Best Top Reviews Online

A Critical Vulnerability in Cisco’s Email Security Appliance Enables “Permanent DoS”

An attacker from a remote location could exploit the vulnerability by simply sending an email.

Cisco has patched two critical and high-severity vulnerabilities in its email security appliance software. Both vulnerabilities result in a denial of service (DoS) on affected devices and can be exploited by an attacker sending an email.

Wednesday, the company released 18 fixes for product vulnerabilities, including one critical, one high, and sixteen medium-severity flaws. The most severe of these vulnerabilities, a critical flaw (CVE-2018-15453), has a CVSS score of 8.3 and could lead to “permanent DoS” on affected devices.

The flaw lies in Cisco AsyncOS, the operating software for Cisco Email Security Appliances (ESA), Cisco’s platform for protecting against email-based threats. Specifically, the vulnerable component is the software’s handling of Secure/Multipurpose Internet Mail Extensions (S/MIME), a standards-based method for sending and receiving secure, verified email messages.

The incorrect input validation of S/MIME-signed emails exists in two S/MIME features of the software: the decryption-and-verification feature and the public-key harvesting feature.

Inadequate input validation allows an attacker to craft input in a format that the rest of the application does not anticipate. When either of these S/MIME features is enabled, an attacker could exploit the vulnerability by sending a malicious S/MIME-signed email through a vulnerable device.

Once these S/MIME components receive this unwanted input, the system crashes: Cisco stated, “If decryption and verification or public-key harvesting is configured, the filtering process may crash due to memory corruption and restart, resulting in a DoS condition.”

The restarted process would then attempt to resume processing the same S/MIME-signed email, causing the filtering process to crash and restart again, so the device does not recover on its own.

Cisco stated that a successful exploit could allow an attacker to cause a permanent DoS condition. This vulnerability may necessitate a manual recovery of the email security appliance.
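The crash-and-retry loop described above is a classic poison-message failure: a worker that restarts and immediately picks up the same message it just died on never drains its queue. The simulation below is an added illustration, not AsyncOS code; the message format, the FilterCrash exception, and the sample inbox are constructed. It contrasts the unbounded-retry behaviour with a per-message attempt cap that quarantines the offending message so the rest of the mail flow continues.

```python
"""Constructed simulation of a mail-filter worker (not Cisco code)."""
from collections import deque
from dataclasses import dataclass


class FilterCrash(Exception):
    """Stands in for the memory-corruption crash of the filtering process."""


@dataclass
class Message:
    msg_id: str
    smime_signed: bool = False
    malformed: bool = False  # constructed flag: makes the toy filter crash


def smime_filter(msg: Message) -> str:
    """Toy stand-in for the S/MIME decrypt/verify and key-harvest step."""
    if msg.smime_signed and msg.malformed:
        raise FilterCrash(f"corrupt S/MIME structure in {msg.msg_id}")
    return "delivered"


def run_worker(inbox, max_attempts=None, restart_budget=10):
    """Drain the queue head-first, restarting the worker after each crash.

    max_attempts=None mirrors the advisory: the restarted process re-reads
    the same message and crashes again, so the queue never drains
    (restart_budget only bounds the simulation).  With max_attempts set, a
    message that has crashed the worker that many times is quarantined."""
    queue = deque(inbox)            # copy; the caller's list is untouched
    attempts, delivered, quarantined, restarts = {}, [], [], 0
    while queue:
        msg = queue[0]
        attempts[msg.msg_id] = attempts.get(msg.msg_id, 0) + 1
        try:
            smime_filter(msg)
        except FilterCrash:
            restarts += 1
            if max_attempts is not None and attempts[msg.msg_id] >= max_attempts:
                quarantined.append(queue.popleft().msg_id)  # poison message out
            elif restarts >= restart_budget:
                break  # simulation stop; the real appliance would keep looping
            continue
        delivered.append(queue.popleft().msg_id)
    return {"delivered": delivered, "quarantined": quarantined,
            "restarts": restarts, "stuck": bool(queue)}


# Constructed sample inbox: m2 is the poisoned S/MIME-signed message.
SAMPLE_INBOX = [Message("m1"),
                Message("m2", smime_signed=True, malformed=True),
                Message("m3", smime_signed=True)]
```

With the default (no cap) the worker delivers only m1 and is still stuck on m2 when the restart budget runs out; with max_attempts=3 it quarantines m2 after three crashes and goes on to deliver m3.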

The current version of Cisco’s AsyncOS Software for the Email Security Appliance is Version 12, which Cisco stated is not affected. The company released a chart (below) detailing which versions of AsyncOS are vulnerable and the first fixed release for each.

Cisco AsyncOS Software for ESA Major Release    First Fixed Release
Before 9.0                                      Affected; migrate to 11.0.2-044
9.0.x                                           Affected; migrate to 11.0.2-044
10.0.x                                          Affected; migrate to 11.0.2-044
11.0.x                                          11.0.2-044
11.1.x                                          11.1.1-037 or 11.1.2-023
12.x                                            Not vulnerable

Cisco also patched CVE-2018-15460, a high-severity vulnerability with a CVSS score of 8 that is likewise present in AsyncOS.

Specifically, the bug lies in the software’s email filtering function, which improperly handles email messages containing whitelisted URL references. Whitelisted URLs are the trusted websites of partners or vendors whose webmail would otherwise be blocked by antivirus, anti-spyware, or anti-malware policies.

Because of the flaw, a remote, unauthenticated attacker could exploit the device by sending a malicious email containing a large number of whitelisted URLs. Cisco states that processing such a message drives the CPU usage of the affected device to 100 percent, resulting in a denial of service (DoS) condition.

According to Cisco’s advisory, “a successful exploit could allow an attacker to cause a sustained DoS condition that would prevent the affected device from scanning and forwarding email messages.”

The company stated that it is unaware of any malicious exploitation of either vulnerability.

The article above was written by the BestTopReviewsOnline team.
