s handling of Secure/Multipurpose Internet Mail Extensions (S/MIME), the standards-based method for signing and encrypting email messages.
The root cause is incorrect input validation of S/MIME-signed emails in two S/MIME features of the software: the Decryption and Verification feature and the Public Key Harvesting feature.
Inadequate input validation lets an attacker craft input in a form that the rest of the application does not anticipate. When either of these S/MIME features is enabled, an attacker could exploit the vulnerability by sending a malicious S/MIME-signed email through a vulnerable device.
Once the S/MIME code receives this malformed input, the filtering process crashes. Cisco stated, “If decryption and verification or public-key harvesting is configured, the filtering process may crash due to memory corruption and restart, resulting in a DoS condition.”
The process then restarts and attempts to resume processing the same S/MIME-signed email, which crashes it again, and the cycle repeats.
Cisco stated that a successful exploit could allow an attacker to cause a permanent DoS condition, and that recovering the email security appliance may require manual intervention.
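To make the crash-restart loop concrete, here is an added illustration in Python. It is not Cisco’s code and does not model AsyncOS internals: a toy filter stands in for the S/MIME decryption and verification step and raises an exception (in place of the real memory-corruption crash) on a constructed malformed message. `run_naive` models the vulnerable behaviour, where the restarted process resumes with the same message still at the head of the queue; `run_hardened` adds the standard poison-message mitigation, counting crashes per message and quarantining it after an assumed threshold (`QUARANTINE_AFTER`). The sample queue, the threshold, and the restart cap that terminates the simulation are all assumptions.

```python
"""Poison-message handling: an illustrative model of a crash-restart loop.
Added example; not Cisco code and not a model of AsyncOS internals."""
from collections import deque
from dataclasses import dataclass

QUARANTINE_AFTER = 3  # assumed policy: give up on a message after 3 crashes


class FilterCrash(Exception):
    """Stands in for the filtering process dying (memory corruption in the real bug)."""


@dataclass
class Message:
    msg_id: str
    smime_signed: bool
    malformed: bool = False


def filter_message(msg: Message) -> str:
    """Toy stand-in for S/MIME decryption/verification: dies on malformed input."""
    if msg.smime_signed and msg.malformed:
        raise FilterCrash(f"filter crashed on {msg.msg_id}")
    return "delivered"


def run_naive(queue: deque, max_restarts: int = 10) -> dict:
    """Vulnerable pattern: after a crash the process restarts and resumes with the
    same message at the head of the queue, so one poison message blocks everything
    behind it. max_restarts only exists to end the simulation; the real loop never does."""
    delivered, restarts = [], 0
    while queue and restarts < max_restarts:
        msg = queue[0]
        try:
            filter_message(msg)
            queue.popleft()
            delivered.append(msg.msg_id)
        except FilterCrash:
            restarts += 1  # process restarts; the poison message is still at the head
    return {"delivered": delivered, "restarts": restarts, "stuck": len(queue)}


def run_hardened(queue: deque) -> dict:
    """Mitigation: count crashes per message (persisted across restarts) and
    quarantine the message once it hits the threshold, so the queue keeps draining."""
    delivered, quarantined, restarts = [], [], 0
    crashes: dict = {}
    while queue:
        msg = queue[0]
        try:
            filter_message(msg)
            queue.popleft()
            delivered.append(msg.msg_id)
        except FilterCrash:
            restarts += 1
            crashes[msg.msg_id] = crashes.get(msg.msg_id, 0) + 1
            if crashes[msg.msg_id] >= QUARANTINE_AFTER:
                queue.popleft()
                quarantined.append(msg.msg_id)
    return {"delivered": delivered, "quarantined": quarantined, "restarts": restarts}


def sample_queue() -> deque:
    """Constructed inbound queue: m2 is the malformed S/MIME-signed message."""
    return deque([
        Message("m1", smime_signed=False),
        Message("m2", smime_signed=True, malformed=True),
        Message("m3", smime_signed=True),
        Message("m4", smime_signed=False),
    ])


if __name__ == "__main__":
    print("naive:   ", run_naive(sample_queue()))
    print("hardened:", run_hardened(sample_queue()))
```

In the naive run only `m1` gets out before the appliance is stuck on `m2` indefinitely, which is the “permanent DoS” in the advisory; the hardened run delivers `m1`, `m3` and `m4` and quarantines `m2` after three crashes. The crash counter has to survive process restarts (a file or database, not process memory) for this to work in practice.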
The current version of Cisco’s AsyncOS Software for the ESA is 12.x, which Cisco stated is not affected. The company released a chart (below) detailing which versions of AsyncOS are vulnerable to the flaw and the first fixed release for each.
| Cisco AsyncOS Software for ESA Major Release | First Fixed Release |
| --- | --- |
| Before 9.0 | Affected; migrate to 11.0.2-044 |
| 9.0.x | Affected; migrate to 11.0.2-044 |
| 10.0.x | Affected; migrate to 11.0.2-044 |
| 11.0.x | 11.0.2-044 |
| 11.1.x | 11.1.1-037 or 11.1.2-023 |
| 12.x | Not vulnerable |
Cisco also patched CVE-2018-15460, a high-severity vulnerability with a CVSS score of 8, which is likewise in AsyncOS for the ESA.
Specifically, the bug lies in the software’s email message filtering. In essence, the software improperly handles email messages containing references to whitelisted URLs. Whitelisted URLs are those of trusted sites, such as partners or vendors, that are exempted from the URL filtering that would otherwise block them under the appliance’s antivirus, anti-spyware, or anti-malware policies.
Because of the flaw, a remote, unauthenticated attacker could exploit the vulnerability by sending a malicious email containing a large number of whitelisted URLs. Cisco states that this drives CPU usage on the affected device to 100 percent, resulting in a denial of service (DoS) condition.
According to Cisco’s advisory, “a successful exploit could allow an attacker to cause a sustained DoS condition that would prevent the affected device from scanning and forwarding email messages.”
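The work-factor problem behind a flood of whitelisted URLs, as an added Python illustration. This is not Cisco’s code and makes no claim about how AsyncOS actually implements its whitelist or where its CPU time goes: `whitelisted_urls_naive` checks every URL in a message against every whitelist regex, so cost scales with the number of URLs times the size of the whitelist; `whitelisted_urls_bounded` caps the number of URLs it will examine per message and replaces the regex scan with a hash lookup on the host’s domain labels. The 500-entry whitelist, the cap `MAX_URLS_PER_MESSAGE`, the URL regex and the constructed flood message are all assumptions.

```python
"""Bounding per-message work in a URL whitelist check.
Added example; not Cisco code and not a model of AsyncOS internals."""
import re
from urllib.parse import urlparse

# Constructed whitelist: 500 hypothetical partner domains.
WHITELIST = [f"partner{i}.example" for i in range(500)]
WHITELIST_PATTERNS = [
    re.compile(r"^https?://([a-z0-9-]+\.)*" + re.escape(d) + r"(?:[/:?#]|$)")
    for d in WHITELIST
]
WHITELIST_HOSTS = frozenset(WHITELIST)
URL_RE = re.compile(r"https?://[^\s<>\"']+")
MAX_URLS_PER_MESSAGE = 200  # assumed policy knob


def whitelisted_urls_naive(body: str) -> dict:
    """Unbounded pattern: every URL is tried against every whitelist regex until
    one matches. Cost grows as (URLs in message) x (whitelist size), and the
    attacker controls the first factor."""
    urls = URL_RE.findall(body)
    checks = matched = 0
    for url in urls:
        for pat in WHITELIST_PATTERNS:
            checks += 1
            if pat.match(url):
                matched += 1
                break
    return {"urls": len(urls), "matched": matched, "pattern_checks": checks}


def host_is_whitelisted(host: str) -> bool:
    """Exact-or-parent-domain lookup: O(number of labels), independent of whitelist size."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in WHITELIST_HOSTS for i in range(len(labels) - 1))


def whitelisted_urls_bounded(body: str) -> dict:
    """Hardened pattern: cap the URLs considered per message and use a hash lookup."""
    urls = URL_RE.findall(body)
    if len(urls) > MAX_URLS_PER_MESSAGE:
        # Do not spend per-URL effort on an oversized message; send it down a
        # cheaper path (reject it, or scan it whole with no whitelist exemptions).
        return {"urls": len(urls), "matched": 0, "lookups": 0,
                "action": "scan_without_exemptions"}
    matched = 0
    for url in urls:
        host = urlparse(url).hostname or ""
        if host_is_whitelisted(host):
            matched += 1
    return {"urls": len(urls), "matched": matched, "lookups": len(urls), "action": "normal"}


def constructed_flood(n: int) -> str:
    """Constructed message body: n links to whitelisted partner domains."""
    return "Hello,\n" + "\n".join(
        f"see https://www.partner{i % 500}.example/doc/{i}" for i in range(n)
    )


if __name__ == "__main__":
    print(whitelisted_urls_naive(constructed_flood(100)))
    print(whitelisted_urls_bounded(constructed_flood(100)))
    print(whitelisted_urls_bounded(constructed_flood(5000)))
```

With 100 legitimate links the naive path already performs 5,050 regex matches; a 5,000-link message would cost it over a million, while the bounded path refuses to do per-URL work at all beyond the cap. The cap is a policy decision: the safe default is that an oversized message loses its whitelist exemptions rather than bypassing scanning.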
The company stated that it is unaware of any malicious exploitation of either vulnerability.