
Specially crafted emails could crash Cisco ESA devices

Cisco warns of a DoS issue affecting its Email Security Appliance (ESA) product that could be exploited using specially crafted emails.

Cisco ESA products are affected by a DoS vulnerability, tracked as CVE-2022-20653, that resides in the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA.

A remote, unauthenticated attacker can trigger the flaw by sending specially crafted emails to vulnerable devices.

The flaw is caused by insufficient error handling in DNS name resolution; the advisory points out that continued attacks could turn a temporary outage into a persistent DoS condition.

“This vulnerability is due to insufficient error handling in DNS name resolution by the affected software. An attacker could exploit this vulnerability by sending specially formatted email messages that are processed by an affected device. A successful exploit could allow the attacker to cause the device to become unreachable from management interfaces or to process additional email messages for a period of time until the device recovers, resulting in a DoS condition,” reads the advisory published by Cisco. “Continued attacks could cause the device to become completely unavailable, resulting in a persistent DoS condition.”

The issue only impacts Cisco ESA products running AsyncOS Software with the DANE feature enabled (it is disabled by default) and with downstream mail servers configured to send bounce messages.

“To determine whether DANE is configured, check the web UI page Mail Policies > Destination Controls > Add Destination and verify whether the DANE Support option is enabled,” continues the advisory.

The company released security patches (Cisco AsyncOS Software Release 13.5.4.102) and also workarounds to address the vulnerability. To prevent exploitation of this bug, customers may configure the Cisco ESA itself to generate bounce messages instead of the downstream dependent mail servers.

The following table reports the first software release that fixes this issue for each AsyncOS train:

Cisco AsyncOS Software Release | First Fixed Release
12.5 and earlier               | Migrate to a fixed release.
13.0                           | 13.0.3
13.5                           | 13.5.4.102 [1]
14.0                           | 14.0.2.020
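The advisory ties exposure to three conditions: the running AsyncOS release, whether DANE is enabled, and whether bounce messages are generated by downstream mail servers. The following triage helper, an added example and not Cisco's code, encodes the fixed-release table above and those two configuration conditions so an administrator can get a consistent exposed/not-exposed verdict and the matching action for a fleet of appliances. The release-string format ("13.5.2.036" style, numeric fields separated by dots) and the sample releases used in the comments are assumptions; the thresholds and the default-off status of DANE come from the advisory.

```python
"""Triage helper for CVE-2022-20653 (Cisco ESA / AsyncOS DANE DoS).

Added example, not Cisco's code. Fixed-release thresholds and preconditions
are taken from the advisory; the release-string format is an assumption.
"""
from dataclasses import dataclass

# First fixed release per AsyncOS train, from the advisory's table.
# Trains 12.5 and earlier have no fixed release on-train: Cisco says migrate.
FIRST_FIXED = {
    (13, 0): (13, 0, 3),
    (13, 5): (13, 5, 4, 102),
    (14, 0): (14, 0, 2, 20),
}
LAST_UNFIXABLE_TRAIN = (12, 5)


def parse_release(release: str) -> tuple[int, ...]:
    """Convert 'x.y.z.nnn' into an int tuple so releases compare lexicographically.

    Zero-padded fields such as '020' compare as 20, which is how the advisory's
    '14.0.2.020' lines up against a hypothetical '14.0.2.1'.
    """
    parts = release.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AsyncOS release string: {release!r}")
    return tuple(int(p) for p in parts)


def fixed_status(release: str) -> str:
    """Classify a release as 'fixed', 'vulnerable', 'migrate' or 'unknown'.

    'unknown' means the train is newer than anything in the table, so the
    advisory must be re-checked rather than guessed at.
    """
    ver = parse_release(release)
    train = ver[:2]
    threshold = FIRST_FIXED.get(train)
    if threshold is not None:
        return "fixed" if ver >= threshold else "vulnerable"
    if train <= LAST_UNFIXABLE_TRAIN:
        return "migrate"
    return "unknown"


@dataclass(frozen=True)
class Assessment:
    exposed: bool
    reason: str
    action: str


def assess(release: str, dane_enabled: bool, downstream_bounces: bool) -> Assessment:
    """Combine release status with the two configuration preconditions.

    The advisory says the bug is reachable only when DANE is enabled (it is off
    by default) AND downstream mail servers generate bounce messages.
    """
    if not dane_enabled:
        return Assessment(False, "DANE is disabled (the default)", "none required")
    if not downstream_bounces:
        return Assessment(False, "bounces are not generated downstream", "none required")

    status = fixed_status(release)
    if status == "fixed":
        return Assessment(False, f"{release} is at or beyond the first fixed release", "none required")
    if status == "vulnerable":
        train = parse_release(release)[:2]
        target = ".".join(str(n) for n in FIRST_FIXED[train])
        return Assessment(
            True,
            f"{release} predates first fixed release {target}",
            f"upgrade to {target}; as a workaround, generate bounce messages on the ESA instead of downstream",
        )
    if status == "migrate":
        return Assessment(True, f"{release} has no fixed release on its train", "migrate to a fixed release")
    return Assessment(True, f"{release} is on a train not covered by the table", "re-check the Cisco advisory")


if __name__ == "__main__":
    # Constructed fleet inventory; release strings other than the table's are hypothetical.
    fleet = [
        ("esa-01", "13.5.2.036", True, True),
        ("esa-02", "13.5.4.102", True, True),
        ("esa-03", "12.5.1.037", True, True),
        ("esa-04", "14.0.1.999", False, True),
    ]
    for host, release, dane, bounces in fleet:
        a = assess(release, dane, bounces)
        print(f"{host}: exposed={a.exposed}; {a.reason}; action: {a.action}")
```

Running the block prints one verdict line per appliance; only the hosts where DANE is on, downstream bounces are on, and the release predates the table's threshold come back as exposed.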

The vulnerability was reported by Cesare Auteri, Steven Geerts, John-Paul Straver, and Roy Wiss of Rijksoverheid Dienst ICT Uitvoering (DICTU).

The good news is that Cisco PSIRT is not aware of attacks exploiting this issue in the wild.


Pierluigi Paganini


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
