CVE-2016-6406 – CISCO reported a critical flaw in email security appliances (ESA)

Cisco issued a security advisory about a vulnerability, tracked as CVE-2016-6406, affecting the Email Security Appliance Internal Testing Interface.

Cisco Systems reported the existence a vulnerability (CVE-2016-6406) in the email security appliances that could be exploited by a remote unauthenticated attacker to gain complete control of the security solution.

The vulnerability is related the Cisco IronPort AsyncOS operating system for which the company issued a security bulletin last week. On Wednesday the company provided a software update that fixes the security issue and further information about it.

The flaw is tied to an internal testing and debugging interface implemented by CISCO that is accessible on the IronPort AsyncOS operating system.

“A vulnerability in Cisco IronPort AsyncOS for Cisco Email Security Appliances (ESA) could allow an unauthenticated, remote attacker to obtain complete control of an affected device. The vulnerability is due to the presence of a Cisco internal testing and debugging interface (intended for use during product manufacturing only) on customer-available software releases.” reads the security advisory issued by CISCO.

“An attacker could exploit this vulnerability by connecting to this testing and debugging interface. An exploit could allow an attacker to obtain complete control of an affected device with root-level privileges,” 

According to CISCO, the Cisco Email Security Appliances (ESA) physical and virtual devices running any of the following software releases are affected by the CVE-2016-6406 vulnerability:

• 9.1.2-023
• 9.1.2-028
• 9.1.2-036
• 9.7.2-046
• 9.7.2-047
• 9.7-2-054
• 10.0.0-124
• 10.0.0-125

CISCO explained that in order to determine whether a vulnerable version of Cisco AsyncOS Software is running on a Cisco ESA, it is possible to use the “version” command in the ESA command-line interface (CLI). The following example shows the results for a device running Cisco AsyncOS Software version 8.5.7-044:

Cisco also reported the existence of a workaround that could allow administrators to block the remote access to vulnerable email security appliances.

“The debugging and testing interface can be disabled by rebooting an affected device. In order to reboot an ESA device, issue the reboot command from the CLI. The interface will be permanently disabled and unavailable once the device has finished rebooting.” added CISCO.

[adrotate banner=”9″]